Could not find a default user and password for Ejabber

While attempting to configure the XMPP with the external Ejabber Chat server installed on NS7, the following obstacles are in my way.

  1. Could not find a default user and password for Ejabber, so I used one existing from the LDAP and defined it as admin in ejabber

-----ejabberd.conf-----extract------
% 10AdminUsers
% {acl, admin, {user_regexp, "^(root)$"}}.
{acl, admin, {user, "adminejabber", "mydomain"}}.
% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.
---------------------------------------end of extract------
Trying to log into the ejabber web interface (adminejabber@mydomain) does not show details… Access is granted, however no rosters, nothing, no node name…

Could someone help ???

  1. On the JSXC plugin of Nextcloud I am failing to contact the BOSH server of Ejabber
    http://myip:5222/http-bind/
    or
    https://myip:5223/http-bind/

none is working.

I appreciate if someone can jump in and help me fix these issues.

I cannot help much, but you may try if there’s more luck creating a jabberadmins group and adding an existing user.

http://docs.nethserver.org/en/v7rc/chat.html
http://docs.nethserver.org/projects/nethserver-devel/en/v7b/nethserver-ejabberd.html


@dnutan thank you.
None worked for me.

It is a bit strange that Pidgin is not able to register to the chat server, whereas PSI (https://psi-im.org) registers normally, to port 5222 only.
Note: PSI does not require http-bind.

-----ejabbered.cfg---extract for http-bind---------
,{5280, ejabberd_http, [tls, {certfile, "/etc/ejabberd/ejabberd.pem"}, http_poll, web_admin, web_admin,{request_handlers, [{["http-bind"], mod_http_bind}]}]}


When I point my browser to http://myip:5222/http-bind/
I get the following reply

<?xml version="1.0"?>
<stream:stream id="15279925592916941269" version="1.0" from="mydomain" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
<stream:error>
<xml-not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/>
</stream:error>
</stream:stream>

I do not recall if that is normal or not and cannot seem to find a solution…

No matter what I change in the ejabber.cfg file, every time I restart the ejabberd service the file is regenerated.
Someone from Nethserver has generated these files as the header says:


% ================= DO NOT MODIFY THIS FILE =================
%
% Manual changes will be lost when this file is regenerated.
%
% Please read the developer’s guide, which is available
% at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
% original work from http://www.contribs.org/development/
%
% Copyright © 2013 Nethesis S.r.l.
% http://www.nethesis.it - support@nethesis.it

First, the version of Ejabber is 16, hence the config file no longer has the extension .cfg; it should be .yml or .yaml.
I tried to convert the file to .yml but unfortunately it was not taken into consideration and a new .cfg file was created instead.

Could someone investigate this and revert back please ?
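An added example, not part of the original posts or of NethServer's code: in the extract quoted above, the http-bind request handler is attached to the ejabberd_http listener on 5280, so what a port returns to a plain HTTP GET shows which kind of listener it is. The function names and the sample reply (modelled on the one quoted above for port 5222, with a placeholder id) are constructed for illustration.

```python
import socket
from xml.sax.saxutils import quoteattr

BOSH_NS = "http://jabber.org/protocol/httpbind"  # XEP-0124 namespace

# Constructed sample, modelled on the reply quoted in the thread (id is a placeholder).
SAMPLE_5222_REPLY = (
    b"<?xml version='1.0'?><stream:stream id='0000' version='1.0' from='mydomain' "
    b"xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'>"
    b"<stream:error><xml-not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    b"</stream:error></stream:stream>"
)

def classify_reply(raw: bytes) -> str:
    """Say what kind of listener produced `raw` in answer to a plain HTTP GET."""
    if not raw:
        return "closed"        # peer hung up, e.g. plain HTTP sent to a TLS-only port
    if raw[0] == 0x15:
        return "tls"           # TLS alert record: the port expects a TLS handshake
    text = raw.decode("utf-8", "replace").lstrip()
    if text.startswith("HTTP/"):
        return "http"          # an HTTP server (ejabberd_http or a reverse proxy)
    if "<stream:stream" in text or "<stream:error" in text:
        return "xmpp-stream"   # raw XMPP port: it parsed the GET as a broken stream
    return "unknown"

def bosh_session_request(domain: str, rid: int) -> str:
    """Build the XEP-0124 session-creation <body/> that a BOSH client POSTs first."""
    return ("<body rid=%s to=%s hold='1' wait='60' ver='1.6' xmpp:version='1.0' "
            "xmlns='%s' xmlns:xmpp='urn:xmpp:xbosh'/>"
            % (quoteattr(str(rid)), quoteattr(domain), BOSH_NS))

def probe(host: str, port: int, path: str = "/http-bind/", timeout: float = 5.0) -> str:
    """Send a plain HTTP GET to host:port and classify the first bytes returned."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode())
            return classify_reply(s.recv(4096))
    except ConnectionRefusedError:
        return "refused"       # nothing is listening on that port
    except (socket.timeout, ConnectionResetError):
        return "closed"
```

A port that classifies as `xmpp-stream` or `refused` is not a BOSH endpoint; `bosh_session_request()` gives the body to POST to one that answers `http`.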

For changes to remain you can use a custom template

Sorry but I can’t figure out what you’re trying to achieve.

If you want to give admin permissions to an existing user, just add the user to the special group jabberadmins. The jabberadmins must be created manually.

From the devel doc:

By the way, we fixed a bug on the BOSH part a couple of days ago, make sure your machine is fully updated.

Reference:

@giacomo

What I am trying to achieve is to gain access to the Ejabber web console in order to manage the rosters and groups; I do not want everyone to be shown on the list.

Created a group ejabberadmins on both Linux and the LDAP; results are the same as posted earlier: no admin control, only user access, which is basically useless.

All this is related to the Nextcloud implementation and required at the Nextcloud interface.

  1. The bosh server is not working on ejabber, I am not sure where the problem comes from.
    I have been working on this for a few hours with no luck.

I was triggered by something I read on the net about proxy or forwarding, which could be my issue.
If I disable the shorewall firewall, I have no more results for http://myip:5222/http-bind
however the https://myip:5280/http-bind results are always ok

My server is up to date, and I just checked the software center through the web interface.

Command 1
----------curl -k -v https://192.168.23.xx:5280/http-bind-------------

  • About to connect() to 192.168.23.xx port 5280 (#0)
  • Trying 192.168.23.xx…
  • Connected to 192.168.23.xx (192.168.23.xx) port 5280 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • NSS error -5938 (PR_END_OF_FILE_ERROR)
  • Encountered end of file
  • Closing connection 0
    curl: (35) Encountered end of file
    ------------------------------------end of command 1---------

Command 2
---------------------curl -k -v https://192.168.23.xx/http-bind/---------------

  • About to connect() to 192.168.23.xx port 443 (#0)
  • Trying 192.168.23.xx…
  • Connected to 192.168.23.xx (192.168.23.xx) port 443 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • skipping SSL peer certificate verification
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Server certificate:
  •   subject: L=Hometown,C=--,E=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer
  •   start date: Oct 14 06:00:17 2016 GMT
  •   expire date: Oct 12 06:00:17 2026 GMT
  •   common name: NethServer
  •   issuer: L=Hometown,C=--,E=root@localhost.localdomain,OU=Main,ST=SomeState,O=Example Org,CN=NethServer

GET /http-bind/ HTTP/1.1
User-Agent: curl/7.29.0
Host: 192.168.23.xx
Accept: */*

< HTTP/1.1 502 Proxy Error
< Date: Mon, 17 Oct 2016 15:17:06 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16
< Content-Length: 399
< Content-Type: text/html; charset=iso-8859-1
<

502 Proxy Error

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /http-bind/.

Reason: Error reading from remote server

* Connection #0 to host 192.168.23.xx left intact

-----------end of command 2-- this is not correct as bosh port is 5280, 522, 5223 and not 443------

Command 3
--------------curl -k -v http://localhost:5222/http-bind/-----------

  • About to connect() to localhost port 5222 (#0)
  • Trying 127.0.0.1…
  • Connected to localhost (127.0.0.1) port 5222 (#0)

GET /http-bind/ HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:5222
Accept: */*

  • Connection #0 to host localhost left intact
<?xml version='1.0'?>

----------- end of command 3------

Command 4
----------------curl -k -v https://localhost:5223/http-bind/-----------------

  • About to connect() to localhost port 5223 (#0)
  • Trying 127.0.0.1…
  • Connection refused
  • Failed connect to localhost:5223; Connection refused
  • Closing connection 0
    curl: (7) Failed connect to localhost:5223; Connection refused
    -----------end of command 4--------------------

Command 5
-----------------curl -k -v http://localhost:5269/http-bind/------------

  • About to connect() to localhost port 5269 (#0)
  • Trying 127.0.0.1…
  • Connected to localhost (127.0.0.1) port 5269 (#0)

GET /http-bind/ HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:5269
Accept: */*

  • Connection #0 to host localhost left intact
<?xml version='1.0'?>

------------------End of command 5------------

Basically the Ejabber ports that I can see open in the ejabberd.conf are: 5222,5223,5280 as well as 5269

-------- extract from netstat -nlpu-------
netstat -lnptu | egrep "(5222|5269|5280|5223)"
tcp 0 0 0.0.0.0:5269 0.0.0.0:* LISTEN 7782/beam.smp
tcp 0 0 0.0.0.0:5280 0.0.0.0:* LISTEN 7782/beam.smp
tcp 0 0 0.0.0.0:5222 0.0.0.0:* LISTEN 7782/beam.smp

5223 not shown although it is enabled


############# Extract from Ejabberd.conf
{
    if ( ${ejabberd}{XMPPAccess} eq 'tls' ) {
        $OUT .= ' {5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"}]},';
        $OUT .= "\n";
        $OUT .= ' {5223, ejabberd_c2s, [{access, c2s}, tls, {certfile, "/etc/ejabberd/ejabberd.pem"}]}';
        $OUT .= "\n\n";
    }
    else {
        $OUT .= ' {5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}]},';
        $OUT .= "\n";
        $OUT .= ' {5223, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, tls, {certfile, "/etc/ejabberd/ejabberd.pem"}]}';
        $OUT .= "\n\n";
    }
}

######################

Hope to find a solution… By the way, the ejabber version on NS7 is 16.01 and the current stable ejabber is 16.09. Is there a way to upgrade without breaking the setup or NS7?

I tried to locate the package nethserver-ejabberd-1.1.2-1.ns7.noarch.rpm with no luck


Finally the file (/etc/httpd/conf.d/ejabberd.conf) is well updated with the following lines:

LoadModule proxy_http_module modules/mod_proxy_http.so

SSLProxyEngine On
+SSLProxyVerify none
+SSLProxyCheckPeerCN off
+SSLProxyCheckPeerName off
+SSLProxyCheckPeerExpire off

ProxyPass /http-bind https://127.0.0.1:5280/http-bind
ProxyPassReverse /http-bind https://127.0.0.1:5280/http-bind
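
Review bot: the four added lines (SSLProxyVerify none and the three SSLProxyCheckPeer* off directives) switch off every certificate check on the backend connection, and nothing in the file says why. Both ProxyPass lines point at https://127.0.0.1:5280, so add a comment next to the added lines stating that verification is disabled only because the upstream is on loopback, so that these settings are not copied unchanged into a proxy configuration for a remote host.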


So you would like to filter NethServer users and deny Jabber authentication to them? Am I understanding correctly?

@alefattorini it is all about managing the list of displayed users.
This will be a collaboration platform.
I need to create groups, distribute users across the groups they belong to.
Deny some people from seeing other persons…
The purpose is to have the flexibility to display or hide people, create groups and so on.

I am on the verge of aborting Ejabber, I will try over the weekend openfire.
I see on the forum someone succeeded in making openfire work with NS7 but did not share the Howto procedures.

What I find frustrating is that we are getting little or no help.

If I succeed I will post a Howto.

Update :
Installed Owncloud on ubuntu + LDAP + Openfire
All is working perfectly fine.

Chat + LDAP + Rosters

The only difference is that the Owncloud (not Nextcloud!!) version I have installed is without encryption, not secure!

I explicitly installed Owncloud because I could install it in a non-secure way, with access through http only, so no https, due to the doubt I had on the security side of Nextcloud and Owncloud.

We use LDAP on Jabber just for authentication, not for managing groups or permissions in Jabber.
That thing isn’t implemented, if you get it to work please let us know.


@alefattorini @giacomo I can assure you that with LDAP, openfire, owncloud I have the rosters working as well as the groups.

The only issue I have is that sometimes it will not display the members, not sure if it is from my installation or not.
To solve this I put the user offline then re-login et voila it works.


Update: my problem with owncloud and Openfire turned out to be a bug in the XMPP app.

see this post: https://github.com/jsxc/jsxc/issues/384

I installed the latest beta version of OJSXC from https://github.com/owncloud/jsxc.chat/tree/master/build

After logging out of Nextcloud or when I go to "Users" or to "Admin" the
chat icon disappears. The only thing that makes the chat come back is to
log out and log in using the "Log in without chat" option.

I have the same behavior in all versions of OJSXC; the difference I
found is that I can log in with the beta version. Previous versions
don't allow me to log in using "Log in without chat" and I have to
execute jsxc.storage.removeItem('sid'); in the console and then I can log in.

You can watch this behavior in this one and a half minute video:

The complete video of that installation is here (20 min approx.):
