processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

mod_shared_roster_ldap doesn't work #2795

Closed romuloslv closed 4 years ago

romuloslv commented 5 years ago

What version of ejabberd are you using?

ejabberd-18.12.1

What operating system (version) are you using?

CentOS Linux release 7.6.1810 (Core)

How did you install ejabberd (source, package, distribution)?

package

What did not work as expected? Are there error messages in the log? What was the unexpected behavior? What was the expected result?

I would like help setting up my server. I have tried everything, but when logging in with any XMPP client, no group (nor its users) from my AD is returned. Authentication and vCards are working; can anyone tell me how to pass the result of this query to mod_shared_roster_ldap?

ldapsearch -LLL -H ldap://server -x -D 'domain\manager' -w 'password' -E pr=1000/noprompt -b 'OU=Bathroom, OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com' '(objectCategory=group) ' displayName member

I have tried to configure the file in several ways but without success.

The above ldapsearch query works in my scenario perfectly, I just want to translate it to the module.

romuloslv commented 5 years ago

my config:

mod_shared_roster_ldap:
  ldap_base: "OU=Bathroom, OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com"
  ldap_rfilter: "(objectCategory=group)"
  ldap_gfilter: "(&(objectCategory=group)(memberOf=*))"
  ldap_groupattr: "sAMAccountName"
  ldap_groupdesc: ""
  ldap_memberattr_format: "%u"
  ldap_memberattr: "sAMAccountName"
  ldap_ufilter: "(&(objectCategory=user)(uid=%u))"
  ldap_userdesc: "displayName"
  ldap_useruid: "sAMAccountName"
  ldap_auth_check: off

I see the group queries being made in debug mode, but nothing appears in Gajim.

mremond commented 5 years ago

Did you try to issue the same query manually? Does it match properly?

romuloslv commented 5 years ago

I tried several LDAP queries, all return the expected result. Example:

[root@ejabberd ejabberd]# ldapsearch -LLL -H ldap://192.168.11.23 -x -D 'domain\admin' -w 'ejabberd12321' -E pr=1000/noprompt -b 'OU=PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com' '(objectCategory=group)' displayName member

dn: CN=ADM-x-PE,OU=Bathroom,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com
member: CN=employee,OU=FIN-x-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com

dn: CN=DIRERC-PE,OU=PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com

dn: CN=GEPLAN-PE,OU=PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com

dn: CN=RH-x-PE,OU=PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com

dn: CN=TI-x-PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com
member: CN=employee,OU=TI-x-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com
member: CN=employee,OU=_Usuarios Suporte,DC=domain,DC=com

dn: CN=DEMID-PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com
member: CN=employee,OU=DEMID-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com
member: CN=employee,OU=DEMID-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com
member: CN=employee,OU=DEMID-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com

dn: CN=DEPRO-PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com
member: CN=employee,OU=DEPRO-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com

dn: CN=DIRATE-PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com
member: CN=employee,OU=DIRATE-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com
member: CN=employee,OU=DIRATE-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com

dn: CN=FIN-x-PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com
member: CN=employee,OU=FIN-x-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com
member: CN=employee,OU=FIN-x-PE,OU=Recife-Pe,OU=domain,DC=domain,DC=com
member: CN=employee,OU=FIN-x-BA,OU=Salvador,OU=domain,DC=domain,DC=com
member: CN=employee,OU=FIN-x-BA,OU=Salvador,OU=domain,DC=domain,DC=com
member: CN=employee,OU=FIN-x-BA,OU=Salvador,OU=domain,DC=domain,DC=com

dn: CN=RECP-x-PE,OU=PE,OU=Guest Room, OU=Rooms, OU=House , DC=domain, DC=com

Any idea?

cryol commented 5 years ago

See it

johnnybubonic commented 5 years ago

The same issue continues to occur on 19.02.

I have confirmed that the filters used return the expected results, even manually following the process (using the same bind DN). I have confirmed that the filters are even being processed and returned properly on the LDAP server.

Will this ever be fixed? No errors logged. The roster simply never populates. ejabberdctl srg_list <host> returns nothing, fresh clients never pull a roster at all, etc.

cryol commented 5 years ago

People, either I do not understand you or you are doing something wrong. My WORKING conf (FreeIPA):

ldap_servers:
   - "auth.ipa.example.com"
ldap_encrypt: none
ldap_port: 389
ldap_rootdn: "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"
ldap_password: "ldappasswd"
ldap_base: "dc=example,dc=com"
ldap_uids:
   - "uid": "%u"
ldap_filter: "(&(objectClass=inetOrgPerson)(!(nsAccountLock=TRUE))(memberOf=cn=xmpp_users,cn=groups,cn=accounts,dc=example,dc=com))"

mod_roster: {}

mod_shared_roster_ldap:
  ldap_base: "cn=users,cn=accounts,dc=example,dc=com"
  ldap_rfilter: "(&(objectClass=inetOrgPerson)(!(nsAccountLock=TRUE))(!(memberOf=cn=service_users,cn=groups,cn=accounts,dc=example,dc=com)))"
  ldap_groupattr: "employeeNumber"
  ldap_memberattr: "uid"
  ldap_userdesc: "displayName"

mod_vcard:
  db_type: ldap
  search: true
  ldap_vcard_map:
    "NICKNAME": {"%u": []}
    "FN": {"%s": ["displayName"]}
    "FAMILY": {"%s": ["sn"]}
    "GIVEN": {"%s": ["givenName"]}
    "ORGNAME": {"%s": ["company"]}
    "ORGUNIT": {"%s": ["department"]}
    "LOCALITY": {"%s": ["l"]}
    "DESC": {"%s": ["description"]}
    "TEL": {"%s": ["mobile"]}
    "EMAIL": {"%s": ["mail"]}
    "PHOTO": {"%s": ["jpegPhoto"]}

  ldap_search_fields:
    "Name": "givenName"
    "Family Name": "sn"
    "Email": "mail"
    "Company": "company"
    "Department": "department"
    "Role": "title"
    "Description": "description"
    "Phone": "telephoneNumber"

  ldap_search_reported:
    "Full Name": "FN"
    "Nickname": "NICKNAME"
    "Birthday": "BDAY"
    "Email": "EMAIL"

Try it

p.s. shared_roster_group NOT LDAP

johnnybubonic commented 5 years ago

"Works for me" is not a fix. Additionally, "p.s. shared_roster_group NOT LDAP" is unclear. Assuming you mean mod_shared_roster_ldap, and assuming you mean it isn't working, yes, we know, which is why this issue is open.

Here's mine.

define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  'TLS_OPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"
  'DH_FILE': "/opt/ejabberd/conf/ssl/dh4096.pem"
loglevel: 5
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 10000
language: "en"
hosts:
  - "domain1.tld"
  - "domain2.tld"
  - "domain3.tld"
  - "FQDN.domain.tld"
ca_file: "/etc/letsencrypt/live/FQDN.domain.tld/fullchain.pem"
certfiles:
  - "/etc/letsencrypt/live/FQDN.domain.tld/fullchain.pem"
  - "/etc/letsencrypt/live/FQDN.domain.tld/privkey.pem"
  - "/opt/ejabberd/conf/ssl/domain1.tld.pem"
c2s_dhfile: 'DH_FILE'
s2s_dhfile: 'DH_FILE'
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTS'
s2s_protocol_options: 'TLS_OPTS'
s2s_cafile: "/etc/ssl/certs/ca-bundle.crt"
s2s_use_starttls: required
acme:
   contact: "mailto:ssladmin@domain1.tld"
   ca_url: "https://acme-v01.api.letsencrypt.org"
ldap_tls_cacertfile: "/etc/ssl/certs/ca-bundle.crt"
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
    zlib: true
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/api": mod_http_api
      "/bosh": mod_bosh
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
      "/oauth": ejabberd_oauth
    protocol_options: 'TLS_OPTS'
    dhfile: 'DH_FILE'
    ciphers: 'TLS_CIPHERS'
    web_admin: true
    captcha: true
    tls: true
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    web_admin: false
  -
    port: 1883
    ip: "::"
    module: mod_mqtt
    backlog: 1000
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  - port: 8888
    ip: "::"
    module: ejabberd_service
    access: all
    shaper: fast
  -
    port: 3478
    transport: udp
    module: ejabberd_stun
disable_sasl_mechanisms: "digest-md5"
outgoing_s2s_families:
 - ipv4
 - ipv6
outgoing_s2s_timeout: 190
shaper:
  normal: 1000
  fast: 50000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    - 5000: admin
    - 100
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast
max_fsm_queue: 10000
acl:
  local:
    user_regexp: ""
  vpn:
    ip:
      - "VPN_IP/32"
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"
  admin:
    user:
      - "admin@FQDN.domain.tld"
access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  s2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
    - allow: vpn
  muc_admin:
    - allow: admin
  pubsub_createnode:
    - allow: local
  register:
    - allow: admin
  trusted_network:
    - allow: loopback
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
              - acl: loopback
              - acl: admin
      - oauth:
          - scope: "ejabberd:admin"
          - access:
              - allow:
                  - acl: loopback
                  - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
captcha_cmd: "/opt/ejabberd-current/lib/ejabberd-current/priv/bin/captcha.sh"
captcha_host: "FQDN.domain.tld:5280"
captcha_limit: 5
sql_type: mysql
sql_server: "localhost"
sql_database: "ejabberd"
sql_username: "ejabberd"
sql_password: "SOME_PASSWORD"
sql_pool_size: 5
default_db: sql
new_sql_schema: true
auth_method: [ldap]
ldap_servers:
 - "LDAP_SERVER_FQDN"
ldap_encrypt: tls
ldap_tls_cacertfile: "/etc/ssl/certs/ca-bundle.crt"
ldap_rootdn: "cn=BINDDN_HERE,ou=Servers,dc=DIT,dc=HERE"
ldap_password: "ANOTHER_PASSWORD"
ldap_base: "dc=DIT,dc=HERE"
ldap_uids:
  - "cn"
ldap_filter: "(&(objectClass=extensibleObject)(!(|(pwdLockout=TRUE)(pwdAccountLockedTime=*))))"
allow_contrib_modules: true
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
    db_type: sql
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco: {}
  mod_echo: {}
  mod_fail2ban: {}
  mod_http_api: {}
  mod_http_fileserver:
    docroot: "/opt/ejabberd/database/ejabberd@localhost/www/muc/chat@muc.domain1.tld"
    accesslog: "/opt/ejabberd/logs/access.log"
  mod_http_upload:
    docroot: "@HOME@/upload"
    put_url: "https://@HOST@:5443/upload"
  mod_http_upload_quota:
    max_days: 30
  mod_last:
    db_type: sql
  mod_mam:
   db_type: sql
   assume_mam_usage: true
   default: always
   compress_xml: true
  mod_mqtt: {}
  mod_muc:
    host: "muc.@HOST@"
    access:
      - allow
    access_create: muc_create
    access_mam: muc_admin
    access_persistent: muc_admin
    default_room_options:
      allow_change_subj: false
      logging: true
      allow_subscription: true
      mam: true
    db_type: sql
  mod_muc_admin: {}
  mod_muc_log:
    dirname: room_jid
    dirtype: subdirs
    file_format: html
    file_permissions:
      mode: 750
      group: 993
    spam_prevention: true
    timezone: universal
  mod_multicast:
    access: admin
  mod_offline:
    db_type: sql
    access_max_user_messages: max_user_offline_messages
  mod_ping:
    send_pings: true
    ping_interval: 60
    ping_ack_timeout: 300
    timeout_action: none
  mod_privacy:
    db_type: sql
  mod_private:
    db_type: sql
  mod_privilege: {}
  mod_proxy65:
    access: local
    max_connections: 5
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - "flat"
      - "pep"
    force_node_config:
      "storage:bookmarks":
        access_model: whitelist
    db_type: sql
  mod_push:
    db_type: sql
    include_body: true
    include_sender: true
  mod_push_keepalive: {}
  mod_register:
    ip_access: trusted_network
    welcome_message:
      subject: "Welcome to ORGNAME!"
      body: |-
        Hi.
        Welcome to the ORGNAME chat system.
    access: register
    captcha_protected: true
  mod_register_web: {}
  mod_roster:
    db_type: sql
    store_current_id: false
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster:
    db_type: sql
  mod_shared_roster_ldap:
    ldap_deref_aliases: finding
    ldap_auth_check: off
    ldap_base: "ou=ChatRosterGroups,dc=DIT,dc=HERE"
    ldap_gfilter: "(&(|(objectClass=groupOfNames)(objectClass=alias))(cn=%g))"
    ldap_groupattr: "displayName"
    ldap_groupdesc: "displayName"
    ldap_memberattr: "member"
    ldap_memberattr_format: "%u"
    ldap_rfilter: "(objectClass=*)"
    ldap_filter: ""
    ldap_userdesc: "displayName"
  mod_sic: {}
  mod_sip: {}
  mod_stats: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_time: {}
  mod_version:
    show_os: false

And hell, here's an example LDIF. If you're so confident, give it a shot with OpenLDAP with OLC. You will find yourself mistaken.

version: 1

dn: dc=DIT,dc=HERE
objectClass: domain
objectClass: top
dc: DIT

dn: ou=Staff,dc=DIT,dc=HERE
objectClass: organizationalUnit
ou: Staff

dn: ou=Groups,dc=DIT,dc=HERE
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: cn=Manager,dc=DIT,dc=HERE
objectClass: organizationalRole
cn: Manager
description: LDAP Administrator

dn: ou=Servers,dc=DIT,dc=HERE
objectClass: organizationalUnit
ou: Servers

dn: ou=ChatRosterGroups,dc=DIT,dc=HERE
objectClass: organizationalUnit
ou: ChatRosterGroups

dn: cn=USER1,ou=Staff,dc=DIT,dc=HERE
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: extensibleObject
objectClass: inetOrgPerson
cn: USER1
displayName: A User
gecos: A. User
givenName: AUser
# "test"
userPassword: {CRYPT}$6$msq3wmFa91CuphOR$YzfP95zhy5HHSxH.nwIjVr4UfD720KTNfj2qYBLLfttYx5ukb1pTplwFKvdp/n3nVJCoE8xWKIOI8qT6ZKCPM0

dn: cn=USER2,ou=Staff,dc=DIT,dc=HERE
objectClass: top
objectClass: shadowAccount
objectClass: posixAccount
objectClass: extensibleObject
objectClass: inetOrgPerson
cn: USER2
displayName: Another User
gecos: A. User2
givenName: AnotherUser
# "test"
userPassword: {CRYPT}$6$ttYTPmg7VY9sk/qe$IxEu8gvjQ04lqFB6W7Dt2ucrd/dyaEvbWoCrmKdLXBdW7Ojf7FmHW4wPJk1AXZgWJIMN9h92mFa3oqRJfWcgL0

dn: ou=ParentGrp,ou=Groups,dc=DIT,dc=HERE
objectClass: top
objectClass: organizationalUnit
# the naming attribute value must match the RDN, or the add fails with a namingViolation
ou: ParentGrp

dn: cn=ChildGrp,ou=ParentGrp,ou=Groups,dc=DIT,dc=HERE
objectClass: extensibleObject
objectClass: top
objectClass: groupOfNames
cn: ChildGrp
member: cn=USER1,ou=Staff,dc=DIT,dc=HERE
description: This group is a test child group.
displayName: ParentGrp: ChildGrp

dn: cn=BINDDN_HERE,ou=Servers,dc=DIT,dc=HERE
objectClass: extensibleObject
objectClass: top
cn: BINDDN_HERE
description: ejabberd
# "ANOTHER_PASSWORD"
userPassword: {CRYPT}$6$k7iVHdQwKRlLKiTz$pChVU75GEvv0aq5JcOW/W5X77Lm67oO8eRk.ibVux1.uHmNKc33woJHjnRXp1sHne6BuLTXd0Z0iPl4Evlg/v.

dn: cn=ParentGrp_ChildGrp,ou=ChatRosterGroups,dc=DIT,dc=HERE
objectClass: top
objectClass: extensibleObject
objectClass: alias
aliasedObjectName: cn=ChildGrp,ou=ParentGrp,ou=Groups,dc=DIT,dc=HERE
cn: ParentGrp_ChildGrp

mrDoctorWho commented 4 years ago

Still no fix or workaround?

Neustradamus commented 4 years ago

@processone: It would be nice to have only one module for the shared roster.

To change: mod_shared_roster_ldap

In: mod_shared_roster with db_type: ldap

It was done for mod_vcard/mod_vcard_ldap.

Thanks in advance.

testdeploys commented 4 years ago

Hello, I'm trying to configure the module 'mod_shared_roster_ldap' too and I can't get it to work. I don't know if I'm doing something wrong or whether there is some kind of issue with this module.

My goal is to see all the groups of the Domain Controller with their members.

My setup is:

-> OS: Ubuntu 18.04.3
-> Jabber: 18.01-2
-> ADDC: Samba 4.7.6

The relevant configuration of Jabber:

auth_method: ldap
ldap_servers:
  - "testserver.lan"
ldap_port: 389
ldap_rootdn: "CN=jabberadmin,CN=Users,DC=testserver,DC=lan"
ldap_password: "somepassword"
ldap_base: "DC=testserver,DC=lan"
ldap_uids:
  "sAMAccountName": "%u"

mod_roster: {}

mod_shared_roster_ldap:
  ldap_rfilter: "(&(objectClass=group)(!(isCriticalSystemObject=*))(!(AdvancedView=*)))"
  ldap_gfilter: "(&(objectClass=group)(cn=%g))"
  ldap_groupattr: "cn"
  ldap_groupdesc: "cn"
  ldap_memberattr: "member"
  ldap_ufilter: "(&(objectClass=user)(cn=%u))"
  ldap_useruid: "sAMAccountName"
  ldap_userdesc: "displayName"

And some entries of LDAP:

###
### User entry:
###
dn: CN=Andrea Garcia,CN=Users,DC=testserver,DC=lan
cn: Andrea Garcia
sn: Garcia
givenName: Andrea
instanceType: 4
whenCreated: 20191204170424.0Z
displayName: Andrea Garcia
uSNCreated: 4081
name: Andrea Garcia
objectGUID: 818ef6ce-d302-412b-9d36-bdb3e1e1b8b2
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-2360836440-2782324857-807239378-1109
accountExpires: 9223372036854775807
sAMAccountName: andrea
sAMAccountType: 805306368
userPrincipalName: andrea@TESTSERVER.LAN
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=testserver,DC=lan
uidNumber: 65536
gidNumber: 2513
quota: 500
pwdLastSet: 132199526644976690
userAccountControl: 512
mail: andrea@testserver.lan
mailbox: testserver.lan/andrea/
userMaildirSize: 0
mailquota: 0
mailHomeDirectory: /var/vmail/
homeDrive: H:
homeDirectory: \\node01.TESTSERVER.LAN\andrea
lastLogon: 132199528087519610
logonCount: 1
lastLogonTimestamp: 132199528087519610
objectClass: top
objectClass: Mail
objectClass: posixAccount
objectClass: person
objectClass: userJabberAccount
objectClass: systemQuotas
objectClass: organizationalPerson
objectClass: user
whenChanged: 20191206112805.0Z
jabberUid: andrea
jabberAdmin: FALSE
uSNChanged: 4144
memberOf: CN=news,CN=Groups,DC=testserver,DC=lan
memberOf: CN=devops,CN=Groups,DC=testserver,DC=lan
distinguishedName: CN=Andrea Garcia,CN=Users,DC=testserver,DC=lan

###
### Group entry:
###
dn: CN=devops,CN=Groups,DC=testserver,DC=lan
objectClass: top
objectClass: posixAccount
objectClass: group
cn: devops
instanceType: 4
whenCreated: 20191206113014.0Z
uSNCreated: 4152
name: devops
objectGUID: a4326eb2-ceed-4a0c-b04e-f1c3c58e330b
objectSid: S-1-5-21-2360836440-2782324857-807239378-1111
sAMAccountName: devops
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=testserver,DC=lan
gidNumber: 3111
member: CN=Andrea Garcia,CN=Users,DC=testserver,DC=lan
member: CN=Gabriel Lop,CN=Users,DC=testserver,DC=lan
whenChanged: 20191206113219.0Z
uSNChanged: 4185
distinguishedName: CN=devops,CN=Groups,DC=testserver,DC=lan

I tested several combinations but none of them worked, for example, I added the options:

Also, here are some LDAP queries:

ldbsearch -H /usr/local/samba/private/sam.ldb "(&(objectClass=group)(!(isCriticalSystemObject=*))(!(AdvancedView=*)))" cn

# record 5
dn: CN=devops,CN=Groups,DC=testserver,DC=lan
cn: devops

# record 6
dn: CN=news,CN=Groups,DC=testserver,DC=lan
cn: news

ldbsearch -H /usr/local/samba/private/sam.ldb "(&(objectClass=group)(cn=marketing))" member

# record 1
dn: CN=devops,CN=Groups,DC=testserver,DC=lan
member: CN=Andrea Garcia,CN=Users,DC=testserver,DC=lan
member: CN=Gabriel Lop,CN=Users,DC=testserver,DC=lan

ldbsearch -H /usr/local/samba/private/sam.ldb "(&(objectClass=user)(sAMAccountName=andrea))" cn

# record 1
dn: CN=Andrea Gracía,CN=Users,DC=testserver,DC=lan
cn:: QW5kcmVhIEdyYWPDrWE=

Can anyone help me?

licaon-kter commented 4 years ago

Can you test with 19.09.1?

testdeploys commented 4 years ago

Hi @licaon-kter ,

I have tested the version '19.08-2' and I got the same result.

I did more tests in version '18.01-2' and I found out what is happening in my environment. All my users have a blank space in their CN, like 'CN=Maria Gomez,CN=Users,DC=testserver,DC=lan', and because of this space Jabber isn't displaying the group and its members. As soon as I created a user with a CN without a space, it displayed the group and its members.

So, is this behaviour a bug? Is there a way to fix it without making changes to the users' CN? I saw this issue but, honestly, I don't understand it.

Thanks.
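A check worth running when a shared roster group silently disappears: take the raw values of the group's member attribute, extract the user ID the way the module's documented options describe (ldap_memberattr_format is a globbing pattern where %u stands for the user ID and defaults to "%u", meaning the whole value; ldap_memberattr_format_re is a regex alternative whose first capture group is the user ID), and test whether that ID is even a legal XMPP localpart. RFC 6122 nodeprep forbids a space in a localpart (along with " & ' / : < > @), while commas and "=" are allowed, so a full DN containing "Andrea Garcia" cannot become a JID but one containing "mgomez" can. That matches the reporter's observation above; whether it is the actual cause inside ejabberd is a hypothesis, not something this thread confirms. The script below is an added, stand-alone illustration written for this page, not ejabberd code: its pattern matcher is an approximation of the documented options, and its sample member values are constructed from the group entry quoted above plus one space-free CN.

```python
"""Check which LDAP group member values would survive as XMPP roster users.

Added example, not ejabberd code. Approximates two documented
mod_shared_roster_ldap options: ldap_memberattr_format (globbing pattern,
%u marks the user ID, default "%u") and ldap_memberattr_format_re (regex,
first capture group is the user ID), then validates the extracted ID
against the ASCII characters RFC 6122 nodeprep forbids in a localpart.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 6122 nodeprep: these ASCII characters are prohibited in a localpart,
# the space included. (Control characters and several Unicode ranges are also
# prohibited; only the ASCII set is checked here.)
PROHIBITED_LOCALPART_CHARS = set(' "&\'/:<>@')


def extract_member_id(value: str, fmt: str = "%u",
                      fmt_re: Optional[str] = None) -> Optional[str]:
    """Return the user ID carried by one member attribute value, or None.

    fmt:    pattern in which %u marks the user ID, e.g.
            "cn=%u,ou=Staff,dc=DIT,dc=HERE". Matching is case-insensitive
            because DN attribute types are.
    fmt_re: if given, a regex whose first group is the user ID; it takes
            precedence over fmt.
    """
    if fmt_re is not None:
        m = re.match(fmt_re, value)
        return m.group(1) if m else None
    if "%u" not in fmt:
        raise ValueError("ldap_memberattr_format must contain %u")
    head, tail = fmt.split("%u", 1)
    pattern = re.escape(head) + r"(.+?)" + re.escape(tail) + r"$"
    m = re.match(pattern, value, re.IGNORECASE)
    return m.group(1) if m else None


def localpart_problems(localpart: str) -> List[str]:
    """List the prohibited characters found in a would-be JID localpart."""
    if not localpart:
        return ["empty"]
    return sorted(c for c in set(localpart) if c in PROHIBITED_LOCALPART_CHARS)


def check_members(member_values: Iterable[str], fmt: str = "%u",
                  fmt_re: Optional[str] = None
                  ) -> Dict[str, Tuple[Optional[str], List[str]]]:
    """Map each member attribute value to (extracted user ID, problems)."""
    report = {}
    for value in member_values:
        uid = extract_member_id(value, fmt, fmt_re)
        if uid is None:
            report[value] = (None, ["no match for memberattr format"])
        else:
            report[value] = (uid, localpart_problems(uid))
    return report


# Constructed sample: the two member values from the group entry quoted
# above, plus a hypothetical user whose CN has no space.
SAMPLE_MEMBERS = [
    "CN=Andrea Garcia,CN=Users,DC=testserver,DC=lan",
    "CN=Gabriel Lop,CN=Users,DC=testserver,DC=lan",
    "CN=mgomez,CN=Users,DC=testserver,DC=lan",
]

if __name__ == "__main__":
    for fmt in ("%u", "CN=%u,CN=Users,DC=testserver,DC=lan"):
        print(f"ldap_memberattr_format: {fmt!r}")
        for value, (uid, problems) in check_members(SAMPLE_MEMBERS, fmt).items():
            status = "ok" if not problems else "rejected: " + ", ".join(map(repr, problems))
            print(f"  {value}\n    -> {uid!r}: {status}")
```

With the default "%u" the whole DN becomes the candidate localpart, and only the space-free CN passes; with a DN-shaped pattern the CN itself is extracted, and the names with spaces still fail. Either way the check points at the same root cause as the reporter's experiment: an attribute whose values contain spaces is not usable as the XMPP user ID, so the user ID has to come from an attribute that does not (in the thread's Active Directory examples, sAMAccountName).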

Neustradamus commented 4 years ago

Please note: there are always PRs about ldap and shared roster:

testdeploys commented 4 years ago

Thanks @Neustradamus, but I can't see any Pull Request related to this behaviour.

So, I'm waiting for someone who can confirm whether it's a bug or just a misconfiguration.

Neustradamus commented 3 years ago

@romuloslv, @cryol, @johnnybubonic, @mrDoctorWho, @testdeploys, @ryba84: With 21.04 or master, does it work perfectly?

Linked to:

ryba84 commented 3 years ago

It's working for me now. Look at #3614