If you get the SUCCESS message, the API token is correct (otherwise, you would get an invalid API token response or similar).
Can you connect with another client, e.g. Pidgin, to the BOSH URL?
Did you enable time-limited tokens?
Time-limited tokens are disabled. I thought they can only be enabled if everything worked before. It doesn't even work over Pidgin or Conversations.
Can you tell me more about /etc/xcauth.conf and especially the log files in /var/log/xcauth? (Please edit out API secrets and other information you do not want to be public)
Did you create the directories with the right permissions, e.g. by running ./install.sh?
Is an xcauth.py process running at all? Which mechanism are you using to communicate between Prosody and xcauth?
Which lpty version do you use? Did you apply any of the lpty patches?
```
# Example xcauth.py configuration file
#
# Preferably put this in /etc,
# and make it readable only for the user the XMPP server is running under
#
type=prosody
#
# secret=anonymized
#
url=https://
# timeout=5
#
#
log=/var/log/xcauth
#
# (time suffix s, m, h, d, w is used)
# cache-query-ttl=4h
# (time is measured as for cache-query-ttl)
# cache-verification-ttl=1d
# (as for cache-query-ttl)
cache-unreachable-ttl=1w
#
#
#
# debug
```
* cat /var/log/xcauth/xcauth.log brings out:
2018-02-15 19:00:50,093 DEBUG: Start external auth script 1.0.0 for prosody with endpoint: https://
* The xcauth.err is empty.
* Content of prosody.cfg.lua: (Don't wonder about the commented-out SQL settings (anonymized o.c.), I ran this as a separate XMPP server before) & Sorry for the comments in the configuration, I used a template and just changed the values to what I wanted.
```lua
plugin_paths = { "/opt/xmpp-cloud-auth/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
--/etc/prosody/prosody.cfg.lua
admins = { "anonymous>@<anonymized.com" }
modules_enabled = {
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "vcard"; -- Allow users to set vCards
    "compression"; -- Stream compression (requires the lua-zlib package installed)
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "register"; -- Allows clients to register an account on your server
    "pep"; -- Enables users to publish their mood, activity, playing music and more
    "carbons"; -- XEP-0280: Message Carbons, synchronize messages across devices
    "smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
    "mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
    "csi"; -- XEP-0352: Client State Indication
    "http"; -- mod_http needed for XEP-363
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
    "blocking"; -- XEP-0198 blocking of users
    "watchregistrations";
    "register_web";
    "bosh";
    --"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
    -- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
    -- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};
cross_domain_bosh = true
consider_bosh_secure = true
allow_registration = false -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
ssl = {
    certificate = "/etc/prosody/certs/fullchain.pem";
    key = "/etc/prosody/certs/privkey.pem";
}
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true
daemonize = false
pidfile = "/var/run/prosody/prosody.pid"
--authentication = "internal_hashed"
authentication = "external"
external_auth_command = "/opt/xmpp-cloud-auth/xcauth.py"
storage = "sql"
-- Make sure to change the password
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "anonymized", host = "localhost" }
log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
    "*syslog";
}
VirtualHost "anonymized"
--enable http_upload to allow image sharing across multiple devices and clients
Component "dump.anonymized.com" "http_upload"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.anonymized.com" "muc"
compression_level = 9
--http_ports = { 5280 }
--http_interfaces = { "*" }
https_ports = { 5281 }
https_interfaces = { "*" }
```
* I did re-run ./install.sh to make sure everything is in place & with the right permissions.
* I can't find the process xcauth via the search function of htop, and also there is no service "xcauth". Shouldn't this be started automatically or do I need to create the service manually?
* apt-search lpty brings out: lua-lpty/xenial,now 1.0.1-1 amd64 [installed]
xcauth process: It may well be that Prosody starts it only on first use (ejabberd starts it on startup). According to xcauth.log, it has been started on the first request. So everything seems to be fine there.
xcauth and Nextcloud/JSXC seem to work as they should. That leaves Prosody: Can you try to log in again and provide xcauth.log and prosody.log for that period?
When I looked into the prosody.log I needed to disable a few plugins, maybe that's because of the different plugin path from xmpp-cloud-auth? Can I just copy the plugins from the old plugins folder or are they not compatible? Which modules are required for xmpp-cloud-auth? Maybe that could be a problem...
Anyway, here's the prosody.log:
Feb 19 10:44:25 general info Hello and welcome to Prosody version 0.9.10
Feb 19 10:44:25 general info Prosody is using the select backend for connection handling
Feb 19 10:44:25 sise-it.com:auth_external info External auth with pty command /opt/xmpp-cloud-auth/xcauth.py
Feb 19 10:44:25 portmanager info Activated service 'http' on [::]:5280, [*]:5280
Feb 19 10:44:25 portmanager info Activated service 'https' on [::]:5281, [*]:5281
Feb 19 10:44:25 portmanager info Activated service 'c2s' on [::]:5222, [*]:5222
Feb 19 10:44:25 portmanager info Activated service 'legacy_ssl' on no ports
Feb 19 10:44:25 modulemanager error Unable to load module 'mam': /usr/lib/prosody/modules/mod_mam.lua: No such file or directory
Feb 19 10:44:25 portmanager info Activated service 's2s' on [::]:5269, [*]:5269
Feb 19 10:44:25 modulemanager error Unable to load module 'http_upload': /usr/lib/prosody/modules/mod_http_upload.lua: No such file or directory
Feb 19 10:44:25 hostmanager warn conference.sise-it.com: Option 'https_ports' has no effect for virtual hosts - put it in the server-wide section instead
Feb 19 10:48:15 mod_bosh info New BOSH session, assigned it sid '3c33637a-3c9c-4b5e-b5a8-a45f20b0c93b'
Feb 19 10:48:15 sise-it.com:auth_external warn Unable to interpret data from auth process, [35 bytes]
And here the xcauth.log:
2018-02-19 10:48:15,736 DEBUG: Start external auth script 1.0.0 for prosody with endpoint: https://anonymized/index.php/apps/ojsxc/ajax/externalApi.php
2018-02-19 10:48:15,738 DEBUG: Receive operation auth
2018-02-19 10:48:15,738 DEBUG: Token is too short: 5 != 23 (maybe not a token?)
2018-02-19 10:48:15,741 DEBUG: Starting new HTTPS connection (1): anonymized.com
2018-02-19 10:48:15,980 DEBUG: https://anonymized:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 44
2018-02-19 10:48:15,983 INFO: SUCCESS: Cloud says password for anonymous@anonymized.com is valid
One more thing: My cloud is running on cloud.mydomain.com while Prosody is running directly on mydomain.com, but it resolves to the same IP address, so that couldn't be the problem, right?
Ok, now it's getting weird... I can log in now, but only on the second try after logging in to my cloud. That's reflected in the prosody.log too:
Feb 19 11:02:30 mod_bosh info New BOSH session, assigned it sid '3aacf3ba-544e-4ecb-9509-42fd7049ee2a'
Feb 19 11:02:36 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:02:40 mod_bosh info New BOSH session, assigned it sid 'd3513069-08ff-4df0-921a-375690ffbd37'
Feb 19 11:02:40 boshd3513069-08ff-4df0-921a-375690ffbd37 info Authenticated as hannes@anonymized.com
Feb 19 11:03:21 mod_bosh info New BOSH session, assigned it sid '921fb10b-c52a-47d9-9e51-37c44b1f50af'
Feb 19 11:03:26 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:03:28 mod_bosh info New BOSH session, assigned it sid 'efad2674-58b1-454c-af99-36011e5da35b'
Feb 19 11:03:29 boshefad2674-58b1-454c-af99-36011e5da35b info Authenticated as hannes@anonymized.com
Feb 19 11:03:55 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:04:06 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:04:16 c2s212d320 info Client connected
Feb 19 11:04:25 c2s212d320 info Client disconnected: closed
Feb 19 11:04:49 mod_bosh info New BOSH session, assigned it sid 'd9756fdb-10fd-4b97-b2e3-cb11e717351f'
Feb 19 11:04:54 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:05:11 mod_bosh info New BOSH session, assigned it sid 'd6e6f129-8415-4cc9-ae01-4f9c4f278293'
Feb 19 11:05:17 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:05:19 mod_bosh info New BOSH session, assigned it sid 'c6dcf7e9-6684-42db-ae5c-a16491add5c2'
Feb 19 11:05:20 boshc6dcf7e9-6684-42db-ae5c-a16491add5c2 info Authenticated as hannes@anonymized.com
Now that's very interesting... When I got a login, I could also add a contact and write a message... But why is it working only on the second try? I can't log in via Conversations.
Update: I created a test user in Nextcloud for testing the message transfer. It's working. Now I can also log in on the first try... Can I re-enable my modules such as http_upload, for example, by copying them to the plugin folder? Is there a list of supported plugins for xmpp-cloud-auth?
Update 2: Authentication now works in 99% of tries. I think the problem was at least the old plugins, which were not present in the new plugin folder. The last thing remaining is the question whether I can use my plugins from the old plugin path by copying them into the new folder provided by xmpp-cloud-auth.
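A small log-correlation script, added here as an example and not part of this thread or of the xmpp-cloud-auth project: it pairs every BOSH session in the prosody.log excerpt above with its outcome (the auth_external "Error while waiting for result" warning or an "Authenticated as" line), so the "works only on the second try" pattern becomes countable instead of eyeballed. The sample input is the log excerpt quoted above; the year 2018 is assumed because Prosody's log format carries none.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: the prosody.log lines quoted in this thread, embedded so the script runs offline.
SAMPLE_LOG = """\
Feb 19 11:02:30 mod_bosh info New BOSH session, assigned it sid '3aacf3ba-544e-4ecb-9509-42fd7049ee2a'
Feb 19 11:02:36 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:02:40 mod_bosh info New BOSH session, assigned it sid 'd3513069-08ff-4df0-921a-375690ffbd37'
Feb 19 11:02:40 boshd3513069-08ff-4df0-921a-375690ffbd37 info Authenticated as hannes@anonymized.com
Feb 19 11:03:21 mod_bosh info New BOSH session, assigned it sid '921fb10b-c52a-47d9-9e51-37c44b1f50af'
Feb 19 11:03:26 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
Feb 19 11:03:28 mod_bosh info New BOSH session, assigned it sid 'efad2674-58b1-454c-af99-36011e5da35b'
Feb 19 11:03:29 boshefad2674-58b1-454c-af99-36011e5da35b info Authenticated as hannes@anonymized.com
Feb 19 11:03:55 sise-it.com:auth_external warn Error while waiting for result from auth process: unknown error
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>\S+) (?P<lvl>\w+) (?P<msg>.*)$")
SID_RE = re.compile(r"assigned it sid '(?P<sid>[0-9a-f-]+)'")


def correlate_bosh_auth(log_text):
    """Attach an outcome to every BOSH session: 'authenticated', 'auth_error' or 'unknown'.
    An auth_external 'Error while waiting for result' is charged to the newest session that
    has no outcome yet; an 'Authenticated as' line is matched to its session by sid."""
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Prosody log line
        src, msg = m.group("src"), m.group("msg")
        # Prosody logs no year; the excerpt is from February 2018, the date of this thread (assumed).
        ts = datetime.strptime(m.group("ts") + " 2018", "%b %d %H:%M:%S %Y")
        if src == "mod_bosh" and "New BOSH session" in msg:
            sid = SID_RE.search(msg).group("sid")
            sessions.append({"sid": sid, "started": ts, "outcome": "unknown", "seconds": None})
        elif src.endswith(":auth_external") and "Error while waiting for result" in msg:
            if sessions and sessions[-1]["outcome"] == "unknown":
                sessions[-1]["outcome"] = "auth_error"
                sessions[-1]["seconds"] = (ts - sessions[-1]["started"]).total_seconds()
        elif src.startswith("bosh") and msg.startswith("Authenticated as"):
            for s in sessions:
                if s["sid"] == src[len("bosh"):]:
                    s["outcome"] = "authenticated"
                    s["seconds"] = (ts - s["started"]).total_seconds()
    return sessions


def outcome_counts(sessions):
    # Roughly equal auth_error and authenticated counts is the "works only on second try" pattern.
    return dict(Counter(s["outcome"] for s in sessions))
```

Run it over a full day's prosody.log instead of the sample to see how often the external auth process fails to answer before the retry succeeds; the "seconds" field shows how long Prosody waited before giving up on each failed attempt.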
Ah, then it's probably the lpty bug and thus a duplicate of #45 and #21. This has been reported (with patches) to the Prosody team almost a year ago. I am sorry to hear that people are still bitten by it.
As a workaround, use the mod_auth_external.lua from the ./prosody-modules/ subdirectory.
Do you have a suggestion where we should reference that part of ./doc/Installation.md from, so that you would have stumbled over it?
Oh... I think the mention in the installation guide is enough, but I didn't know that it's that issue, because the logs weren't telling me that. I will try the workaround :) But anyway it seems to work without that most of the time too, so we can close this issue. (Shall I?) Thanks very much for your help :)
Hello there,
I configured everything like it's mentioned in the documentation. My BOSH URL is working and I can reach it in my browser, and it's also available in Nextcloud. But I can't log in to the XMPP server in Nextcloud. When I try to do a test login via the command line, I'm getting the following output:
So it seems like the password is correct, but it's not getting the correct API key? But I checked the secret key multiple times. I've got the xcauth.conf at /etc/ and also at /opt/xmpp-cloud-auth/ (I thought maybe it doesn't get the location of the .conf file in /etc/).
What else do I need to check? Could it be an issue with the API secret codes? PS: I am running Nextcloud 13 Stable with the newest version of JSXC.
Greetings