Authenticating Active Directory/LDAP users with ejabberd

From Mike A. Leonetti


So, it came to pass that I had to get a good intercompany IM that worked with Active Directory. And I thought, ejabberd does LDAP, that'll work right? And I was right. Only since I didn't know too much about the way Active Directory used LDAP I had to do a lot of searching on the web. Here is what I found works best.



Of course, ejabberd needs to be installed with LDAP support. Your Active Directory server also needs to be set up, and you need to know a username/password that you can bind with and that can list the users.

Also, I'd suggest possibly using mod_srl if you would like to be able to create an "Everyone" group and have everybody listed.

Searching the LDAP tree of Active Directory

We need to find out a little bit about how our Active Directory LDAP tree works. We can browse it using ldapsearch from ldap-tools.

ldapsearch -b "dc=domain,dc=com" -D "DOMAIN\\Administrator" -W -x -h 10.10.12.254

Replace the IP address with that of your Active Directory server, and DOMAIN\\Administrator with the user you actually want to bind as (it can be Administrator); remember that DOMAIN has to be your domain. Also replace the base with your own. It's likely dc=yourdomain,dc=com.

It will prompt you for the user's password that you want to use to get in.

Now take note of where the users are stored. Mine was stored in ou=DOMAIN Users,dc=aetechgroup,dc=com. We need this for ejabberd.

Configuring ejabberd

Open up your /etc/jabber/ejabberd.cfg file with your favorite editor and find the lines where it starts talking about ldap.


{auth_method, ldap}.

{ldap_servers, [""]}.

{ldap_encrypt, none}.

{ldap_port, 389}.

{ldap_rootdn, "DOMAIN\\Administrator"}.

{ldap_password, "password"}.

{ldap_base, "ou=DOMAIN Users,dc=domain,dc=com"}.

{ldap_uids, [{"sAMAccountName", "%u"}]}.

Of course, change the above fields to what you need. If you need encryption, set {ldap_encrypt, tls}. as necessary; you may also need to change the port.

My Active Directory config had the usernames in the sAMAccountName field. If you need to use a different field, use the search from the previous section to find the one you want.
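The following Python check is an added example, not part of the original page or of ejabberd. It parses the configuration above and flags the settings a reviewer would question: an unencrypted bind, tls paired with port 389, and binding as the built-in Administrator. The sample config is constructed from this page's values; the function names and finding codes are made up for the example.

```python
import re

# Constructed sample: this page's settings in ejabberd.cfg syntax
# (server address taken from the ldapsearch example above).
SAMPLE_CFG = r'''
%% LDAP authentication against Active Directory
{auth_method, ldap}.
{ldap_servers, ["10.10.12.254"]}.
{ldap_encrypt, none}.
{ldap_port, 389}.
{ldap_rootdn, "DOMAIN\\Administrator"}.
{ldap_password, "password"}.
{ldap_base, "ou=DOMAIN Users,dc=domain,dc=com"}.
{ldap_uids, [{"sAMAccountName", "%u"}]}.
'''

TERM = re.compile(r'^\{\s*(\w+)\s*,\s*(.*)\}\.\s*$')
BUILTIN_ADMIN = re.compile(r'(?:^|[\\=])administrator(?:[,@]|$)', re.I)

def parse_cfg(text):
    """Return {option: raw value} for single-line {Key, Value}. terms."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith('%'):      # whole-line Erlang comment
            continue
        m = TERM.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def audit(opts):
    """Return (code, advice) findings for the LDAP auth settings."""
    findings = []
    if opts.get('auth_method') != 'ldap':
        return findings
    encrypt = opts.get('ldap_encrypt', 'none')
    if encrypt == 'none':
        findings.append(('cleartext-bind',
            'bind and user passwords cross the network unencrypted; '
            'set {ldap_encrypt, tls}.'))
    elif encrypt == 'tls' and opts.get('ldap_port') == '389':
        findings.append(('tls-port-mismatch',
            'tls here means LDAPS, not STARTTLS; use the LDAPS port (636)'))
    if BUILTIN_ADMIN.search(opts.get('ldap_rootdn', '').strip('"')):
        findings.append(('privileged-bind',
            'bind with a dedicated account that can only read the user OU'))
    return findings

if __name__ == '__main__':
    for code, advice in audit(parse_cfg(SAMPLE_CFG)):
        print(f'{code}: {advice}')
```

Run against the sample, it reports `cleartext-bind` and `privileged-bind`; point `parse_cfg` at the contents of your own /etc/jabber/ejabberd.cfg to check a live file.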
