|
ejabberd is a free and open source instant messaging server written in Erlang/OTP.
ejabberd is cross-platform, distributed, fault-tolerant, and based on open standards to achieve real-time communication.
ejabberd is designed to be a rock-solid and feature rich XMPP server.
ejabberd is suitable for small deployments, whether they need to be scalable or not, as well as extremely big deployments.
ejabberd is:
Moreover, ejabberd comes with a wide range of other state-of-the-art features:
Probably the easiest way to install an ejabberd instant messaging server is using the binary installer published by ProcessOne. The binary installers of released ejabberd versions are available in the ProcessOne ejabberd downloads page: http://www.process-one.net/en/ejabberd/downloads
The installer will deploy and configure a full featured ejabberd server and does not require any extra dependencies.
In *nix systems, remember to set executable the binary installer before starting it. For example:
chmod +x ejabberd-2.0.0_1-linux-x86-installer.bin ./ejabberd-2.0.0_1-linux-x86-installer.bin
ejabberd can be started manually at any time, or automatically by the operating system at system boot time.
To start and stop ejabberd manually, use the desktop shortcuts created by the installer. If the machine doesn’t have a graphical system, use the scripts ’start’ and ’stop’ in the ’bin’ directory where ejabberd is installed.
The Windows installer also adds ejabberd as a system service, and a shortcut to a debug console for experienced administrators. If you want ejabberd to be started automatically at boot time, go to the Windows service settings and set ejabberd to be automatically started. Note that the Windows service is a feature still in development, and for example it doesn’t read the file ejabberdctl.cfg.
On a *nix system, if you want ejabberd to be started as daemon at boot time, copy ejabberd.init from the ’bin’ directory to something like /etc/init.d/ejabberd (depending on your distribution). Create a system user called ejabberd, give it write access to the directories database/ and logs/, and set that as home; the script will start the server with that user. Then you can call /etc/inid.d/ejabberd start as root to start the server.
When ejabberd is started, the processes that are started in the system are beam or beam.smp, and also epmd. In Microsoft Windows, the processes are erl.exe and epmd.exe. For more information regarding epmd consult the section 5.2.
If ejabberd doesn’t start correctly in Windows, try to start it using the shortcut in desktop or start menu. If the window shows error 14001, the solution is to install: "Microsoft Visual C++ 2005 SP1 Redistributable Package". You can download it from www.microsoft.com. Then uninstall ejabberd and install it again.
If ejabberd doesn’t start correctly and a crash dump is generated, there was a severe problem. You can try starting ejabberd with the script bin/live.bat in Windows, or with the command bin/ejabberdctl live in other Operating Systems. This way you see the error message provided by Erlang and can identify what is exactly the problem.
The ejabberdctl administration script is included in the bin directory. Please refer to the section 4.1 for details about ejabberdctl, and configurable options to fine tune the Erlang runtime system.
Some Operating Systems provide a specific ejabberd package adapted to the system architecture and libraries. It usually also checks dependencies and performs basic configuration tasks like creating the initial administrator account. Some examples are Debian and Gentoo. Consult the resources provided by your Operating System for more information.
Usually those packages create a script like /etc/init.d/ejabberd to start and stop ejabberd as a service at boot time.
CEAN (Comprehensive Erlang Archive Network) is a repository that hosts binary packages from many Erlang programs, including ejabberd and all its dependencies. The binaries are available for many different system architectures, so this is an alternative to the binary installer and Operating System’s ejabberd packages.
You will have to create your own ejabberd start script depending of how you handle your CEAN installation. The default ejabberdctl script is located into ejabberd’s priv directory and can be used as an example.
The canonical form for distribution of ejabberd stable releases is the source code package. Compiling ejabberd from source code is quite easy in *nix systems, as long as your system have all the dependencies.
To compile ejabberd on a ‘Unix-like’ operating system, you need:
Released versions of ejabberd are available in the ProcessOne ejabberd downloads page: http://www.process-one.net/en/ejabberd/downloads
Alternatively, the latest development source code can be retrieved from the Git repository using the commands:
git clone git://github.com/processone/ejabberd.git ejabberd cd ejabberd git checkout -b 2.1.x origin/2.1.x
To compile ejabberd execute the commands:
./configure make
The build configuration script allows several options. To get the full list run the command:
./configure --help
Some options that you may be interested in modifying:
To install ejabberd in the destination directories, run the command:
make install
Note that you probably need administrative privileges in the system to install ejabberd.
The files and directories created are, by default:
You can use the ejabberdctl command line administration script to start and stop ejabberd. If you provided the configure option --enable-user=USER (see 2.4.3), you can execute ejabberdctl with either that system account or root.
