Jabber - CGP as XMPP server (P.I.T.A.)

(PITA = Pain In The A$$...)

1. Basic Settings

Settings/Real-Time/XMPP/Receiving/Listener (or Settings/Access/XMPP/Listener)

QIP can have problems logging in via XMPP (see here). Go to Users/Domain Defaults/Login Methods and uncheck "NTLM".

2. CGP vs PSI

CommuniGate will not let PSI connect over a secure connection unless the account's password is stored with A-crypt encryption. A-crypt is reversible, so anyone who can read the stored value can recover the plaintext password; therefore nobody should be able to read, search or write passwords in the clear. We have to disable reading passwords via LDAP and disable unencrypted LDAP connections. Afterwards, check from another host that a plaintext connection to the LDAP port is refused and that an LDAP search of your own entry comes back without the userPassword attribute.

  • To disable unencrypted LDAP access open the CGP admin interface and go to Settings/Services/LDAP/Listener. Find the unencrypted port (5389), set Init SSL/TLS to On and set Remote IP address restrictions to Grant: 10.20.254.254 (the only host that should reach LDAP at all; use your own address here).
  • To prohibit any user from reading the userPassword field, go to Directory/Access Rights and make sure the following rule is the first one, so that no later rule grants the access back:
    • Name = HidePas
    • Target = *
    • Bind DN = anyone
    • Type = Prohibit
    • Attribute Reading: userPassword,privateKey
    • Attribute Searching: userPassword,privateKey
  • To guarantee that user passwords are A-crypt encrypted, go to Users/Domains/ourdom.com/Account Defaults and set the encryption explicitly to A-crypt (this contradicts the UB-crpt recommendation).
    • TODO: I have some indirect evidence that CommuniGate resets this parameter to Default (A-Crypt) after a restart, and that the encoding for new users changes. Should be investigated.

3. CGP vs VCARDs

PSI requires the vCard XMPP extension (vcard-temp) on the server to start without a nag screen. One can use an installed ejabberd instead of the CommuniGate XMPP module. With Pronto getting better every release I think it is time to move over to the integrated XMPP module, although ejabberd is a very powerful Jabber server. Attached you will find a working demo setup.

1. Accept connections on the standard Jabber SSL port 5223 and forward them to the local machine on port 7222. This can be done with stunnel, a package that terminates an SSL connection on behalf of an application that does not support protocol encryption itself. The configuration /etc/stunnel.conf should look like this:

; Protocol settings
; Caveat: "all" admits SSLv2/SSLv3 and DES-CBC3-SHA is 3DES; both were chosen
; for old PSI builds. On a current stunnel prefer sslVersion = TLSv1.2 (or the
; default) and leave the cipher list at its default.
sslVersion = all
ciphers = DES-CBC3-SHA

; Server certificate plus private key in one PEM file. stunnel refuses to
; start in server (accept) mode without one; the path below is an assumption,
; adjust it to wherever your certificate lives.
cert = /etc/stunnel/stunnel.pem

; various settings
chroot = /var/run/stunnel/
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /var/log/stunnel.log
syslog = no

; create an xmpps endpoint: terminate SSL here, hand plaintext to the proxy
[xmpps]
accept = jabber.acme.com:5223
; no host given, so stunnel connects to 127.0.0.1:7222 (the Perl proxy below)
connect = 7222

2. Create a Perl proxy script that captures the vCard error reply from CommuniGate and replaces it with a dummy vCard result. Thanks to David Ljung Madison for his magical template.

3. Start the Perl script so that it listens on port 7222 and forwards all traffic to your XMPP Jabber port. The hop from the proxy to port 5222 is plain XMPP, so run the proxy on the CGP host itself; otherwise the session crosses the network unencrypted between the proxy and CGP:

./proxy.pl -f 7222 -t jabber.acme.com:5222

Voilà, that's all: now you can connect PSI over SSL to port 5223 of your CommuniGate server. There is room for plenty of improvements, but a small start is better than nothing at all.
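As an added example (not the attached proxy.pl and not David Ljung Madison's template), here is a Python stand-in for step 2: a TCP relay that listens on the port stunnel forwards to (-f) and connects to the CGP XMPP listener (-t). Client-to-server traffic passes through untouched; in the server-to-client direction, an <iq type='error'> that answers a vcard-temp request is rewritten into an <iq type='result'> carrying an empty vCard, which XEP-0054 permits for an account without a vCard. Because stanza boundaries do not line up with TCP reads, the filter holds back an unfinished <iq> until the rest arrives. The relay binds to 127.0.0.1 only, matching the one-host setup above. The host, ports and stanzas are constructed for illustration.

```python
import argparse
import asyncio
import re

# Attribute list of a start tag: either unquoted characters or a quoted value
# (quoted values may legitimately contain '>' or '/', e.g. a JID resource).
# Lazy, so it stops at the first real '>' or '/>'.
_ATTRS = rb"((?:[^>'\"]|'[^']*'|\"[^\"]*\")*?)"
# Whole <iq> stanza: self-closing, or start tag + body + end tag. iq never nests.
IQ_RE = re.compile(rb"<iq\b" + _ATTRS + rb"(?:/>|>(.*?)</iq>)", re.DOTALL)
TYPE_ERROR_RE = re.compile(rb"\btype\s*=\s*(['\"])error\1")


def rewrite_vcard_error(chunk: bytes) -> bytes:
    """Turn every complete <iq type='error'> answering a vcard-temp request
    into a result with an empty vCard; everything else is returned unchanged.
    Note: a failed vCard *set* is masked too, which hides the publish failure
    from the user; that is acceptable for silencing the PSI start-up nag."""
    def repl(m):
        attrs, body = m.group(1), m.group(2)
        if body is None or b"vcard-temp" not in body or not TYPE_ERROR_RE.search(attrs):
            return m.group(0)
        attrs = TYPE_ERROR_RE.sub(b"type='result'", attrs)  # keep id/to/from as sent
        return b"<iq" + attrs + b"><vCard xmlns='vcard-temp'/></iq>"
    return IQ_RE.sub(repl, chunk)


class VcardFilter:
    """Stateful server->client filter: buffers an <iq> split across TCP reads
    so rewrite_vcard_error always sees whole stanzas. A split inside the
    literal bytes b'<iq' themselves is not handled."""
    def __init__(self):
        self._buf = b""

    def feed(self, data: bytes) -> bytes:
        self._buf += data
        last = None
        for m in re.finditer(rb"<iq\b", self._buf):
            last = m.start()
        if last is not None and IQ_RE.match(self._buf, last) is None:
            # trailing <iq> incomplete: release what precedes it, hold the rest
            out, self._buf = self._buf[:last], self._buf[last:]
        else:
            out, self._buf = self._buf, b""
        return rewrite_vcard_error(out)


async def _pipe(src, dst, transform):
    """Copy src -> dst until EOF, passing each read through transform()."""
    try:
        while True:
            data = await src.read(65536)
            if not data:
                break
            out = transform(data)
            if out:
                dst.write(out)
                await dst.drain()
    finally:
        dst.close()


async def _handle(client_r, client_w, upstream_host, upstream_port):
    try:
        server_r, server_w = await asyncio.open_connection(upstream_host, upstream_port)
    except OSError:
        client_w.close()
        return
    flt = VcardFilter()
    await asyncio.gather(
        _pipe(client_r, server_w, lambda d: d),  # client -> CGP, untouched
        _pipe(server_r, client_w, flt.feed),     # CGP -> client, vCard errors fixed
        return_exceptions=True,
    )


async def serve(listen_port, upstream_host, upstream_port):
    # Bind to loopback only: stunnel on the same host is the sole intended client.
    server = await asyncio.start_server(
        lambda r, w: _handle(r, w, upstream_host, upstream_port), "127.0.0.1", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="vCard-fixing XMPP relay (Python stand-in for proxy.pl)")
    ap.add_argument("-f", type=int, required=True, metavar="PORT", help="local port stunnel forwards to, e.g. 7222")
    ap.add_argument("-t", required=True, metavar="HOST:PORT", help="CGP XMPP listener, e.g. jabber.acme.com:5222")
    args = ap.parse_args()
    host, _, port = args.t.rpartition(":")
    asyncio.run(serve(args.f, host, int(port)))
```

Run it as `python3 vcard_relay.py -f 7222 -t jabber.acme.com:5222`, mirroring the proxy.pl invocation; the rewrite is confined to one pure function so it can be checked against captured stanzas without a running server.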

4. CGP vs JWchat

Punjab provides the HTTP-poll transport that JWChat needs in front of an XMPP server which lacks one, such as CGP.

Punjab Python Prerequisites on Fedora 8:

yum -y install python-devel python-twisted

On RHEL4:

rpm -ivh python-twisted-1.3.0-1.2.el4.rf.(i386|x86_64).rpm

Download punjab-0.12.tar.gz from the punjab download site and follow the punjab documentation:

cd /var/www
tar xzf /root/punjab-0.12.tar.gz
mv punjab-0.12 punjab
cd /var/www/punjab
python ./setup.py install
mkdir server
cd server
mktap punjab -b 1 -p 1 -s 1 -x 1 --html_dir=/var/www/punjab/html
twistd -f /var/www/punjab/server/punjab.tap

For punjab to start automatically on boot, download the attached /etc/init.d/punjab.sh and enable it:

chkconfig punjab on
service punjab restart

Attachments