Bug#611229: ejabberd: LDAP auth fails after upgrade


ian

Jan 26, 2011, 7:40:01 PM
Package: ejabberd
Version: 2.1.5-3
Severity: important

After upgrading from 2.1.3-2 to 2.1.5-3 ejabberd fails to authenticate any users. We are using LDAP. A downgrade fixes the issue.

I've been unable to locate anything in the release notes about config changes, so I assume it is a bug.

When a user attempts to log in via XMPP the log shows merely:

=INFO REPORT==== 2011-01-26 23:59:56 ===
I(<0.529.0>:ejabberd_listener:232) : (#Port<0.3347>) Accepted connection {{10,4,1,241},7677} -> {{10,4,4,111},5222}

=INFO REPORT==== 2011-01-26 23:59:57 ===
I(<0.553.0>:ejabberd_c2s:598) : ({socket_state,tls,{tlssock,#Port<0.3347>,#Port<0.3349>},<0.552.0>}) Failed authentication for i...@example.com


However, when an admin user attempts to log in via the web interface, it returns an error:

=ERROR REPORT==== 2011-01-26 22:36:38 ===
E(<0.519.0>:ejabberd_auth:256) : The authentication module ejabberd_auth_ldap returned an error
when checking user "ian" in server "example.com"
Error message: {{case_clause,
{'EXIT',
{function_clause,
[{eldap,'and',
[{'or',
[{equalityMatch,
{'AttributeValueAssertion',"objectClass",
"exampleUser"}},
{equalityMatch,
{'AttributeValueAssertion',"objectClass",
"exampleIT"}}]}]},
{eldap_filter_yecc,yeccpars2_30,7},
{eldap_filter_yecc,yeccpars0,5},
{eldap_filter,parse,2},
{ejabberd_auth_ldap,find_user_dn,2},
{ejabberd_auth_ldap,is_user_exists_ldap,2},
{ejabberd_auth_ldap,is_user_exists,2},
{ejabberd_auth,'-is_user_exists/2-fun-0-',3}]}}},
[{eldap_filter,parse,2},
{ejabberd_auth_ldap,find_user_dn,2},
{ejabberd_auth_ldap,is_user_exists_ldap,2},
{ejabberd_auth_ldap,is_user_exists,2},
{ejabberd_auth,'-is_user_exists/2-fun-0-',3},
{lists,any,2},
{ejabberd_web_admin,get_auth_account,5},
{ejabberd_web_admin,process,2}]}

=ERROR REPORT==== 2011-01-26 22:36:38 ===
W(<0.519.0>:ejabberd_web_admin:220) : Access of "i...@example.com" from "10.4.1.241" failed with error: "inexistent-account"

The upgrade process:

Stopping jabber server: ejabberd.
Unpacking replacement ejabberd ...
Processing triggers for man-db ...
Setting up ejabberd (2.1.5-3) ...
Installing new version of config file /etc/logrotate.d/ejabberd ...
Starting jabber server: ejabberd.
Waiting for ejabberd to register admin user...
Can't register admin user "ad...@jabber.example.com".


The output of `grep '^[ \t]*[^ \t%]' ejabberd.cfg`:

override_global.
override_local.
override_acls.
{acl, admin, {user, "root", "example.com"}}.
{acl, admin, {user, "ian", "example.com"}}.
{acl, admin, {user, "aa", "example.com"}}.
{acl, admin, {user, "bb", "example.com"}}.
{hosts, ["example.com", "example2.com"]}.
{loglevel, 4}.
{listen,
[
{5222, ejabberd_c2s, [
{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536},
%%zlib,
starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
]},
{5269, ejabberd_s2s_in, [
{shaper, s2s_shaper},
{max_stanza_size, 131072}
]},
{5555, ejabberd_service, [
{ip, {127, 0, 0, 1}},
{access, all},
{shaper_rule, fast},
{hosts, ["icq.example.com"],
[{password, "abc"}]}
]},
{5556, ejabberd_service, [
{ip, {127, 0, 0, 1}},
{access, all},
{shaper_rule, fast},
{host, "aim.example.com", [{password, "abc"}]}
]},
{5557, ejabberd_service, [
{ip, {127, 0, 0, 1}},
{access, all},
{shaper_rule, fast},
{host, "msn.example.com", [{password, "abc"}]}
]},
{5280, ejabberd_http, [
%%{request_handlers,
%% [
%% {["pub", "archive"], mod_http_fileserver}
%% ]},
%%captcha,
http_bind,
http_poll,
web_admin
]}
]}.
{max_fsm_queue, 1000}.
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
{s2s_default_policy, allow}.
{auth_method, ldap}.
{ldap_servers, ["alpha.ldap.example.com", "ldap.example.com"]}.
{ldap_base, "ou=users,dc=example,dc=com"}.
{ldap_uids, [{"mail", "%u@%d"}]}.
{ldap_filter, "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) (|(accountStatus=active)(accountStatus=migrate)) )"}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{acl, local, {user_regexp, ""}}.
{access, max_user_sessions, [{10, all}]}.
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked},
{allow, all}]}.
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, register, [{deny, all}]}.
{access, pubsub_createnode, [{allow, all}]}.
{language, "en"}.
{modules,
[
{mod_adhoc, []},
{mod_announce, [{access, announce}]}, % requires mod_adhoc
{mod_caps, []},
{mod_configure,[]}, % requires mod_adhoc
{mod_admin_extra, []},
{mod_disco, []},
{mod_irc, []},
{mod_last, []},
{mod_muc, [
%%{host, "conference.@HOST@"},
{access, muc},
{access_create, muc},
{access_persistent, muc},
{access_admin, muc_admin},
{default_room_options, [
{logging, true}
]},
{max_users, 500}
]},
{mod_muc_log,[
{dirtype, "plain"},
{outdir, "/var/log/ejabberd/muc/"}
]},
{mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
{mod_privacy, []},
{mod_private, []},
{mod_proxy65, [
{access, local},
{shaper, c2s_shaper}
]},
{mod_pubsub, [ % requires mod_caps
{access_createnode, pubsub_createnode},
{pep_sendlast_offline, false},
{last_item_cache, false},
%%{plugins, ["default", "pep"]}
{plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps
]},
{mod_roster, []},
{mod_shared_roster,[]},
{mod_stats, []},
{mod_time, []},
{mod_vcard, []},
{mod_version, []},
{mod_log_chat, [{path, "/var/log/ejabberd/chat"}, {format, html}]},
{mod_http_bind, []},
{mod_vcard_ldap,
[
{ldap_rootdn, ""},
{ldap_password, ""},
{ldap_base, "ou=users,dc=example,dc=com"},
{ldap_uids, [{"cn", "%u"}]},
{ldap_filter, "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) (|(accountStatus=active) (accountStatus=migrate)) )"},
{ldap_vcard_map,
[
{"NICKNAME", "%s", ["displayName"]}, % just use user's part of JID as his nickname
{"GIVEN", "%s", ["givenName"]},
{"FAMILY", "%s", ["sn"]},
{"FN", "%s, %s", ["sn", "givenName"]}, % example: "Smith, John"
{"EMAIL", "%s", ["mail"]}]},
{ldap_search_fields,
[{"User", "%u"},
{"Name", "givenName"},
{"Family Name", "sn"},
{"Email", "mail"}]},
{ldap_search_reported,
[{"Full Name", "FN"},
{"Nickname", "NICKNAME"} ]}
]}%%End mod_vcard_ldap
]}.


-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ejabberd depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii erlang-asn1 1:14.a-dfsg-1 Erlang/OTP modules for ASN.1 suppo
ii erlang-base [erlang-abi 1:14.a-dfsg-1 Erlang/OTP virtual machine and bas
ii erlang-crypto 1:14.a-dfsg-1 Erlang/OTP cryprographic modules
ii erlang-inets 1:14.a-dfsg-1 Erlang/OTP Internet clients and se
ii erlang-mnesia 1:14.a-dfsg-1 Erlang/OTP distributed relational/
ii erlang-odbc 1:14.a-dfsg-1 Erlang/OTP interface to SQL databa
ii erlang-ssl 1:14.a-dfsg-1 Erlang/OTP implementation of SSL
ii erlang-syntax-tools 1:14.a-dfsg-1 Erlang/OTP modules for handling ab
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libexpat1 2.0.1-7 XML parsing C library - runtime li
ii libpam0g 1.1.1-3 Pluggable Authentication Modules l
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii openssl 0.9.8o-1 Secure Socket Layer (SSL) binary a
ii ucf 3.0025 Update Configuration File: preserv
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

ejabberd recommends no packages.

Versions of packages ejabberd suggests:
pn imagemagick | graphicsmagick- <none> (no description available)
ii libunix-syslog-perl 1.1-2 Perl interface to the UNIX syslog(

-- Configuration Files:
/etc/default/ejabberd changed:
ERL_OPTIONS="-pz /usr/local/lib/ejabberd/ebin -kernel inetrc '/etc/ejabberd/inetrc'"

/etc/ejabberd/inetrc [Errno 13] Permission denied: u'/etc/ejabberd/inetrc'

-- debconf information:
ejabberd/nomatch:
* ejabberd/user: admin
* ejabberd/hostname: jabber.example.com


Konstantin Khomoutov

Jan 27, 2011, 1:10:01 AM
tag 611229 +moreinfo
thanks

On Thu, Jan 27, 2011 at 12:23:24AM +0000, ian wrote:

> After upgrading from 2.1.3-2 to 2.1.5-3 ejabberd fails to authenticate
> any users. We are using LDAP. A downgrade fixes the issue.

[...]


> however when an admin user attempts to log in via the web interface it
> returns an error:
>
> =ERROR REPORT==== 2011-01-26 22:36:38 ===
> E(<0.519.0>:ejabberd_auth:256) : The authentication module ejabberd_auth_ldap returned an error
> when checking user "ian" in server "example.com"
> Error message: {{case_clause,
> {'EXIT',
> {function_clause,
> [{eldap,'and',
> [{'or',
> [{equalityMatch,
> {'AttributeValueAssertion',"objectClass",
> "exampleUser"}},
> {equalityMatch,
> {'AttributeValueAssertion',"objectClass",
> "exampleIT"}}]}]},

[...]
> [{eldap_filter,parse,2},
[...]


> =ERROR REPORT==== 2011-01-26 22:36:38 ===
> W(<0.519.0>:ejabberd_web_admin:220) : Access of "i...@example.com" from "10.4.1.241" failed with error: "inexistent-account"

[...]


> {auth_method, ldap}.
> {ldap_servers, ["alpha.ldap.example.com", "ldap.example.com"]}.
> {ldap_base, "ou=users,dc=example,dc=com"}.
> {ldap_uids, [{"mail", "%u@%d"}]}.
> {ldap_filter, "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) (|(accountStatus=active)(accountStatus=migrate)) )"}.

Could you please remove the spaces embedded in ldap_filter's value,
retry, and report back whether it fixes the problem for you?
The idea is that, according to my cursory reading of RFC 4515 [1],
it does not allow whitespace before/between/after assertions in the
"filter compositions" (in fact, anywhere except in the values, it seems),
and the LDAP parser was changed in 2.1.5 (or 2.1.4, I can't recall) to
allow the use of so-called extensible matching rules in the filter.
That change could, in principle, have fixed the LDAP filter parsing rules,
invalidating your ldap_filter as a byproduct.

1. http://tools.ietf.org/html/rfc4515
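To make the RFC 4515 point above concrete, here is a strict filter checker. It is an added example written for this page, not code from ejabberd or its eldap_filter module, and it makes no claim about how ejabberd's parser is implemented. It accepts exactly what the RFC grammar allows (no whitespace between components, only \HH escapes in values, the extensible-match ":=" syntax) and reports the offset of the first illegal character, so the ldap_filter from the bug report fails at the space after the first (|...) group, while the same string with the spaces removed parses cleanly. escape_value applies the same section's rule for placing untrusted text in a value; the %u template in the demo is constructed for illustration only and says nothing about how ejabberd substitutes ldap_uids. BROKEN and FIXED are the filter from this report and its corrected form.

```python
"""Strict RFC 4515 search-filter checker, an added example (not ejabberd's eldap_filter).
Whitespace is legal only inside an assertion value; anywhere else it is an error."""
import re

class FilterError(ValueError):
    def __init__(self, msg, pos):
        super().__init__(f"{msg} at offset {pos}")
        self.pos = pos

_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|\d+(?:\.\d+)+")  # attr or OID
_XRULE = re.compile(r"(:dn)?(:[A-Za-z][A-Za-z0-9-]*|:\d+(?:\.\d+)+)?")            # [":dn"][":" rule]
_ESCAPED = re.compile(r"\\[0-9A-Fa-f]{2}")                                        # \HH
_OPS = {"=": "equality", "~=": "approx", ">=": "ge", "<=": "le"}

def parse_filter(text):
    """Return a tuple tree for a well-formed filter, else raise FilterError."""
    pos, node = _filter(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing data {text[pos:]!r}", pos)
    return node

def _filter(s, i):                       # filter = "(" filtercomp ")"
    if not s.startswith("(", i):
        raise FilterError("expected '('", i)
    i, c = i + 1, s[i + 1:i + 2]
    if c in ("&", "|"):                  # filterlist = 1*filter, with no separators
        i, items = i + 1, []
        while s.startswith("(", i):
            i, sub = _filter(s, i)
            items.append(sub)
        if not items:
            raise FilterError("empty filter list", i)
        node = ("and" if c == "&" else "or", items)
    elif c == "!":
        i, sub = _filter(s, i + 1)
        node = ("not", sub)
    else:
        i, node = _item(s, i)
    if not s.startswith(")", i):         # a space here is exactly the bug in this thread
        raise FilterError("expected ')'", i)
    return i + 1, node

def _item(s, i):                         # simple / present / substring / extensible
    m = _ATTR.match(s, i)
    attr, i = (m.group(0), m.end()) if m else (None, i)
    if s.startswith(":", i):             # extensible: [attr][":dn"][":" rule] ":=" value
        j = s.find(":=", i)
        rule = s[i:j] if j >= 0 else None
        if rule is None or not _XRULE.fullmatch(rule) or (attr is None and rule in ("", ":dn")):
            raise FilterError("malformed extensible match", i)
        op, i = ":=", j + 2
    elif attr is None:
        raise FilterError("expected attribute description", i)
    else:
        op = next((o for o in ("~=", ">=", "<=", "=") if s.startswith(o, i)), None)
        if op is None:
            raise FilterError("expected filter type (=, ~=, >=, <=)", i)
        i += len(op)
    start = i
    while i < len(s) and s[i] not in "()":   # value runs to the next unescaped paren
        if s[i] == "\\":
            if not _ESCAPED.match(s, i):
                raise FilterError("backslash must be followed by two hex digits", i)
            i += 3
        elif (s[i] == "*" and op != "=") or s[i] == "\x00":
            raise FilterError("unescaped '*' or NUL in value", i)
        else:
            i += 1
    value = s[start:i]
    if op == ":=":
        return i, ("extensible", attr, rule, value)
    if op == "=" and value == "*":
        return i, ("present", attr)
    if op == "=" and "*" in value:
        return i, ("substring", attr, value.split("*"))
    return i, (_OPS[op], attr, value)

def escape_value(value):                 # RFC 4515 section 3: escape *, (, ), \ and NUL as \HH
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def check(filter_text):                  # (True, tree) or (False, (message, offset))
    try:
        return True, parse_filter(filter_text)
    except FilterError as e:
        return False, (str(e), e.pos)

# Constructed inputs: the ldap_filter from the bug report, and the same filter with the spaces removed.
BROKEN = "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) (|(accountStatus=active)(accountStatus=migrate)) )"
FIXED = "(&(|(objectClass=exampleUser)(objectClass=exampleIT))(|(accountStatus=active)(accountStatus=migrate)))"

if __name__ == "__main__":
    for f in (BROKEN, FIXED):
        ok, detail = check(f)
        print(("OK  " if ok else "BAD ") + f)
        if not ok:
            print("    " + " " * detail[1] + "^ " + detail[0])
    tmpl = "(&(mail=%u)(objectClass=exampleUser))"   # hypothetical template, %u as in ldap_uids
    print(check(tmpl.replace("%u", "*)(objectClass=*")))                # three terms: structure hijacked
    print(check(tmpl.replace("%u", escape_value("*)(objectClass=*"))))  # one mail term, as intended
```

Run it directly to see the caret land under offset 53 of the original filter, the space after the first or-group. The mod_vcard_ldap ldap_filter in the same report has the same embedded spaces and fails the same check.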

ian+re...@comtek.co.uk

Jan 27, 2011, 3:40:02 PM

>> [snip]

> Could you please remove the spaces embedded in ldap_filter's value,
> retry, and report back whether it fixes the problem for you?
> The idea is that, according to my cursory reading of RFC 4515 [1],
> it does not allow whitespace before/between/after assertions in the
> "filter compositions" (in fact, anywhere except in the values, it seems),
> and the LDAP parser was changed in 2.1.5 (or 2.1.4, I can't recall) to
> allow the use of so-called extensible matching rules in the filter.
> That change could, in principle, have fixed the LDAP filter parsing rules,
> invalidating your ldap_filter as a byproduct.
>
> 1. http://tools.ietf.org/html/rfc4515
>

Success! Thank you for the quick response.

I've used whitespace in LDAP filters before without realising that it
isn't strictly legal. As far as I am concerned, my problem is resolved,
though.

Thanks,

Ian