Usage example:
ejabberdctl start ejabberdctl status The node ejabberd@localhost is started with status: started ejabberd is running in that node ejabberdctl stop
If ejabberd doesn’t start correctly and a crash dump is generated, there was a severe problem. You can try starting ejabberd with the command ejabberdctl live to see the error message provided by Erlang and can identify what is exactly the problem.
Please refer to the section 4.1 for details about ejabberdctl, and configurable options to fine tune the Erlang runtime system.
If you want ejabberd to be started as daemon at boot time, copy ejabberd.init to something like /etc/init.d/ejabberd (depending on your distribution). Create a system user called ejabberd; it will be used by the script to start the server. Then you can call /etc/inid.d/ejabberd start as root to start the server.
The command to compile ejabberd in BSD systems is:
gmake
You need to have GNU install, but it isn’t included in Solaris. It can be easily installed if your Solaris system is set up for blastwave.org package repository. Make sure /opt/csw/bin is in your PATH and run:
pkg-get -i fileutils
If that program is called ginstall, modify the ejabberd Makefile script to suit your system, for example:
cat Makefile | sed s/install/ginstall/ > Makefile.gi
And finally install ejabberd with:
gmake -f Makefile.gi ginstall
To compile ejabberd on a Microsoft Windows system, you need:
We assume that we will try to put as much library as possible into C:\sdk\
to make it easier to track what is install for ejabberd.
C:\sdk\erl5.5.5
).
C:\sdk\Expat-2.0.0
directory.Copy file C:\sdk\Expat-2.0.0\Libs\libexpat.dll
to your Windows system directory (for example, C:\WINNT
or
C:\WINNT\System32
)
C:\sdk\GnuWin32
.Copy file C:\sdk\GnuWin32\bin\lib*.dll
to your
Windows system directory (more installation instructions can be found in the
file README.woe32 in the iconv distribution).
Note: instead of copying libexpat.dll and iconv.dll to the Windows
directory, you can add the directories
C:\sdk\Expat-2.0.0\Libs
and
C:\sdk\GnuWin32\bin
to the PATH
environment
variable.
C:\sdk\OpenSSL
and add C:\sdk\OpenSSL\lib\VC
to your path or copy the binaries to your system directory.
C:\sdk\gnuWin32
. Copy
C:\sdk\GnuWin32\bin\zlib1.dll
to your system directory. If you change your path it should already be set after libiconv install.
set PATH=%PATH%;"C:\sdk\erl5.6.5\bin"
ejabberd\src
run:
configure.bat nmake -f Makefile.win32
ejabberd\src\ejabberd.yml
and run
werl -s ejabberd -name ejabberd
You need an XMPP account and grant him administrative privileges to enter the ejabberd Web Admin:
acl: admin: user: - "admin1": "example.org" access: configure: admin: allowYou can grant administrative privileges to many XMPP accounts, and also to accounts in other XMPP servers.
http://server:port/admin/
) in your
favourite browser. Make sure to enter the full JID as username (in this
example: admin1@example.org. The reason that you also need to enter the
suffix, is because ejabberd’s virtual hosting support.
To upgrade an ejabberd installation to a new version, simply uninstall the old version, and then install the new one. Of course, it is important that the configuration file and Mnesia database spool directory are not removed.
ejabberd automatically updates the Mnesia table definitions at startup when needed. If you also use an external database for storage of some modules, check if the release notes of the new ejabberd version indicates you need to also update those tables.
The configuration file will be loaded the first time you start ejabberd. The configuration file name MUST have “.yml” extension. This helps ejabberd to differentiate between the new and legacy file formats (see section 3.1.1).
Note that ejabberd never edits the configuration file.
The configuration file is written in YAML. However, different scalars are treated as different types:
atom()
in this document.
Examples: dog
, 'Jupiter'
, '3.14159'
, YELLOW
.
integer()
, float()
or,
if both are allowed, number()
.
Examples: 3
, -45.0
, .0
string()
.
Examples of a double-quoted string:
"Lizzard"
, "orange"
, "3.14159"
.
Examples of a folded string:
> Art thou not Romeo, and a Montague?
| Neither, fair saint, if either thee dislike.For associative arrays ("mappings") and lists you can use both outline indentation and compact syntax (aka “JSON style”). For example, the following is equivalent:
{param1: ["val1", "val2"], param2: ["val3", "val4"]}and
param1: - "val1" - "val2" param2: - "val3" - "val4"Note that both styles are used in this document.
In previous ejabberd version the configuration file should be written in Erlang terms. The format is still supported, but it is highly recommended to convert it to the new YAML format using convert_to_yaml command from ejabberdctl (see 4.1 and 4.2.1 for details).
The option hosts defines a list containing one or more domains that ejabberd will serve.
