offline messages and mod_auth_ldap


quantumriff

Apr 18, 2013, 9:50:02 AM
to proso...@googlegroups.com
We are using mod_auth_ldap for one of our virtual domains in prosody, and I'm not sure if it's related, but nobody on this domain can utilize offline messages. I have even tried manually adding offline under the 'modules_enabled' section of the config, and while I see an offline folder in /var/lib/prosody/example.com/offline, there is nothing in there.

I am running prosody from the trashy RPM: prosody-0.8.2-1.el6.trashy.x86_64

For the domains that are not using LDAP authentication, I see things in the offline folder. Trying to send an offline message to a user (anonymized) with the debug logs shows this:
Apr 18 08:44:21 c2s2515dc0      debug   Received[c2s]: <message id='purple4670a7b' type='chat' to='sm...@example.com'>
Apr 18 08:44:23 c2s2515dc0      debug   Received[c2s]: <message id='purple4670a7c' type='chat' to='sm...@example.com'>
Apr 18 08:44:23 c2s2515dc0      debug   Received[c2s]: <message id='purple4670a7d' type='chat' to='sm...@example.com'>

But I cannot find any trace of the message.

Any ideas on what I can do to troubleshoot further?

thanks
brian

Rob Hoelz

Apr 18, 2013, 12:16:34 PM
to proso...@googlegroups.com, brian.w...@gmail.com
Which LDAP plugin are you using? There's an earlier one, as well as a
suite of plugins that I wrote.

If you're using mine and you have storage set to use LDAP (for rosters
and groups), you'll need to tell Prosody to use the default storage
driver for offline messages.

-Rob

brian.w...@gmail.com

Apr 18, 2013, 1:14:38 PM
to proso...@googlegroups.com
Oops, accidentally sent directly instead of back to the list:

To be honest, I'm not sure how to tell which version it is. Here are the top comments from the file:
-- vim:sts=4 sw=4

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2012 Rob Hoelz
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- adapted to use common LDAP store


I don't have any roster stuff defined, just users and groups.

How would I tell it to use default storage for offline?

thanks,
brian

Matthew Wild

Apr 18, 2013, 4:01:31 PM
to Prosody IM Developers Group, brian.w...@gmail.com
Hi,

On 18 April 2013 17:16, Rob Hoelz <r...@hoelz.ro> wrote:
> On Thu, 18 Apr 2013 06:50:02 -0700 (PDT)
> quantumriff <brian.w...@gmail.com> wrote:
>
>> We are using mod_auth_ldap for one of our virtual domains in prosody,
>> and i'm not sure if its related, but nobody on this domain can
>> utilize offline messages. I have tried manually adding offline under
>> the 'modules_enabled' section of the config even, and while I see an
>> offline folder in /var/lib/prosody/example.com/offline there is
>> nothing in there.
>>
>
> Which LDAP plugin are you using? There's an earlier one, as well as a
> suite of plugins that I wrote.
>
> If you're using mine and you have storage set to use LDAP (for rosters
> and groups), you'll need to tell Prosody to use the default storage
> driver for offline messages.

Actually no, offline messages currently always go to the filesystem.

It *could* be something to do with the auth provider saying whether or
not the user exists...

Regards,
Matthew

brian.w...@gmail.com

Apr 24, 2013, 11:42:36 AM
to Matthew Wild, Prosody IM Developers Group
Matthew, 
Sorry, I was out for a bit... Is there any way I could test this theory? I don't see much in the logs. Interestingly, we use the same LDAP accounts for Linux logins, so if PAM was going to query the user, it should resolve correctly.

Both roster and vcard folders seem to be working fine. Only offline is empty.

Matthew Wild

May 11, 2013, 5:29:22 AM
to brian.w...@gmail.com, Prosody IM Developers Group
Hi Brian,

Sorry... this thread fell off my radar.

On 24 April 2013 16:42, brian.w...@gmail.com
<brian.w...@gmail.com> wrote:
> Matthew,
> Sorry, I was out for a bit... Is there any way I could test this theory? I
> don't see much in the logs. Intestingly, we use the same LDAP accounts for
> linux logins. so if PAM was going to query the user, it should resolve
> correctly.

I checked the code, and it does test for user existence. You could
verify it is working by replacing the user_exists() function in the
module with this one:

function provider.user_exists(username)
    local params = ldap.getparams()

    local filter = ldap.filter.combine_and(params.user.filter,
        params.user.usernamefield .. '=' .. username);

    local exists = ldap.singlematch {
        base = params.user.basedn,
        filter = filter,
    };
    module:log("debug", "User %s exists: %s", tostring(not not exists));
    return exists;
end

Don't forget to enable debug logging (or change "debug" to "info" here).

Let us know how it goes.

Regards,
Matthew

brian.w...@gmail.com

May 21, 2013, 1:09:26 AM
to Matthew Wild, Prosody IM Developers Group
Sorry to take so long to reply.

First, sorry if I goofed up some stuff; I'm a sysadmin, and know a bit of Python, Perl, and Bash. Lua is foreign to me.

I modified the function like you said.  When trying to send an offline message, I saw this:

May 20 23:46:33 datamanager     debug   Assuming empty offline storage ('cannot open /var/lib/prosody/example%2ecom/offline/briffle.list: No such file or directory') for user: bri...@example.com

In LDAP, briffle is my UID.

I tried to create that file, owned by prosody:
touch /var/lib/prosody/example%2ecom/offline/briffle.list
chown prosody.prosody /var/lib/prosody/example%2ecom/offline/briffle.list

I then tried again, and got some ugly looking errors in the logs:
May 20 23:52:06 s2sin24bd0e0    debug   Received[s2sin]: <message id='purple3db503fb' type='chat' to='bri...@example.com' from='briffle@********/vm'>
May 20 23:52:06 May 20 23:52:06 xmppserver_listener     error   Traceback[s2s]: /usr/lib64/prosody/core/loggingmanager.lua:286: bad argument #3 to 'format' (string expected, got no value): stack traceback:
        /usr/lib64/prosody/net/xmppserver_listener.lua:57: in function </usr/lib64/prosody/net/xmppserver_listener.lua:57>
        [C]: in function 'format'
        /usr/lib64/prosody/core/loggingmanager.lua:286: in function '?'
        /usr/lib64/prosody/util/logger.lua:61: in function </usr/lib64/prosody/util/logger.lua:51>
        (tail call): ?
        (tail call): ?
        /usr/lib64/prosody/modules/mod_auth_ldap.lua:39: in function </usr/lib64/prosody/modules/mod_auth_ldap.lua:29>
        (tail call): ?
        /usr/lib64/prosody/modules/mod_message.lua:48: in function </usr/lib64/prosody/modules/mod_message.lua:19>
        (tail call): ?
        /usr/lib64/prosody/util/events.lua:67: in function 'fire_event'
        ...
        [C]: in function 'parse'
        /usr/lib64/prosody/util/xmppstream.lua:200: in function 'feed'
        /usr/lib64/prosody/net/xmppserver_listener.lua:130: in function 'data'
        /usr/lib64/prosody/net/xmppserver_listener.lua:163: in function </usr/lib64/prosody/net/xmppserver_listener.lua:160>
        (tail call): ?
        /usr/lib64/prosody/net/server_select.lua:820: in function </usr/lib64/prosody/net/server_select.lua:802>
        [C]: in function 'xpcall'
        /usr/lib64/prosody/../../bin/prosody:427: in function 'loop'
        /usr/lib64/prosody/../../bin/prosody:494: in main chunk
        [C]: ?

May 20 23:52:12 datamanager     debug   Removing empty offline datastore for user bri...@example.com

Not sure if it helps or not, but the ldap definition in my config is this:
ldap = {
    hostname = 'ldap-slave.example.local',
    ldap_tls = 'true',
    user = {
        basedn = 'ou=People,dc=example,dc=local',
        usernamefield = 'uid',
        namefield = 'cn',
        filter = '(&(objectClass=posixAccount)(gidNumber=10001))',
        -- they have to belong to group 10001, our "all staff" group, to get an account
    },
    groups = {
        basedn = 'ou=group,dc=example,dc=local',
        memberfield = 'memberUid',
        namefield = 'cn',
        {
            name = 'Example Employees',
            cn = 'exampleStaff',
        },
        {
            name = 'SysAdmins',
            cn = 'sysadmin',
            admin = true,
        },
    },
};

I did not see any errors, probably because of the error that caused a traceback.

Any other ideas I can try?
Thanks
Brian

Matthew Wild

May 21, 2013, 5:42:35 AM
to brian.w...@gmail.com, Prosody IM Developers Group
Hi,

On 21 May 2013 06:09, brian.w...@gmail.com <brian.w...@gmail.com> wrote:
> Sorry to take so long to reply.
>
> First, sorry if I goofed up some stuff, I'm a sysadmin, and know a bit of
> python, perl, and bash. Lua is foreign to me.

If you can manage a language like Python, Lua really isn't that much
to deal with :)

> I modified the function like you said. When trying to send an offline
> message, I saw this:
>
> May 20 23:46:33 datamanager debug Assuming empty offline storage
> ('cannot open /var/lib/prosody/example%2ecom/offline/briffle.list: No such
> file or directory') for user: bri...@example.com

This isn't an error (which is why it says 'debug'). It just means the
file doesn't exist, therefore there are no offline messages. The
system message is displayed for debugging purposes.

> I then tried again, and got some ugly looking errors in the logs:
> May 20 23:52:06 s2sin24bd0e0 debug Received[s2sin]: <message
> id='purple3db503fb' type='chat' to='bri...@example.com'
> from='briffle@********/vm'>
> May 20 23:52:06 May 20 23:52:06 xmppserver_listener error
> Traceback[s2s]: /usr/lib64/prosody/core/loggingmanager.lua:286: bad argument
> #3 to 'format' (string expected, got no value): stack traceback:

Gah, sorry. This was a bug in the code I sent you in my previous email.

Change this line:

module:log("debug", "User %s exists: %s", tostring(not not exists));

to this:

module:log("debug", "User %s exists: %s", username, tostring(not not exists));

Then try sending someone an offline message again.

Regards,
Matthew

Brian Riffle

May 21, 2013, 11:10:03 PM
to Matthew Wild, Prosody IM Developers Group
Your extra logging is putting this in the logs:
May 21 22:06:07 s2sin1a2fba0    debug   Received[s2sin]: <message id='purple6738baf5' type='chat' to='bri...@example.com' from='briffle@***********/vm'>
May 21 22:06:07 example.com:auth_ldap     debug   User briffle exists: false
May 21 22:06:07 s2sout1938700   debug   going to send stanza to *********** from example.com
May 21 22:06:07 s2sout1938700   debug   sending: <message id='purple6738baf5' type='error' to='briffle@***********/vm' from='bri...@example.com'>
May 21 22:06:07 s2sout1938700   debug   stanza sent over s2sout
May 21 22:06:07 c2s201b780      debug   Received[c2s]: <iq id='purple886b38f0' type='get'>
May 21 22:06:10 s2sin1a2fba0    debug   Received[s2sin]: <message id='purple6738baf6' type='chat' to='bri...@example.com' from='briffle@***********/vm'>
May 21 22:06:10 example.com:auth_ldap     debug   User briffle exists: false
May 21 22:06:10 s2sout1938700   debug   going to send stanza to *********** from example.com
May 21 22:06:10 s2sout1938700   debug   sending: <message id='purple6738baf6' type='error' to='briffle@***********/vm' from='bri...@example.com'>
May 21 22:06:10 s2sout1938700   debug   stanza sent over s2sout
May 21 22:06:10 s2sin1a2fba0    debug   Received[s2sin]: <message id='purple6738baf7' type='chat' to='bri...@example.com' from='briffle@***********/vm'>
May 21 22:06:10 example.com:auth_ldap     debug   User briffle exists: false
May 21 22:06:10 s2sout1938700   debug   going to send stanza to *********** from example.com
May 21 22:06:10 s2sout1938700   debug   sending: <message id='purple6738baf7' type='error' to='briffle@***********/vm' from='bri...@example.com'>
May 21 22:06:10 s2sout1938700   debug   stanza sent over s2sout
May 21 22:06:10 c2s1b36cf0      debug   Received[c2s]: <iq id='purple3ee0d20b' type='get'>


however, as root, from the console, I can type "groups briffle" and see all my groups.

So it does sound like you originally thought: it's not doing an offline, because it doesn't see that person as being an OS user? In my case every prosody account in LDAP is also a valid unix user account (well, maybe minus one or two). However, I know that's not always true with LDAP.

Brian

quantumriff

Jun 5, 2013, 9:07:50 AM
to proso...@googlegroups.com, Matthew Wild
Is there anything else I can try to debug the problem, given this extra logging? Is there a way I can adjust how it checks for a valid user?

Brian

Rob Hoelz

Jun 9, 2013, 6:11:29 PM
to proso...@googlegroups.com, Matthew Wild
Hi Brian,

I just wanted to let you know that I'm looking at this.  I can't promise a solution immediately, but I'll be working on it. =)

Just to get some facts: you're just using LDAP for authentication; you're not using any of the storage features, right?

Thanks,
Rob

Rob Hoelz

Jun 9, 2013, 6:29:08 PM
to proso...@googlegroups.com, Matthew Wild
Ok, I tested this on my local Prosody (0.8.2) using the latest plugin from prosody-modules-0.8, using LDAP for authentication but not for storage, and I was able to get offline messages to be written to my data directory.  I then turned on LDAP for storage as well, and was able to get offline messages again.

-Rob



Brian Riffle

Jun 9, 2013, 11:17:42 PM
to proso...@googlegroups.com, Rob Hoelz, Matthew Wild
Rob, thanks for getting back to me.

Here is a slightly anonymized version of my virtual host. (I just changed domains and a few names to example.com)

VirtualHost "example.com"
    ssl = {
        key = "certs/example.com.key";
        certificate = "certs/example.com.crt";
    }

groups_file = "/etc/prosody/groups/examplegroups.txt";

authentication = "ldap";

ldap = {
    hostname = 'ldap-slave.example.local',
    ldap_tls = 'true',
    user = {
        basedn = 'ou=People,dc=example,dc=local',
        usernamefield = 'uid',
        namefield = 'cn',
        filter = '(&(objectClass=posixAccount)(gidNumber=10001))',
        -- user must be in "all staff" group to have account
    },
    groups = {
        basedn = 'ou=group,dc=example,dc=local',
        memberfield = 'memberUid',
        namefield = 'cn',
        {
            name = 'All Employees',
            cn = 'allStaff',
        },
        {
            name = 'SysAdmins',
            cn = 'sysadmin',
            admin = true,
        },
    },
};

Component "conference.example.com" "muc"
    restrict_room_creation = false
Component "jabber.example.local" "proxy65"

Hope this helps,
Brian

Rob Hoelz

Jun 10, 2013, 2:32:40 AM
to Brian Riffle, proso...@googlegroups.com, Rob Hoelz, Matthew Wild
The first thing that catches my attention here is that you have a
groups_file configuration parameter set. What plugins do you currently
have loaded? I assume you're using mod_groups, and I'm not sure how it
and mod_storage_ldap will interfere.

Are you able to reproduce this behavior on a standalone installation?
That would be really helpful, especially since we could share
configurations verbatim along with the data stored in LDAP!

Thanks,
Rob

brian.w...@gmail.com

Jun 13, 2013, 8:57:18 AM
to Rob Hoelz, Prosody IM Developers Group, Rob Hoelz, Matthew Wild
Rob, last night, I removed the groups definition from LDAP.  We are currently using just the groups file.  We originally tested the ldap one, but there were a few people we needed to add to our group that were part of another federated domain, and it was just easier to have the text document.

Disabling the ldap groups does not seem to have helped offline messaging, however.

Thanks,
Brian

Rob Hoelz

Jun 13, 2013, 9:10:03 AM
to brian.w...@gmail.com, Prosody IM Developers Group, Matthew Wild
Yeah, I wasn't sure if it would...better to use just one or the other, though!  Would you be able to send me a single user LDAP record so I can have a look?

-Rob

brian.w...@gmail.com

Jun 14, 2013, 9:43:24 AM
to Rob Hoelz, Prosody IM Developers Group, Rob Hoelz, Matthew Wild
Rob and I have been emailing back and forth off list (I was sending LDIF data, etc)  and I think we have fixed our problem.  Thought I would post back, for others that google this later. :)

For the ldap->user section of our virtualhost in prosody.cfg.lua, I had this set:
filter = '(&(objectClass=posixAccount)(gidNumber=10001))'

In our case, I only wanted chat accounts for people that were in the "All Staff" group. (I didn't want service users, etc. to have access to chat.) However, that group is a different record, in ou=group,dc=example,dc=local. There was nothing in MY record that showed I was in that group (my primary group was listed). Perhaps some better descriptions of the ldap config section would be helpful?

Rob had me try running the command: 
ldapsearch -h <ldapServer> -s sub -b "dc=example,dc=local" -x "(&(&(objectClass=posixAccount)(gidNumber=10001))(uid=briffle))" 
and it returned no results.

However, all my "staff" members in ldap have another option set in their records: zarafaAccount=1 (we use zarafa for email, and love it) By modifying our filter to be: 
filter = '(&(objectClass=posixAccount)(zarafaAccount=1))'  
things seem to be working great!


In addition, Rob pointed out that I had both a text file group, and ldap one. I disabled the ldap one. We have some people that are not in ldap (they are in a different federated xmpp domain on another server) that we wanted to add to our group.

Thanks Matthew and Rob for all your help (and patience),

Brian
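
To see why the original user filter excluded a member of the staff group, here is an added example (Python, not code from the thread or from Prosody's mod_auth_ldap) that applies the thread's user filter plus the uid check, the same AND that user_exists() builds, against a constructed directory. The entries, the USER_FILTER_* names and the escaping helper are assumptions for this illustration, not the plugin's API.

```python
import re

# Added example (not from the thread or Prosody's mod_auth_ldap): a small evaluator for
# the filter subset used above (&, |, !, attr=value), run against constructed entries.

USER_FILTER_ORIGINAL = "(&(objectClass=posixAccount)(gidNumber=10001))"
USER_FILTER_FIXED = "(&(objectClass=posixAccount)(zarafaAccount=1))"

# Constructed directory: briffle's primary gidNumber is not the "all staff" gid;
# that membership lives only on the posixGroup entry. Attribute names are lower-cased.
DIRECTORY = [
    {"objectclass": ["posixAccount", "inetOrgPerson"], "uid": ["briffle"],
     "cn": ["Brian Riffle"], "gidnumber": ["10002"], "zarafaaccount": ["1"]},
    {"objectclass": ["posixAccount"], "uid": ["svc-backup"], "gidnumber": ["10050"]},
    {"objectclass": ["posixGroup"], "cn": ["allStaff"], "gidnumber": ["10001"],
     "memberuid": ["briffle"]},
]

def escape_value(value):
    """RFC 4515 escaping for a value spliced into a filter (the Lua above splices it raw)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def combine_and(*parts):
    """Mirror of ldap.filter.combine_and() as used above: parenthesise bare items, AND them."""
    return "(&" + "".join(p if p.startswith("(") else "(%s)" % p for p in parts) + ")"

def parse_filter(text):
    """Parse a filter into a tree: ('=', attr, value) or ('&'|'|'|'!', [children])."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, pos, children = text[pos], pos + 1, []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        # undo \xx escapes so an escaped username is compared literally, never as a wildcard
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
        return ("=", attr.lower(), value)
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; equality is case-insensitive."""
    if tree[0] == "=":
        return any(v.lower() == tree[2].lower() for v in entry.get(tree[1], []))
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)

def user_exists(user_filter, username, usernamefield="uid", entries=DIRECTORY):
    """The check provider.user_exists() makes above: any entry matching (&(<filter>)(uid=<name>))?"""
    tree = parse_filter(combine_and(user_filter, usernamefield + "=" + escape_value(username)))
    return any(matches(tree, e) for e in entries)
```

With the original filter, user_exists() is false for briffle because gidNumber=10001 appears only on the group entry, which is not a posixAccount; the corrected filter matches on an attribute present in the user's own record, which is the only record the plugin's user search sees.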



Rob Hoelz

Jun 14, 2013, 10:45:08 AM
to Prosody IM Developers Group
I'm glad that we were able to work together to fix your problem. You mention that the documentation could be clearer; could you provide some suggestions on what to add? The README and the wiki are stored in Mercurial, so I'd be happy to merge in whatever you'd like to add. =) Also, if you feel that the plugin code could benefit from some extra warnings or something, please let me know and we can talk about modifying things to be easier for others in the future.

-Rob