LDAP support auth not working

Bug #1241632 reported by Oliver Mueller
This bug affects 10 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ejabberd | Fix Released | Unknown | | |
| ejabberd (Debian) | Fix Released | Unknown | | |
| ejabberd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Trusty | Fix Released | Medium | Unassigned | |

Bug Description

I updated to Ubuntu Saucy and after the update, the LDAP auth is not working anymore. I didn't change the configuration and the LDAP itself is running and working for many other services. Only ejabberd is unable to bind.

The following log entries repeat constantly without users trying to access the system.

=INFO REPORT==== 2013-10-18 13:17:31 ===
I(<0.291.0>:eldap:983) : LDAP connection on bohr.teqneers.de:389

=WARNING REPORT==== 2013-10-18 13:17:31 ===
W(<0.288.0>:eldap:931) : LDAP bind failed on bohr.teqneers.de:389
Reason: {undef,[{asn1rt_ber_bin,decode_tag,
                                [<<48,13,2,2,3,49,97,7,10,1,0,4,0,4,0>>],
                                []},
                {eldap,check_tag,1,[{file,"eldap.erl"},{line,911}]},
                {eldap,recvd_wait_bind_response,2,
                       [{file,"eldap.erl"},{line,876}]},
                {eldap,handle_info,3,[{file,"eldap.erl"},{line,571}]},
                {gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,505}]},
                {proc_lib,init_p_do_apply,3,
                          [{file,"proc_lib.erl"},{line,239}]}]}

=INFO REPORT==== 2013-10-18 13:17:31 ===
I(<0.38.0>:ejabberd_app:89) : ejabberd 2.1.10 is stopped in the node ejabberd@bohr

==> /var/log/ejabberd/erlang.log <==
          supervisor: {local,ejabberd_sup}
             started: [{pid,<0.493.0>},
                       {name,'ejabberd_mod_caps_chat.teqneers.de'},
                       {mfargs,{mod_caps,start_link,["chat.teqneers.de",[]]}},
                       {restart_type,transient},
                       {shutdown,1000},
                       {child_type,worker}]

=PROGRESS REPORT==== 18-Oct-2013::13:10:20 ===
          supervisor: {local,ejabberd_sup}
             started: [{pid,<0.500.0>},
                       {name,'ejabberd_mod_irc_sup_chat.teqneers.de'},
                       {mfargs,
                           {ejabberd_tmp_sup,start_link,
                               ['ejabberd_mod_irc_sup_chat.teqneers.de',
                                mod_irc_connection]}},
                       {restart_type,permanent},
                       {shutdown,infinity},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 18-Oct-2013::13:10:20 ===
          supervisor: {local,ejabberd_sup}
             started: [{pid,<0.501.0>},
                       {name,'ejabberd_mod_irc_chat.teqneers.de'},
                       {mfargs,{mod_irc,start_link,["chat.teqneers.de",[]]}},
                       {restart_type,temporary},
                       {shutdown,1000},
                       {child_type,worker}]

=PROGRESS REPORT==== 18-Oct-2013::13:10:20 ===
          supervisor: {local,ejabberd_sup}
             started: [{pid,<0.506.0>},
                       {name,'ejabberd_mod_muc_sup_chat.teqneers.de'},
                       {mfargs,
                           {ejabberd_tmp_sup,start_link,
                               ['ejabberd_mod_muc_sup_chat.teqneers.de',
                                mod_muc_room]}},
                       {restart_type,permanent},
                       {shutdown,infinity},
                       {child_type,supervisor}]

=PROGRESS REPORT==== 18-Oct-2013::13:10:20 ===
          supervisor: {local,ejabberd_sup}
             started: [{pid,<0.507.0>},
                       {name,'ejabberd_mod_muc_chat.teqneers.de'},
                       {mfargs,
                           {mod_muc,start_link,
                               ["chat.teqneers.de",
                                [{access,muc},
                                 {access_create,muc},
                                 {access_persistent,muc},
                                 {access_admin,muc_admin},
                                 {history_size,5000},
                                 {max_users,500},
                                 {default_room_options,
                                     [{allow_change_subj,false},
                                      {allow_private_messages,true},
                                      {allow_user_invites,false},
                                      {anonymous,false},
                                      {logging,true},
                                      {members_by_default,true},
                                      {persistent,false},
                                      {public,false},
                                      {public_list,false}]}]]}},
                       {restart_type,temporary},
                       {shutdown,1000},
                       {child_type,worker}]
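
The byte list in the WARNING REPORT above is the reply the LDAP server sent, so decoding it shows whether the directory rejected the bind or the client failed while reading the answer. The following Python is an added example, not part of the original report or of ejabberd: a minimal BER reader (definite lengths and low tag numbers only) whose names `read_tlv` and `decode_ldap_result` are hypothetical. For the logged bytes it yields a BindResponse with resultCode success, which places the failure on the ejabberd side, in line with the `undef` error on `asn1rt_ber_bin:decode_tag`.

```python
# Byte list copied from the WARNING REPORT in the bug description: the
# argument the traceback shows being passed to asn1rt_ber_bin:decode_tag.
LOGGED = bytes([48, 13, 2, 2, 3, 49, 97, 7, 10, 1, 0, 4, 0, 4, 0])

# RFC 4511 APPLICATION tags and result codes relevant to a bind exchange.
LDAP_OPS = {0: "BindRequest", 1: "BindResponse"}
RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def read_tlv(buf, pos=0):
    """Read one BER TLV; return (class, constructed, tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    ident, length = buf[pos], buf[pos + 1]
    pos += 2
    if ident & 0x1F == 0x1F or length == 0x80:
        raise ValueError("high tag numbers / indefinite lengths unsupported")
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return ident >> 6, bool(ident & 0x20), ident & 0x1F, buf[pos:end], end

def decode_ldap_result(pdu):
    """Decode an LDAPMessage whose protocolOp carries an LDAPResult."""
    cls, constructed, tag, body, end = read_tlv(pdu)
    if (cls, constructed, tag) != (0, True, 16) or end != len(pdu):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    _, _, tag, msg_id, pos = read_tlv(body)
    if tag != 2:
        raise ValueError("messageID is not an INTEGER")
    cls, _, op_tag, op, _ = read_tlv(body, pos)
    if cls != 1:
        raise ValueError("protocolOp is not APPLICATION class")
    _, _, tag, code, pos = read_tlv(op)
    if tag != 10:
        raise ValueError("resultCode is not ENUMERATED")
    _, _, _, matched_dn, pos = read_tlv(op, pos)
    _, _, _, diagnostic, _ = read_tlv(op, pos)
    code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "op": LDAP_OPS.get(op_tag, f"APPLICATION {op_tag}"),
            "result": RESULT_CODES.get(code, f"resultCode {code}"),
            "matched_dn": matched_dn.decode(), "diagnostic": diagnostic.decode()}
```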

Oliver Mueller (oliver-vpr) wrote :

Sorry, forgot my current LDAP conf from ejabberd.conf

%%% ==============
%%% AUTHENTICATION

%%
%% auth_method: Method used to authenticate the users.
%% The default method is the internal.
%% If you want to use a different method,
%% comment this line and enable the correct ones.
%%
%%{auth_method, internal}.

%%
%% Authentication using external script
%% Make sure the script is executable by ejabberd.
%%
%%{auth_method, external}.
%%{extauth_program, "/path/to/authentication/script"}.

%%
%% Authentication using ODBC
%% Remember to setup a database in the next section.
%%
%%{auth_method, odbc}.

%%
%% Authentication using PAM
%%
%%{auth_method, pam}.
%%{pam_service, "pamservicename"}.

%%
%% Authentication using LDAP
%%
{auth_method, ldap}.
%%
%% List of LDAP servers:
{ldap_servers, ["localhost"]}.
%%
%% Encryption of connection to LDAP servers (LDAPS):
{ldap_encrypt, none}.
%%{ldap_encrypt, tls}.
%%
%% Port connect to LDAP server:
{ldap_port, 389}.
%%{ldap_port, 636}.
%%
%% LDAP manager:
%%{ldap_rootdn, "dc=example,dc=com"}.
%%
%% Password to LDAP manager:
%%{ldap_password, ""}.
%%
%% Search base of LDAP directory:
{ldap_base, "ou=group,dc=teqneers,dc=de"}.
%%
%% LDAP attribute that holds user ID:
%%{ldap_uids, [{"mail", "%<email address hidden>"}]}.
{ldap_uids, [{"uid","%u"}]}.
%%
%% LDAP filter:
%%{ldap_filter, "(objectClass=shadowAccount)"}.
{ldap_filter, "(objectClass=shadowAccount)"}.

Konstantin Khomoutov (flatworm) wrote :

Looks like you've hit [1] because Saucy has Erlang 16B packaged [2] while Debian Testing (from which this version of ejabberd had supposedly been pulled) has the previous Erlang version packaged, R15B [3] and so the bug is not triggered there.

That's just triaging, I don't know how's best to fix it. Will report back later.

1. https://support.process-one.net/browse/EJAB-1612
2. http://packages.ubuntu.com/saucy/erlang-base
3. http://packages.debian.org/wheezy/erlang-base

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ejabberd (Ubuntu):
status: New → Confirmed
Andrew Snare (ajs-deactivatedaccount) wrote :

The upstream fix was included in ejabberd 2.1.12, and really quite small: https://github.com/processone/ejabberd/commit/2704378d43035474c5f3d8a656b81c7bc28b5ff9

If it proves too difficult to package the newer release, it should be fairly simple to apply the same fix to the 2.1.10 release.

Rhonda D'Vine (rhonda) wrote : Re: [Bug 1241632] Re: LDAP support auth not working

* Konstantin Khomoutov <email address hidden> [2013-10-18 17:18:45 CEST]:
> Looks like you've hit [1] because Saucy has Erlang 16B packaged [2]
> while Debian Testing (from which this version of ejabberd had supposedly
> been pulled) has the previous Erlang version packaged, R15B [3] and so
> the bug is not triggered there.

 Well, [3] is wheezy (which is stable now), not testing. So the issue
also affects Debian testing. :)

 Given that 2.1.12 does fix the issue, I plan to update to 2.1.13 in the
next few days in Debian to fix this issue for Debian. For saucy, we
would need to pull in the change to a saucy update given that saucy has
been released already.

 Enjoy,
Rhonda
--
If you feel discouraged, take courage at last, go |
If you feel helpless, go out and help, go | Wir sind Helden
If you feel powerless, go out and act, go | 23.55: Alles auf Anfang
If you feel adrift, find a hold and let go |

Konstantin Khomoutov (flatworm) wrote :

Fix committed [1].

While testing the fix I discovered that LDAPS (LDAP over SSL) fails to work. This has been found to be caused by R16 compat issues as well, and unfortunately, this will be harder to fix as the problem is about module name clashes between ejabberd and Erlang. Will file a separate bug report for that.

1. http://git.deb.at/w/pkg/ejabberd.git/commit/566ed3c18c94bb2a28ecd4ee11a76396a346e806

Changed in ejabberd:
status: Unknown → New
Changed in ejabberd (Debian):
status: Unknown → New
Deokgon Kim (dgkim) wrote :

Will it be fixed on 13.10 Saucy?

I have fixed it manually.

1. download 2.1.10 source.

2. apply patch on src/eldap.erl

3. compile with following command.
erlc -DSSL40 -I ../ -pz ../ eldapd.erl

4. replace eldap.beam (/usr/lib/ejabberd/ebin/eldap.beam)

Karsten Richter (acc+launchpad) wrote :

Fix for Trusty (following dgkim's solution):

1. download https://launchpad.net/ubuntu/trusty/+source/ejabberd/2.1.11-1ubuntu2/+files/ejabberd_2.1.11-1ubuntu2.tar.gz
2. apply flatworm's patch on src/eldap.erl
3. Compile the ASN.1 dependency: erlc -bber ELDAPv3.asn
4. Compile eldap.erl: erlc -DSSL40 -I ../ -pz ../ eldap.erl
5. replace eldap.beam in /usr/lib/ejabberd/ebin/

NOTE: also for saucy I'm quite sure it is eldap.erl and not eldapd.erl (typo in dgkim's solution).

LDAP auth works again like a charm after that patch (ejabberd 2.1.11 on trusty AMD64)

Johan Smits (johan-smits) wrote :

Is there a proposed deb available?

Changed in ejabberd (Ubuntu Trusty):
status: New → Confirmed
Paul van Tilburg (paulvt) wrote :

For convenience, this patch applies if appended to the quilt patch series on Trusty's ejabberd (i.e. 2.1.11-1ubuntu2).

Source: https://github.com/processone/ejabberd/commit/2704378d43035474c5f3d8a656b81c7bc28b5ff9.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fix-LDAP-support-with-erlang-R16A.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Lionel Porcheron (lionel.porcheron) wrote :

Hi Paul,

Sorry, I did not see your patch. I was preparing a patch. I have just uploaded a fix in Utopic and I'm now preparing an upload for trusty.

Lionel Porcheron (lionel.porcheron) wrote :

Stable Release Update

[IMPACT]

* ejabberd with LDAP authentication enabled.
* user can not authenticate anymore with LDAP backend
* details in upstream bug: https://support.process-one.net/browse/EJAB-1612

[TESTCASE]

Install ejabberd with LDAP authentication backend.
Without this patch, authentication will fail. With the patch, authentication will work again.

[REGRESSION POTENTIAL]

Minimal, fix is upstream and applied in new ejabberd versions.

This fix was validated on our production (with an ejabberd using LDAP with about 100 accounts).

Lionel Porcheron (lionel.porcheron) wrote :

ejabberd_2.1.11-1ubuntu2.1 with the fix has been uploaded to trusty-proposed and is waiting for SRU Team validation.

Chris J Arges (arges) wrote : Please test proposed package

Hello Oliver, or anyone else affected,

Accepted ejabberd into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ejabberd/2.1.11-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ejabberd (Ubuntu Trusty):
status: Confirmed → Fix Committed
tags: added: verification-needed
Changed in ejabberd (Ubuntu Trusty):
importance: Undecided → Medium
Johan Smits (johan-smits) wrote :

Tested ejabberd_2.1.11-1ubuntu2.1_amd64.deb from the proposed and it solves the problem.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.11-1ubuntu3

---------------
ejabberd (2.1.11-1ubuntu3) utopic; urgency=low

  * Fix LDAP authentication (LP: #1241632)
    - debian/patches/fix-erlang-r16b-compat.patch: backport upstream
      fix for Erlang 16b compatibility.
    - upstream reference: https://support.process-one.net/browse/EJAB-1612
  * Add ufw profile (LP: #1254688)
 -- Lionel Porcheron <email address hidden> Mon, 28 Apr 2014 13:27:21 +0200

Changed in ejabberd (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 2.1.11-1ubuntu2.1

---------------
ejabberd (2.1.11-1ubuntu2.1) trusty; urgency=low

  * Fix LDAP authentication (LP: #1241632)
    - debian/patches/fix-erlang-r16b-compat.patch: backport upstream
      fix for Erlang 16b compatibility.
    - upstream reference: https://support.process-one.net/browse/EJAB-1612
 -- Lionel Porcheron <email address hidden> Mon, 28 Apr 2014 12:09:12 +0200

Changed in ejabberd (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for ejabberd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in ejabberd:
status: New → Confirmed
Changed in ejabberd (Debian):
status: New → Confirmed
Changed in ejabberd:
status: Confirmed → Fix Committed
Changed in ejabberd (Debian):
status: Confirmed → Fix Committed
Changed in ejabberd:
status: Fix Committed → Fix Released
Changed in ejabberd (Debian):
status: Fix Committed → Fix Released