The syntax is:
Examples:
hosts: ["example.org"]
hosts: - "example.net" - "example.com" - "jabber.somesite.org"
Options can be defined separately for every virtual host using the host_config option.
The syntax is:
Examples:
host_config: "example.net" auth_method: internal "example.com": auth_method: ldap ldap_servers: - "localhost" ldap_uids: - "uid" ldap_rootdn: "dc=localdomain" ldap_rootdn: "dc=example,dc=com" ldap_password: ""
host_config: "example.net": auth_method: odbc odbc_type: odbc odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd" "example.com": auth_method: ldap ldap_servers: - "localhost" - "otherhost" ldap_uids: - "uid" ldap_rootdn: "dc=localdomain" ldap_rootdn: "dc=example,dc=com" ldap_password: ""
To define specific ejabberd modules in a virtual host, you can define the global modules option with the common modules, and later add specific modules to certain virtual hosts. To accomplish that, instead of defining each option in host_config use append_host_config with the same syntax.
In this example three virtual hosts have some similar modules, but there are also other different modules for some specific virtual hosts:
## This ejabberd server has three vhosts: hosts: - "one.example.org" - "two.example.org" - "three.example.org" ## Configuration of modules that are common to all vhosts modules: mod_roster: {} mod_configure: {} mod_disco: {} mod_private: {} mod_time: {} mod_last: {} mod_version: {} ## Add some modules to vhost one: append_host_config: "one.example.org": modules: mod_echo: host: "echo-service.one.example.org" mod_http_bind: {} mod_logxml: {} ## Add a module just to vhost two: append_host_config: "two.example.org": modules: mod_echo: host: "mirror.two.example.org"
The option listen defines for which ports, addresses and network protocols ejabberd will listen and what services will be run on them. Each element of the list is an associative array with the following elements:
The option syntax is:
Example:
listen: - port: 5222 module: ejabberd_c2s starttls: true certfile: "/path/to/certfile.pem" - port: 5269 module: ejabberd_s2s_in transport: tcp
The port number defines which port to listen for incoming connections. It can be a Jabber/XMPP standard port (see section 5.1) or any other valid port number.
The IP address can be represented as a string. The socket will listen only in that network interface. It is possible to specify a generic address, so ejabberd will listen in all addresses. Depending in the type of the IP address, IPv4 or IPv6 will be used. When not specified the IP address, it will listen on all IPv4 network addresses.
Some example values for IP address:
"0.0.0.0"
to listen in all IPv4 network interfaces. This is the default value when no IP is specified.
"::"
to listen in all IPv6 network interfaces
"10.11.12.13"
is the IPv4 address 10.11.12.13
"::FFFF:127.0.0.1"
is the IPv6 address ::FFFF:127.0.0.1/128
The transport protocol can be tcp or udp. Default is tcp.
The available modules, their purpose and the options allowed by each one are:
This is a detailed description of each option allowed by the listening modules:
openssl ciphers
’ command.
"no_sslv2"
Remember that you must also install and enable the module mod_http_bind.
If HTTP Bind is enabled, it will be available at
http://server:port/http-bind/
. Be aware that support for HTTP Bind
is also needed in the XMPP client. Remark also that HTTP Bind can be
interesting to host a web-based XMPP client such as
JWChat
(check the tutorials to install JWChat with ejabberd and an
embedded local web server
or Apache).
If HTTP Polling is enabled, it will be available at
http://server:port/http-poll/
. Be aware that support for HTTP Polling
is also needed in the XMPP client. Remark also that HTTP Polling can be
interesting to host a web-based XMPP client such as
JWChat.
The maximum period of time to keep a client session active without
an incoming POST request can be configured with the global option
http_poll_timeout. The default value is five minutes.
The option can be defined in ejabberd.yml, expressing the time
in seconds: {http_poll_timeout, 300}.
{max_stanza_size, 65536}
. The default
value is infinity. Recommended values are 65536 for c2s
connections and 131072 for s2s connections. s2s max stanza size
must always much higher than c2s limit. Change this value with
extreme care as it can cause unwanted disconnect if set too low.
request_handlers: /"a"/"b": mod_foo /"http-bind": mod_http_bind
http://server:port/admin/
. Login and password are the username and
password of one of the registered users who are granted access by the
‘configure’ access rule.
There are some additional global options that can be specified in the ejabberd configuration file (outside listen):
openssl ciphers
’ command.
