Description
Environment
- ejabberd version: 24.10
- Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 14.2.1
- OS: Linux (Gentoo)
- Installed from: distro package
Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

```yaml
auth_method:
  - ldap
..
ldap_filter: "(objectClass=x-local-users-xmpp)"
ldap_uids:
  jid: "%u@%d"
..
mod_shared_roster_ldap:
  ldap_useruid: "uid"
  ldap_filter: "(&(objectClass=x-local-users-person)(objectClass=x-local-users-xmpp))"
  ldap_rfilter: "(objectClass=x-local-domains)"
  ldap_ufilter: "(uid=%u)"
  ldap_gfilter: "(ou=%g)"
  ldap_groupattr: "ou"
  ldap_groupdesc: "o"
  ldap_memberattr: "uid"
  ldap_userdesc: "cn"
...
```
Errors from error.log/crash.log
No errors
Bug description
I am not entirely sure this is a bug, but rather a strange behaviour which I would like to discuss and query what's the best way forward.
I am using LDAP populated with "persons" users and "virtual" users, each of which is defined through a distinct structural objectClass (`x-local-users-person` and `x-local-users-virtual`), while both have in common an auxiliary objectclass `x-local-users-xmpp` defining whether or not the user has XMPP enabled.
- "person" users:

```
dn: uid=test1,ou=example.com,dc=local
objectClass: x-local-users-person
objectClass: x-local-users-xmpp
ou: example.com
jid: [email protected]
uid: test1
mail: [email protected]

dn: uid=test2,ou=example.com,dc=local
objectClass: x-local-users-person
objectClass: x-local-users-xmpp
ou: example.com
jid: [email protected]
uid: test2
mail: [email protected]
```

- "virtual" users:

```
dn: uid=security,ou=example.com,dc=local
objectClass: x-local-users-virtual
objectClass: x-local-users-xmpp
ou: example.com
jid: [email protected]
uid: security
```
The context here is that "virtual" users are consulted through some scripting.
While authentication is working like a charm and "person" users all have a shared roster with users from LDAP containing only `x-local-users-person` objectclass users, they also all appear to "virtual" users, which is not intended in my use case.
For both users, the IQ looks like:
```xml
<iq xmlns="jabber:client" xml:lang="en" to="[email protected]/gajim.6A38SLPL" from="[email protected]" type="result" id="0c9f8e96-b9da-421b-b323-64142ed37d68">
  <query ver="1814230e4f96f7d98443b6951a29f2dec1f56fc9" xmlns="jabber:iq:roster">
    <item subscription="both" name="Test1" jid="[email protected]">
      <group>Test example.com</group>
    </item>
    <item subscription="both" name="Test2" jid="[email protected]">
      <group>Test example.com</group>
    </item>
  </query>
</iq>
```
While I would be looking to obtain the following for "person" users:
```xml
<iq xmlns="jabber:client" xml:lang="en" to="[email protected]/gajim.6A38SLPL" from="[email protected]" type="result" id="0c9f8e96-b9da-421b-b323-64142ed37d68">
  <query ver="1814230e4f96f7d98443b6951a29f2dec1f56fc9" xmlns="jabber:iq:roster">
    <item subscription="both" name="Test1" jid="[email protected]">
      <group>Test example.com</group>
    </item>
    <item subscription="both" name="Test2" jid="[email protected]">
      <group>Test example.com</group>
    </item>
  </query>
</iq>
```
And the following for "virtual" users:
```xml
<iq xmlns="jabber:client" xml:lang="en" to="[email protected]/gajim.6A38SLPL" from="[email protected]" type="result" id="0c9f8e96-b9da-421b-b323-64142ed37d68">
  <query ver="1814230e4f96f7d98443b6951a29f2dec1f56fc9" xmlns="jabber:iq:roster">
  </query>
</iq>
```
What's the best way to get around this outside of creating a dedicated domain for those "virtual" users?
Thanks,
Bertrand
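
An offline check of which of the report's three entries each configured filter selects, added here as an illustration (not part of the original report and not ejabberd code). The entries are a constructed copy of the LDIF above without `jid`/`mail`, the helper names are hypothetical, and the script models only LDAP filter matching (a subset of RFC 4515), not how `mod_shared_roster_ldap` decides who receives a roster.

```python
import re

# Constructed sample: the three entries from the report (jid/mail omitted).
def _entry(uid, kind):
    return {"objectclass": [kind, "x-local-users-xmpp"], "ou": ["example.com"], "uid": [uid]}
ENTRIES = {"test1": _entry("test1", "x-local-users-person"),
           "test2": _entry("test2", "x-local-users-person"),
           "security": _entry("security", "x-local-users-virtual")}
AUTH_FILTER = "(objectClass=x-local-users-xmpp)"  # top-level ldap_filter
ROSTER_FILTER = "(&(objectClass=x-local-users-person)(objectClass=x-local-users-xmpp))"
TERM = re.compile(r"([A-Za-z][\w;.-]*)=([^()]*)")

def parse(s, i=0):
    """Parse one RFC 4515 filter at s[i]; subset: & | ! equality presence."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            sub, i = parse(s, i)
            subs.append(sub)
        node = (op, subs)
    elif s[i] == "!":
        sub, i = parse(s, i + 1)
        node = ("!", [sub])
    else:
        m = TERM.match(s, i)
        if not m:
            raise ValueError(f"bad term at offset {i}")
        node, i = ("=", m.group(1).lower(), m.group(2).lower()), m.end()
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive)."""
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    results = [matches(sub, entry) for sub in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def select(filter_text, entries=ENTRIES):
    """Return the sorted uids of the entries that the filter matches."""
    try:
        node, end = parse(filter_text)
    except IndexError:
        raise ValueError("unbalanced filter") from None
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return sorted(uid for uid, e in entries.items() if matches(node, e))
```

`select(AUTH_FILTER)` returns all three uids while `select(ROSTER_FILTER)` returns only the two "person" users, which matches the report: the module's `ldap_filter` narrows who is listed in the shared roster, and nothing in these two filters distinguishes which authenticated user is asking for it.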