Date: Fri, 30 Mar 2012 13:06:15 +0100
From: Kaya Saman <kayasaman@gmail.com>
To: Matthew Seaman <matthew@freebsd.org>
Cc: freebsd-ports@freebsd.org
Subject: Re: jabberd port doesn't come with any certificates and is not allowing authorization?
Message-ID: <CAPj0R5KNvxbJ6Dv=O2rov7PkmF1d6HoK%2B%2BfW-oN_MRHMdgODvw@mail.gmail.com>
In-Reply-To: <4F75811F.40205@FreeBSD.org>
References: <CAPj0R5%2B9%2BgNR1n8pL6qopGJcMZipZn=b=aR=sP_yY7VFo0q=ew@mail.gmail.com> <4F74800E.6070503@FreeBSD.org> <CAPj0R5%2B1Stoig0SkRfgZyipU-CkiFSUFmQ2p1Ls%2BEzDZFNF%2B-w@mail.gmail.com> <4F75811F.40205@FreeBSD.org>

On Fri, Mar 30, 2012 at 10:47 AM, Matthew Seaman <matthew@freebsd.org> wrote:
> On 30/03/2012 08:57, Kaya Saman wrote:
>>> You've got both 'register-enable' and 'register-oob' -- you probably
>>> don't want both of those, unless you do have an out-of-band method to
>>> create user accounts.
>
>> Actually to allow IM clients to register will be better, though later
>> on when I do a full implementation I will need to authenticate to
>> either PAM or AD.
>
> The point was that 'register-enable' turns on jabberd's internal account
> creation functions, whereas 'register-oob' says to go to a separate site
> in order to create the account.
>
> If you're using a user database from elsewhere (pam or AD for instance),
> then you'd want neither of those options.

That is for the future though, let me just get the base working in
order to understand what I'm doing then I'll look at further options
for authentication later. :-)

<snip>
>
>  cat foo.key foo.crt > foo.pem
>
>     This is an application specific thing: some apps like key and cert
>     together like this, others use separate files for key and cert.

I've got this done and referenced it within the c2s.xml file:

[...]
    <id realm='jabber.com'
        pemfile='/root/cert/server.pem'
        verify-mode='7'
        cachain='/root/cert/server.pem'
        require-starttls='true'
        register-enable='true'
        instructions='Enter a username and password to register with this server.'
        password-change='true'
    >jabber.com</id>
[...]

Is now this portion of the c2s.xml file however, I still get:

[...]
Mar 30 13:55:28 JABBER jabberd/sm[4580]: attempting connection to router at 127.0.0.1, port=5347
Mar 30 13:55:28 JABBER jabberd/router[4579]: [127.0.0.1, port=23777] connect
Mar 30 13:55:28 JABBER jabberd/router[4579]: [127.0.0.1, port=19978] connect
Mar 30 13:55:28 JABBER jabberd/s2s[4581]: connection to router established
Mar 30 13:55:28 JABBER jabberd/router[4579]: [127.0.0.1, port=54420] authenticated as jabberd@jabberd-router
Mar 30 13:55:28 JABBER jabberd/router[4579]: [s2s] set as default route
Mar 30 13:55:28 JABBER jabberd/router[4579]: [s2s] online (bound to 127.0.0.1, port 54420)
Mar 30 13:55:28 JABBER jabberd/c2s[4582]: connection to router established
Mar 30 13:55:28 JABBER jabberd/router[4579]: [127.0.0.1, port=23777] authenticated as jabberd@jabberd-router
Mar 30 13:55:28 JABBER jabberd/router[4579]: [c2s] online (bound to 127.0.0.1, port 23777)
Mar 30 13:55:28 JABBER jabberd/sm[4580]: connection to router established
Mar 30 13:55:28 JABBER jabberd/router[4579]: [127.0.0.1, port=19978] authenticated as jabberd@jabberd-router
Mar 30 13:55:28 JABBER jabberd/router[4579]: [sm] online (bound to 127.0.0.1, port 19978)
Mar 30 13:55:28 JABBER jabberd/sm[4580]: sm ready for sessions
Mar 30 13:55:28 JABBER jabberd/router[4579]: [jabber.com] online (bound to 127.0.0.1, port 19978)
Mar 30 13:55:28 JABBER jabberd/s2s[4581]: [0.0.0.0, port=5269] listening for connections
Mar 30 13:55:28 JABBER jabberd/s2s[4581]: ready for connections
Mar 30 13:55:28 JABBER jabberd/c2s[4582]: [0.0.0.0, port=5222] listening for connections
Mar 30 13:55:28 JABBER jabberd/c2s[4582]: ready for connections
Mar 30 13:55:42 JABBER jabberd/c2s[4582]: [8] [10.0.0.10, port=60660] connect
Mar 30 13:55:42 JABBER jabberd/c2s[4582]: [8] [10.0.0.10, port=60660] disconnect jid=unbound, packets: 0
Mar 30 13:55:45 JABBER jabberd/c2s[4582]: [8] [10.0.0.10, port=60661] connect
Mar 30 13:55:45 JABBER jabberd/c2s[4582]: [8] [10.0.0.10, port=60661] disconnect jid=unbound, packets: 0

The IM clients (Pidgin) settings are:

Require Encryption
Connection Port: 5222
Connection Server: srv.jabber.com
Domain: jabber.com
username: <user>
password: <passwd>
local alias: <alias>

The Bind9 DNS zone looks like this:

$TTL 1h ; default expiration time of all resource records without their own TTL value
@ IN SOA ns1.jabber.com. info.jabber.com. (
        2012032802 ; serial number of this zone file
        1d         ; slave refresh (1 day)
        2h         ; slave retry time in case of a problem (2 hours)
        4w         ; slave expiration time (4 weeks)
        1h         ; maximum caching time in case of failed lookups (1 hour)
        )
;
@ IN NS ns1.jabber.com.
ns1 IN A 10.0.0.1
srv.jabber.com. IN A 10.0.0.7
jabber.com. IN A 10.0.0.7
_xmpp-server._tcp.jabber.com. IN SRV 0 0 5269 srv.jabber.com.
_xmpp-client._tcp.jabber.com. IN SRV 0 0 5222 srv.jabber.com.
_jabber._tcp.jabber.com. IN SRV 0 0 5269 srv.jabber.com.

I'm guessing everything is set up properly but I don't get why the
system isn't connecting?

The jabberd service starts meaning that it's connecting to the MySQL
DB..... and looking at the config files everything else seems to be
ok!

Regards,

Kaya

>
>        Cheers,
>
>        Matthew
>
> [*] Which just begs the question of "who is this CA and why should I
> trust them to vouch for anyone else?"  Well, there's a hierarchy of
> certification authorities.  The CA can itself issue a certificate for
> its certificate-signing key that is itself signed by some higher CA
> saying that they are fit and proper people to take that role.  And so
> on, ad nauseam.  Eventually you get to the top level, so called 'root'
> CAs, which are presumed to be so well known by everyone that you can
> just trust them without further quibble.  (Yeah, right.)
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>
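
Added example, not part of the original message and not jabberd's own tooling: a shell check for a combined PEM of the kind built with `cat foo.key foo.crt > foo.pem` and referenced as pemfile above. It confirms the file holds a private key and a certificate whose public keys match. The function names, file names and CN are assumptions, and the demo generates throwaway self-signed RSA pairs with openssl.

```shell
#!/bin/sh
# Added example: sanity-check a key+certificate bundle before a daemon uses it.
# All paths and names below are constructed for the demo.

# check_pem FILE -> prints ok | unreadable | no-key | no-cert | bad-key |
# bad-cert | mismatch, and returns non-zero unless the result is "ok".
check_pem() {
    pem=$1
    [ -r "$pem" ] || { echo unreadable; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || { echo no-key; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || { echo no-cert; return 1; }
    # Public key derived from the private key. "-passin pass:" prevents a
    # passphrase prompt, so an encrypted key is reported as bad-key.
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) \
        || { echo bad-key; return 1; }
    # Public key embedded in the first certificate of the bundle.
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo bad-cert; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo mismatch; return 1; }
    echo ok
}

# make_demo DIR: create two throwaway self-signed pairs (a, b) and three
# bundles: good.pem (key a + cert a), mixed.pem (key b + cert a) and
# cert-only.pem (cert a without any key).
make_demo() {
    d=$1
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=jabber.example" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    cat "$d/a.key" "$d/a.crt" > "$d/good.pem"
    cat "$d/b.key" "$d/a.crt" > "$d/mixed.pem"
    cp "$d/a.crt" "$d/cert-only.pem"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for f in good.pem mixed.pem cert-only.pem; do
    echo "$f: $(check_pem "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run check_pem as the account the daemon runs under, so that a bundle the service cannot read shows up as "unreadable".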