"no_sslv2"
For example, the following simple configuration defines:
hosts: - "example.com" - "example.org" - "example.net" listen: - port: 5222 module: ejabberd_c2s access: c2s shaper: c2s_shaper starttls: true certfile: "/etc/ejabberd/server.pem" max_stanza_size: 65536 - port: 5223 module: ejabberd_c2s access: c2s shaper: c2s_shaper tls: true certfile: "/etc/ejabberd/server.pem" max_stanza_size: 65536 - port: 5269 ip: "::" module: ejabberd_s2s_in shaper: s2s_shaper max_stanza_size: 131072 - port: 3478 transport: udp module: ejabberd_stun - port: 5280 module: ejabberd_http http_poll: true - port: 5281 ip: "127.0.0.1" module: ejabberd_http web_admin: true http_bind: true tls: true certfile: "/etc/ejabberd/server.pem" s2s_use_starttls: optional s2s_certfile: "/etc/ejabberd/server.pem" host_config: "example.com": domain_certfile: "/etc/ejabberd/example_com.pem" outgoing_s2s_families: - ipv4 - ipv6 outgoing_s2s_timeout: 10000
In this example, the following configuration defines that:
acl: blocked: user: "bad" trusted_servers: server: - "example.com" - "jabber.example.org" xmlrpc_bot: user: - "xmlrpc-robot": "example.org" shaper: normal: 1000 access: c2s: blocked: deny all: allow c2s_shaper: admin: none all: normal xmlrpc_access: xmlrpc_bot: allow s2s_access: trusted_servers: allow all: deny s2s_certfile: "/path/to/ssl.pem" s2s_policy: s2s_access s2s_use_starttls: required_trusted listen: - port: 5222 module: ejabberd_c2s shaper: c2s_shaper access: c2s - ip: "192.168.0.1" port: 5223 module: ejabberd_c2s certfile: "/path/to/ssl.pem" tls: true access: c2s - ip: "FDCA:8AB6:A243:75EF::1" port: 5223 module: ejabberd_c2s certfile: "/path/to/ssl.pem" tls: true access: c2s - port: 5269 module: ejabberd_s2s_in - port: 5280 module: ejabberd_http web_admin: true http_poll: true - port: 4560 module: ejabberd_xmlrpc - ip: "127.0.0.1" port: 5233 module: ejabberd_service hosts: "aim.example.org": password: "aimsecret" - ip: "::1" port: 5233 module: ejabberd_service hosts: "aim.example.org": password: "aimsecret" - port: 5234 module: ejabberd_service hosts: "icq.example.org": password: "jitsecret" "sms.example.org": password: "jitsecret" - port: 5235 module: ejabberd_service hosts: "msn.example.org": password: "msnsecret" - port: 5236 module: ejabberd_service hosts: "yahoo.example.org": password: "yahoosecret" - port: 5237 module: ejabberd_service hosts: "gg.example.org": password: "ggsecret" - port: 5238 module: ejabberd_service hosts: "jmc.example.org": password: "jmcsecret" - port: 5239 module: ejabberd_service service_check_from: false hosts: "custom.example.org": password: "customsecret"
Note, that for services based in jabberd14 or WPJabber you have to make the transports log and do XDB by themselves:
<!-- You have to add elogger and rlogger entries here when using ejabberd. In this case the transport will do the logging. --> <log id='logger'> <host/> <logtype/> <format>%d: [%t] (%h): %s</format> <file>/var/log/jabber/service.log</file> </log> <!-- Some XMPP server implementations do not provide XDB services (for example, jabberd2 and ejabberd). xdb_file.so is loaded in to handle all XDB requests. --> <xdb id="xdb"> <host/> <load> <!-- this is a lib of wpjabber or jabberd14 --> <xdb_file>/usr/lib/jabber/xdb_file.so</xdb_file> </load> <xdb_file xmlns="jabber:config:xdb_file"> <spool><jabberd:cmdline flag='s'>/var/spool/jabber</jabberd:cmdline></spool> </xdb_file> </xdb>
The option auth_method defines the authentication methods that are used for user authentication. The syntax is:
The following authentication methods are supported by ejabberd:
Account creation is only supported by internal, external and odbc methods.
The option resource_conflict defines the action when a client attempts to login to an account with a resource that is already connected. The option syntax is:
The possible values match exactly the three possibilities described in XMPP Core: section 7.7.2.2. The default value is closeold. If the client uses old Jabber Non-SASL authentication (XEP-0078), then this option is not respected, and the action performed is closeold.
The option fqdn allows you to define the Fully Qualified Domain Name of the machine, in case it isn’t detected automatically. The FQDN is used to authenticate some clients that use the DIGEST-MD5 SASL mechanism. The option syntax is:
ejabberd uses its internal Mnesia database as the default authentication method. The value internal will enable the internal authentication method.
The option auth_password_format: plain|scram defines in what format the users passwords are stored:
Examples:
host_config: "example.org": auth_method: [internal] "example.net": auth_method: [ldap]
auth_method: internal auth_password_format: scram
In this authentication method, when ejabberd starts, it start a script, and calls it to perform authentication tasks.
