Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed | Gopher

Ejabberd Active Directory LDAP Login

Published: 12-06-2013 | Author: Remy van Elst | Text only version of this article


❗ This post is over nine years old. It may no longer be up to date. Opinions may have changed.

This tutorial shows you how to set up ejabberd to authenticate against a Microsoft Active Directory LDAP. It is tested with an mixed Server 2008 / Server 2012 Active Directory, and ejabberd 2.1.10 running on Debian 7 and Ubuntu 12.04.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

If you need to set up an ejabberd server then you can read my tutorial here how to do that.

This tutorial assumes a working ejabberd installation and a working Active Directory installation.

Edit the /etc/ejabberd/ejabberd.cfg file and change the auth_method from internal to LDAP, and use the following example settings:

{host_config, "example.org", [{auth_method, ldap},
{ldap_servers, ["pdc.example.org", "dc2.example.org", "dc3.example.org"]},
{ldap_encrypt, none},
{ldap_port, 389},
{ldap_uids, [{"sAMAccountName", "%u"}]},
{ldap_base, "cn=Users,dc=Example,dc=org"},
{ldap_rootdn, "EXAMPLE\\ejabberd-ldap-account"},
{ldap_password, "HAc4glzWnhhMHSMEJTUq"}]}.
{acl, admin, {user, "adminUser", "example.org"}}.
{acl, admin, {user, "remy", "example.org"}}.

As you can see I use the "Example.org" Active Directory domain with three LDAP AD Domain Controllers and with a special ejabberd LDAP bind account. This can be a normal account, but please create a separate one so that if the config of ejabberd gets compromised you only have to change one password at one place.

After setting up the config give ejabberd a restart:

/etc/init.d/ejabberd restart

And you are all set to go. If you use a clustered setup make sure you set this configuration on all the nodes.

Tags: active-directory , chat , dns , ejabberd , erlang , federation , jabber , ldap , microsoft , tutorials , windows-server , xmpp