Wednesday, September 8, 2010

Installing ejabberd under Centos 5.5, with AD auth and PostgreSQL backend

Ejabberd is a popular IM server in the open source community. It uses the XMPP protocol (the same one Google uses). In this guide I will install it and configure it for AD authentication and a PostgreSQL database backend for its data.

Installing ejabberd
First of all, download the latest stable ejabberd version from
There are two ways to install ejabberd. Like most Linux packages, you can install it from the binary installer or compile the source code. Here we use the binary installer, since it is easy and installs the necessary modules.

Give the binary execution permissions:
#chmod +x /root/ejabberd-2.1.5-linux-x86_64-installer.bin
Execute the binary:
#./ejabberd-2.1.5-linux-x86_64-installer.bin
Complete the installation by answering all the questions the installer prompts.

Open ports in firewall for ejabberd:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5223 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5269 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5280 -j ACCEPT

Now add a user account called ejabberd to run the ejabberd daemon:
#useradd -c "ejabberd user" ejabberd

Ejabberd keeps its own database for its data. If you ran the installer as root, give the database directory and the logs directory the appropriate ownership and permissions:

#chown -R ejabberd /opt/ejabberd-2.1.5/database
#chown -R ejabberd /opt/ejabberd-2.1.5/logs
#chmod u+w /opt/ejabberd-2.1.5/database
#chmod u+w /opt/ejabberd-2.1.5/logs

Now you are ready to start the server. Copy the init script from /opt/ejabberd-2.1.5/bin/ejabberd.init to /etc/init.d and rename it ejabberd.
#service ejabberd start
#ps aux | grep ejabberd

Now add an account for administration purposes:
#su - ejabberd /opt/ejabberd-2.1.5/bin/ejabberdctl register admin_user your_virtual_host your_pass
The your_virtual_host parameter is the virtual host on which you grant this user admin access. Your server may have several virtual hosts.

Grant the user admin access in the ejabberd ACLs:
#vi /etc/ejabberd/ejabberd.cfg
Add to the ACLs section:
{acl, admin, {user, "admin_user", "your_virtual_host"}}. %% the final dot is mandatory in Erlang syntax

Log in to the web interface to check that everything works so far.
your_server is the IP address or the domain name of the computer running ejabberd.
Use the credentials you registered previously, in the form admin_user@your_virtual_host.

PostgreSQL database
Now we will configure ejabberd to store its data in a PostgreSQL database (not for authentication). First of all, install the PostgreSQL server on your box:
#yum install postgresql-server.x86_64
Set a password for the postgres user:
#su postgres
#psql
# ALTER USER postgres WITH PASSWORD 'your_pass';

Create the database ejabberd:
#sudo -u postgres createdb ejabberd

With the supplied script, create the tables:
#su postgres
#psql ejabberd < /opt/ejabberd-2.1.5/lib/ejabberd-2.1.5/priv/odbc/pg.sql

Add a user "ejabberd" to interact with the database (if you want). In this case I did it through the pgAdmin visual client.

Configure the ODBC connection parameters in ejabberd.cfg:
{odbc_server, {pgsql, "127.0.0.1", "ejabberd", "ejabberd", "your_pass"}}.

Now configure the modules you want to use with this ODBC backend. In this case I selected:
mod_offline_odbc
mod_privacy_odbc
mod_private_odbc
mod_pubsub_odbc
mod_roster_odbc

Initially I selected vcard_odbc and odbc auth to test this config; this will change shortly.

At this point you can test your server by adding accounts to it through a client. For that, you must enable in-band registration, which allows users to register from a client:
%% In-band registration
{access, register, [{allow, all}]}.

Now we continue by adding Active Directory support for authentication and vCards.

AD auth
First of all, change the authentication method to ldap in ejabberd.cfg:
{auth_method, ldap}.

Download ldapadmin from http://ldapadmin.sourceforge.net/; this tool helps you identify the correct DNs for the objects you need to configure for LDAP auth.

Create a domain account; it will be used to query the domain controllers. Using ldapadmin, get that user's full DN and the base DN for the search.
{ldap_rootdn, "CN=My_user,CN=Users,DC=example,DC=org"}.
{ldap_password, "My_user_pass"}.
{ldap_base, "OU=Domain Users,DC=example,dc=org"}. %% The search takes place under this base
{ldap_uids, [{"userPrincipalName","%u@example.org"}]}. %% LDAP attributes (with a format for %u, the JID user part) that identify the user's entry; several alternatives may be listed
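The LDAP options above, the in-band registration rule and the odbc_server line from the earlier sections, checked by a small audit script. This is an added example, not ejabberd's own tooling: the two sample configurations inside it are constructed from the guide's values, and the ldap_encrypt and ldap_port options used in the hardened variant are ejabberd 2.1 options this guide does not show. It flags an LDAP bind without TLS (the bind password and every user's password then cross the network to the domain controllers in clear text) and the {allow, all} registration rule, and it lists which options embed credentials, so that ejabberd.cfg is kept readable only by the ejabberd user.

```python
"""Audit ejabberd.cfg (ejabberd 2.1 Erlang-term syntax) for the weak settings
a first-pass setup like the one in this guide leaves behind.

Added example; not ejabberd's own tooling. Matching is regex-based and only
understands single-line top-level options of the shape {name, Value}.
"""
import re

# Constructed sample: the options exactly as the guide sets them.
GUIDE_CFG = """\
{auth_method, ldap}.
{ldap_rootdn, "CN=My_user,CN=Users,DC=example,DC=org"}.
{ldap_password, "My_user_pass"}.
{ldap_base, "OU=Domain Users,DC=example,dc=org"}.
{ldap_uids, [{"userPrincipalName","%u@example.org"}]}.  %% trailing comment
%% In-band registration
{access, register, [{allow, all}]}.
{odbc_server, {pgsql, "127.0.0.1", "ejabberd", "ejabberd", "your_pass"}}.
"""

# Constructed sample: the same options with the weaknesses fixed.
# ldap_encrypt/ldap_port are ejabberd 2.1 options (LDAPS on 636), not from the guide.
HARDENED_CFG = """\
{auth_method, ldap}.
{ldap_encrypt, tls}.
{ldap_port, 636}.
{ldap_rootdn, "CN=My_user,CN=Users,DC=example,DC=org"}.
{ldap_password, "My_user_pass"}.
{ldap_base, "OU=Domain Users,DC=example,dc=org"}.
{ldap_uids, [{"userPrincipalName","%u@example.org"}]}.
{access, register, [{deny, all}]}.
{odbc_server, {pgsql, "127.0.0.1", "ejabberd", "ejabberd", "your_pass"}}.
"""

REGISTER_ALL = re.compile(
    r"\{\s*access\s*,\s*register\s*,\s*\[\s*\{\s*allow\s*,\s*all\s*\}\s*\]\s*\}\s*\.")

# Options whose value contains a credential.
SECRET_OPTIONS = ("ldap_password", "odbc_server")


def strip_comments(cfg_text):
    """Remove Erlang '%' comments, but keep a '%' inside a "..." string
    (ldap_uids templates such as "%u@example.org" contain one)."""
    lines = []
    for line in cfg_text.splitlines():
        kept, in_string = [], False
        for ch in line:
            if ch == '"':
                in_string = not in_string
            elif ch == "%" and not in_string:
                break
            kept.append(ch)
        lines.append("".join(kept))
    return "\n".join(lines)


def option(cfg, name):
    """Value text of the top-level option {name, Value}. or None if absent."""
    m = re.search(r"\{\s*" + re.escape(name) + r"\s*,\s*(.*?)\}\s*\.", cfg, re.S)
    return m.group(1).strip() if m else None


def audit(cfg_text):
    """Return the list of weak-setting findings (empty means none found)."""
    cfg = strip_comments(cfg_text)
    findings = []
    if option(cfg, "auth_method") == "ldap" and option(cfg, "ldap_encrypt") != "tls":
        findings.append("ldap_encrypt is not tls: bind-DN and user passwords "
                        "are sent to the domain controllers in clear text")
    if REGISTER_ALL.search(cfg):
        findings.append("in-band registration allowed for all: anyone reaching "
                        "port 5222 can create accounts while an internal or "
                        "odbc auth method is active")
    return findings


def secrets_in_cfg(cfg_text):
    """Names of options that embed a credential, so the file mode must be tight."""
    cfg = strip_comments(cfg_text)
    return [name for name in SECRET_OPTIONS if option(cfg, name) is not None]


def mode_is_private(mode):
    """True when group and other have no permission bits (e.g. 0o600)."""
    return (mode & 0o077) == 0


if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_CFG), ("hardened", HARDENED_CFG)):
        print(label, audit(cfg) or "no findings", "secrets:", secrets_in_cfg(cfg))
```

Run it against the real file with audit(open("/etc/ejabberd/ejabberd.cfg").read()) and compare os.stat(path).st_mode with mode_is_private; on this setup the file should be owned by the ejabberd user and readable by nobody else, since it holds both the AD bind password and the PostgreSQL password.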

Now we configure the vcard module to retrieve the info from the AD servers (this entry goes inside the modules list of ejabberd.cfg):

{mod_vcard_ldap,
   [{ldap_vcard_map, %% Maps LDAP attributes to vCard fields
     [{"NICKNAME", "%u", []},
      {"GIVEN", "%s", ["givenName"]},
      {"MIDDLE", "%s", ["initials"]},
      {"FAMILY", "%s", ["sn"]},
      {"FN", "%s", ["displayName"]},
      {"EMAIL", "%s", ["mail"]},
      {"ORGNAME", "%s", ["company"]},
      {"ORGUNIT", "%s", ["department"]},
      {"CTRY", "%s", ["c"]},
      {"LOCALITY", "%s", ["l"]},
      {"STREET", "%s", ["streetAddress"]},
      {"REGION", "%s", ["st"]},
      {"PCODE", "%s", ["postalCode"]},
      {"TITLE", "%s", ["title"]},
      {"URL", "%s", ["wWWHomePage"]},
      {"DESC", "%s", ["description"]},
      {"TEL", "%s", ["telephoneNumber"]}]},
    {ldap_search_fields, %% The fields a user can search on when looking for another user
     [{"User", "%u"},
      {"Name", "givenName"},
      {"Family Name (Surname)", "sn"},
      {"Email", "mail"},
      {"Company", "company"},
      {"Department", "department"},
      {"Role", "title"},
      {"Description", "description"},
      {"Phone", "telephoneNumber"}]},
    {ldap_search_reported, %% It specifies the reported fields as result of the search
     [{"Full Name", "FN"},
      {"Nickname", "NICKNAME"},
      {"Email", "EMAIL"}]}
   ]
  },
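To make the template semantics concrete: the added example below (an illustration written for this page, not ejabberd's code) shows how an ldap_uids entry becomes the search filter for a given JID user part, with RFC 4515 escaping of the substituted value, and how ldap_vcard_map turns a directory entry into vCard fields. The sample AD entry and the shortened map are constructed; dropping a field whose LDAP attributes are all missing is this example's own choice.

```python
"""How ejabberd's LDAP templates resolve: ldap_uids turns a JID user part into
a search filter, and ldap_vcard_map turns an LDAP entry into vCard fields.

Added illustration of the option semantics, not ejabberd's code. The value
escaping follows RFC 4515 so that a user name cannot alter the filter.
"""

# The guide's ldap_uids entry.
LDAP_UIDS = [("userPrincipalName", "%u@example.org")]

# A shortened copy of the guide's ldap_vcard_map.
LDAP_VCARD_MAP = [
    ("NICKNAME", "%u", []),
    ("GIVEN", "%s", ["givenName"]),
    ("FAMILY", "%s", ["sn"]),
    ("FN", "%s", ["displayName"]),
    ("EMAIL", "%s", ["mail"]),
    ("ORGNAME", "%s", ["company"]),
    ("TEL", "%s", ["telephoneNumber"]),
]

# Constructed sample AD entry (attribute -> value); telephoneNumber is absent.
SAMPLE_ENTRY = {
    "userPrincipalName": "jdoe@example.org",
    "givenName": "Jane", "sn": "Doe", "displayName": "Jane Doe",
    "mail": "jane.doe@example.org", "company": "Example Org",
}


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def uid_filter(user, uids=LDAP_UIDS):
    """Build one (attr=template) assertion per ldap_uids entry, substituting the
    escaped user part for %u; several entries are OR-ed together."""
    parts = ["(%s=%s)" % (attr, template.replace("%u", escape_filter_value(user)))
             for attr, template in uids]
    return parts[0] if len(parts) == 1 else "(|%s)" % "".join(parts)


def vcard_from_entry(user, entry, vmap=LDAP_VCARD_MAP):
    """Apply ldap_vcard_map: %u becomes the JID user part, each %s the value of
    the next listed LDAP attribute. A field whose attributes are all missing
    from the entry is dropped (this example's choice)."""
    vcard = {}
    for field, template, attrs in vmap:
        value = template.replace("%u", user)
        if attrs:
            values = [entry.get(a) for a in attrs]
            if all(v is None for v in values):
                continue
            for v in values:
                value = value.replace("%s", v or "", 1)
        vcard[field] = value
    return vcard


if __name__ == "__main__":
    print(uid_filter("jdoe"))
    print(vcard_from_entry("jdoe", SAMPLE_ENTRY))
```

The filter for user jdoe is (userPrincipalName=jdoe@example.org), searched under ldap_base; a user part containing filter metacharacters is escaped rather than interpreted.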

That's all. You should now have a fully functional ejabberd IM server. Soon I will post how to configure a cluster of servers.