The server administrator can write the external authentication script in any language. The details on the interface between ejabberd and the script are described in the ejabberd Developers Guide. There are also several example authentication scripts.
These are the specific options:
This example sets external authentication, the extauth script, enables caching for 10 minutes, and starts three instances of the script for each virtual host defined in ejabberd:
auth_method: [external] extauth_program: "/etc/ejabberd/JabberAuth.class.php" extauth_cache: 600 extauth_instances: 3
The anonymous authentication method enables two modes for anonymous authentication:
The anonymous authentication method can be configured with the following options. Remember that you can use the host_config option to set virtual host specific options (see section 3.1.3).
Those options are defined for each virtual host with the host_config parameter (see section 3.1.3).
Examples:
auth_method: [anonymous] anonymous_protocol: login_anon
host_config: "public.example.org": auth_method: [anonymous] anonymous_protoco: login_anon
host_config: "public.example.org": auth_method: - internal - anonymous anonymous_protocol: login_anon
host_config: "public.example.org": auth_method: [anonymous] anonymous_protocol: sasl_anon
host_config: "public.example.org": auth_method: [anonymous] anonymous_protocol: both
host_config: "public.example.org": auth_method: - internal - anonymous anonymous_protocol: both
There are more configuration examples and XMPP client example stanzas in Anonymous users support.
ejabberd supports authentication via Pluggable Authentication Modules (PAM). PAM is currently supported in AIX, FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM authentication is disabled by default, so you have to configure and compile ejabberd with PAM support enabled:
./configure --enable-pam && make install
Options:
Example:
auth_method: [pam] pam_service: "ejabberd"
Though it is quite easy to set up PAM support in ejabberd, PAM itself introduces some security issues:
/var/lib/ejabberd/priv/bin/
directory. You have to set it root on execution in the case when your PAM module
requires root privileges (pam_unix.so for example). Also you have to grant access
for ejabberd to this file and remove all other permissions from it.
Execute with root privileges:
chown root:ejabberd /var/lib/ejabberd/priv/bin/epam chmod 4750 /var/lib/ejabberd/priv/bin/epam
#%PAM-1.0 auth sufficient pam_unix.so likeauth nullok nodelay account sufficient pam_unix.soThat is not a ready to use configuration file: you must use it as a hint when building your own PAM configuration instead. Note that if you want to disable delays on authentication failures in the PAM configuration file, you have to restrict access to this file, so a malicious user can’t use your configuration to perform brute-force attacks.
Access control in ejabberd is performed via Access Control Lists (ACLs). The declarations of ACLs in the configuration file have the following syntax:
ACLType: ACLValue can be one of the following:
acl: world: all
acl: admin: user: "yozhik"
acl: admin: user: "yozhik": "example.org"
acl: exampleorg: server: "example.org"
acl: mucklres: resource: "muckl"
acl: techgroupmembers: shared_group: "techteam"
acl: techgroupmembers: shared_group: "techteam": "example.org"
acl: loopback: ip: - "127.0.0.0/8" - "::"
acl: tests: user_regexp: "^test[0-9]*$"
acl: tests: user_regexp: "^test": "example.org"
acl: icq: server_regexp: "^icq\\."
acl: icq: resource_regexp: "^laptop\\."
acl: yozhik: node_regexp: "^yozhik$": "^example.(com|org)$"
The following ACLName are pre-defined:
An entry allowing or denying access to different services. The syntax is:
When a JID is checked to have access to Accessname, the server sequentially checks if that JID matches any of the ACLs that are named in the first elements of the tuples in the list. If it matches, the second element of the first matched tuple is returned, otherwise the value ‘deny’ is returned.
If you define specific Access rights in a virtual host, remember that the globally defined Access rights have precedence over those. This means that, in case of conflict, the Access granted or denied in the global server is used and the Access of a virtual host doesn’t have effect.
Example:
access: configure: admin: allow something badmans: deny all: allow
The following AccessName are pre-defined:
The special access max_user_sessions specifies the maximum number of sessions (authenticated connections) per user. If a user tries to open more sessions by using different resources, the first opened session will be disconnected. The error session replaced will be sent to the disconnected session. The value for this option can be either a number, or infinity. The default value is infinity.
The syntax is:
This example limits the number of sessions per user to 5 for all users, and to 10 for admins:
access: max_user_sessions: admin: 10 all: 5
The special access max_s2s_connections specifies how many simultaneous S2S connections can be established to a specific remote XMPP server. The default value is 1. There’s also available the access max_s2s_connections_per_node.
The syntax is:
Examples:
access: max_s2s_connections: all: 3
Shapers enable you to limit connection traffic. The syntax is:
where Rate stands for the maximum allowed incoming rate in bytes per second. When a connection exceeds this limit, ejabberd stops reading from the socket until the average rate is again below the allowed maximum.
Examples:
shaper: normal: 1000
shaper: fast: 50000
The option language defines the default language of server strings that can be seen by XMPP clients. If a XMPP client does not support xml:lang, the specified language is used.
The option syntax is:
The default value is en. In order to take effect there must be a translation file Language.msg in ejabberd’s msgs directory.
For example, to set Russian as default language:
language: "ru"
Appendix A provides more details about internationalization and localization.
Some ejabberd modules can be configured to require a CAPTCHA challenge on certain actions. If the client does not support CAPTCHA Forms (XEP-0158), a web link is provided so the user can fill the challenge in a web browser.
An example script is provided that generates the image using ImageMagick’s Convert program.
The configurable options are:
Additionally, an ejabberd_http listener must be enabled with the captcha option. See section 3.1.4.
Example configuration:
hosts: ["example.org"] captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh" captcha_host: "example.org:5280" ## captcha_host: "https://example.org:443" ## captcha_host: "http://example.com" listen: ... - port: 5280 module: ejabberd_http captcha: true ...
ejabberd is able to act as a stand-alone STUN/TURN server (RFC 5389/RFC 5766). In that role ejabberd helps clients with ICE (RFC 5245) or Jingle ICE (XEP-0176) support to discover their external addresses and ports and to relay media traffic when it is impossible to establish direct peer-to-peer connection.
You should configure ejabberd_stun listening module as described in 3.1.4 section. The specific configurable options are:
Example configuration with disabled TURN functionality (STUN only):
listen: ... - port: 3478 transport: udp module: ejabberd_stun - port: 3478 module: ejabberd_stun - port: 5349 module: ejabberd_stun certfile: "/etc/ejabberd/server.pem" ...
Example configuration with TURN functionality. Note that STUN is always enabled if TURN is enabled. Here, only UDP section is shown:
listen: ... - port: 3478 transport: udp use_turn: true turn_ip: 10.20.30.1 module: ejabberd_stun ...
You also need to configure DNS SRV records properly so clients can easily discover a STUN/TURN server serving your XMPP domain. Refer to section DNS Discovery of a Server of RFC 5389 and section Creating an Allocation of RFC 5766 for details.
Example DNS SRV configuration for STUN only:
_stun._udp IN SRV 0 0 3478 stun.example.com. _stun._tcp IN SRV 0 0 3478 stun.example.com. _stuns._tcp IN SRV 0 0 5349 stun.example.com.
And you should also add these in the case if TURN is enabled:
_turn._udp IN SRV 0 0 3478 turn.example.com. _turn._tcp IN SRV 0 0 3478 turn.example.com. _turns._tcp IN SRV 0 0 5349 turn.example.com.
ejabberd has built-in SIP support. In order to activate it you need to add listeners for it, configure DNS properly and enable mod_sip for the desired virtual host.
To add a listener you should configure ejabberd_sip listening module as described in 3.1.4 section. If option tls is specified, option certfile must be specified as well, otherwise incoming TLS connections would fail.
Example configuration with standard ports (as per RFC 3261):
listen: ... - port: 5060 transport: udp module: ejabberd_sip - port: 5060 module: ejabberd_sip - port: 5061 module: ejabberd_sip tls: true certfile: "/etc/ejabberd/server.pem" ...
Note that there is no StartTLS support in SIP and SNI support is somewhat tricky, so for TLS you have to configure different virtual hosts on different ports if you have different certificate files for them.
Next you need to configure DNS SIP records for your virtual domains. Refer to RFC 3263 for the detailed explanation. Simply put, you should add NAPTR and SRV records for your domains. Skip NAPTR configuration if your DNS provider doesn’t support this type of records. It’s not fatal, however, highly recommended.
Example configuration of NAPTR records:
example.com IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp.example.com. example.com IN NAPTR 20 0 "s" "SIP+D2T" "" _sip._tcp.example.com. example.com IN NAPTR 30 0 "s" "SIP+D2U" "" _sip._udp.example.com.
Example configuration of SRV records with standard ports (as per RFC 3261):
_sip._udp IN SRV 0 0 5060 sip.example.com. _sip._tcp IN SRV 0 0 5060 sip.example.com. _sips._tcp IN SRV 0 0 5061 sip.example.com.
The option include_config_file in a configuration file instructs ejabberd to include other configuration files immediately.
The basic syntax is:
It is possible to specify suboptions using the full syntax:
The filename can be indicated either as an absolute path, or relative to the main ejabberd configuration file. It isn’t possible to use wildcards. The file must exist and be readable.
The allowed suboptions are:
This is a basic example:
include_config_file: "/etc/ejabberd/additional.yml"
In this example, the included file is not allowed to contain a listen option. If such an option is present, the option will not be accepted. The file is in a subdirectory from where the main configuration file is.
include_config_file: "./example.org/additional_not_listen.yml": disallow: [listen]
In this example, ejabberd.yml defines some ACL and Access rules, and later includes another file with additional rules:
acl: admin: user: - "admin": "localhost" access: announce: admin: allow include_config_file: "/etc/ejabberd/acl_and_access.yml": allow_only: - acl - access
and content of the file acl_and_access.yml can be, for example:
acl: admin: user: - "bob": "localhost" - "jan": "localhost"
In the ejabberd configuration file, it is possible to define a macro for a value and later use this macro when defining an option.
A macro is defined with this syntax:
The MACRO must be surrounded by single quotation marks, and all letters in uppercase; check the examples bellow. The value can be any valid arbitrary Erlang term.
The first definition of a macro is preserved, and additional definitions of the same macro are forgotten.
Macros are processed after additional configuration files have been included, so it is possible to use macros that are defined in configuration files included before the usage.
It isn’t possible to use a macro in the definition of another macro.
This example shows the basic usage of a macro:
define_macro: 'LOG_LEVEL_NUMBER': 5 loglevel: 'LOG_LEVEL_NUMBER'
The resulting option interpreted by ejabberd is: loglevel: 5.
This example shows that values can be any arbitrary Erlang term:
define_macro: 'USERBOB': user: - "bob": "localhost" acl: admin: 'USERBOB'
The resulting option interpreted by ejabberd is:
acl: admin: user: - "bob": "localhost"
This complex example:
define_macro: 'NUMBER_PORT_C2S': 5222 'NUMBER_PORT_HTTP': 5280 listen: - port: 'NUMBER_PORT_C2S' module: ejabberd_c2s - port: 'NUMBER_PORT_HTTP' module: ejabberd_http
produces this result after being interpreted:
listen: - port: 5222 module: ejabberd_c2s - port: 5280 module: ejabberd_http
ejabberd uses its internal Mnesia database by default. However, it is possible to use a relational database, key-value storage or an LDAP server to store persistent, long-living data. ejabberd is very flexible: you can configure different authentication methods for different virtual hosts, you can configure different authentication mechanisms for the same virtual host (fallback), you can set different storage systems for modules, and so forth.
The following databases are supported by ejabberd:
The following LDAP servers are tested with ejabberd:
Important note about virtual hosting: if you define several domains in ejabberd.yml (see section 3.1.2), you probably want that each virtual host uses a different configuration of database, authentication and storage, so that usernames do not conflict and mix between different virtual hosts. For that purpose, the options described in the next sections must be set inside a host_config for each vhost (see section 3.1.3). For example:
host_config: "public.example.org": odbc_type: pgsql odbc_server: "localhost" odbc_database: "database-public-example-org" odbc_username: "ejabberd" odbc_password: "password" auth_method: [odbc]
The actual database access is defined in the options with odbc_ prefix. The values are used to define if we want to use ODBC, or one of the two native interface available, PostgreSQL or MySQL.
The following paramaters are available:
Example of plain ODBC connection:
odbc_server: "DSN=database;UID=ejabberd;PWD=password"
Example of MySQL connection:
odbc_type: mysql odbc_server: "server.company.com" odbc_port: 3306 # the default odbc_database: "mydb" odbc_username: "user1" odbc_password: "**********" odbc_pool_size: 5
An ODBC compatible database also can be used to store information into from several ejabberd modules. See section 3.3.1 to see which modules can be used with relational databases like MySQL. To enable storage to your database, just make sure that your database is running well (see previous sections), and add the module option db_type: odbc.
ejabberd has built-in LDAP support. You can authenticate users against LDAP server and use LDAP directory as vCard storage.
Usually ejabberd treats LDAP as a read-only storage: it is possible to consult data, but not possible to create accounts or edit vCard that is stored in LDAP. However, it is possible to change passwords if mod_register module is enabled and LDAP server supports RFC 3062.
Two connections are established to the LDAP server per vhost, one for authentication and other for regular calls.
Parameters:
Example:
auth_method: [ldap] ldap_servers: - "ldap1.example.org" ldap_port: 389 ldap_rootdn: "cn=Manager,dc=domain,dc=org" ldap_password: "**********"
You can authenticate users against an LDAP directory. Note that current LDAP implementation does not support SASL authentication.
Available options are:
ldap_dn_filter: "(&(name=%s)(owner=%D)(user=%u@%d))": ["sn"]Since this filter makes additional LDAP lookups, use it only in the last resort: try to define all filter rules in ldap_filter if possible.
{ldap_local_filter, {notequal, {"accountStatus",["disabled"]}}}. {ldap_local_filter, {equal, {"accountStatus",["enabled"]}}}. {ldap_local_filter, undefined}.
Let’s say ldap.example.org is the name of our LDAP server. We have users with their passwords in "ou=Users,dc=example,dc=org" directory. Also we have addressbook, which contains users emails and their additional infos in "ou=AddressBook,dc=example,dc=org" directory. The connection to the LDAP server is encrypted using TLS, and using the custom port 6123. Corresponding authentication section should looks like this:
## Authentication method auth_method: [ldap] ## DNS name of our LDAP server ldap_servers: ["ldap.example.org"] ## Bind to LDAP server as "cn=Manager,dc=example,dc=org" with password "secret" ldap_rootdn: "cn=Manager,dc=example,dc=org" ldap_password: "secret" ldap_encrypt: tls ldap_port: 6123 ## Define the user's base ldap_base: "ou=Users,dc=example,dc=org" ## We want to authorize users from 'shadowAccount' object class only ldap_filter: "(objectClass=shadowAccount)"
Now we want to use users LDAP-info as their vCards. We have four attributes defined in our LDAP schema: "mail" — email address, "givenName" — first name, "sn" — second name, "birthDay" — birthday. Also we want users to search each other. Let’s see how we can set it up:
modules: ... mod_vcard_ldap: ## We use the same server and port, but want to bind anonymously because ## our LDAP server accepts anonymous requests to ## "ou=AddressBook,dc=example,dc=org" subtree. ldap_rootdn: "" ldap_password: "" ## define the addressbook's base ldap_base: "ou=AddressBook,dc=example,dc=org" ## uidattr: user's part of JID is located in the "mail" attribute ## uidattr_format: common format for our emails ldap_uids: "mail": "%u@mail.example.org" ## We have to define empty filter here, because entries in addressbook does not ## belong to shadowAccount object class ldap_filter: "" ## Now we want to define vCard pattern ldap_vcard_map: "NICKNAME": {"%u": []} # just use user's part of JID as his nickname "GIVEN": {"%s": ["givenName"]} "FAMILY": {"%s": ["sn"]} "FN": {"%s, %s": ["sn", "givenName"]}, # example: "Smith, John" "EMAIL": {"%s": ["mail"]} "BDAY": {"%s": ["birthDay"]}]} ## Search form ldap_search_fields: "User": "%u" "Name": "givenName" "Family Name": "sn" "Email": "mail" "Birthday": "birthDay" ## vCard fields to be reported ## Note that JID is always returned with search results ldap_search_reported: "Full Name": "FN" "Nickname": "NICKNAME" "Birthday": "BDAY" ...
Note that mod_vcard_ldap module checks for the existence of the user before searching in his information in LDAP.
Active Directory is just an LDAP-server with predefined attributes. A sample configuration is shown below:
auth_method: [ldap] ldap_servers: ["office.org"] # List of LDAP servers ldap_base: "DC=office,DC=org" # Search base of LDAP directory ldap_rootdn: "CN=Administrator,CN=Users,DC=office,DC=org" # LDAP manager ldap_password: "*******" # Password to LDAP manager ldap_uids: ["sAMAccountName"] ldap_filter: "(memberOf=*)" modules: ... mod_vcard_ldap: ldap_vcard_map: "NICKNAME": {"%u", []} "GIVEN": {"%s", ["givenName"]} "MIDDLE": {"%s", ["initials"]} "FAMILY": {"%s", ["sn"]} "FN": {"%s", ["displayName"]} "EMAIL": {"%s", ["mail"]} "ORGNAME": {"%s", ["company"]} "ORGUNIT": {"%s", ["department"]} "CTRY": {"%s", ["c"]} "LOCALITY": {"%s", ["l"]} "STREET": {"%s", ["streetAddress"]} "REGION": {"%s", ["st"]} "PCODE": {"%s", ["postalCode"]} "TITLE": {"%s", ["title"]} "URL": {"%s", ["wWWHomePage"]} "DESC": {"%s", ["description"]} "TEL": {"%s", ["telephoneNumber"]}]} ldap_search_fields: "User": "%u" "Name": "givenName" "Family Name": "sn" "Email": "mail" "Company": "company" "Department": "department" "Role": "title" "Description": "description" "Phone": "telephoneNumber" ldap_search_reported: "Full Name": "FN" "Nickname": "NICKNAME" "Email": "EMAIL" ...
Riak is a distributed NoSQL key-value data store. The actual database access is defined in the options with riak_ prefix.
The following paramaters are available:
Example configuration:
riak_server: "riak.server.com" riak_port: 9097
Several ejabberd modules can be used to store information in Riak database. Refer to the corresponding module documentation to see if it supports such ability. To enable storage to Riak database, just make sure that your database is running well (see the next section), and add the module option db_type: riak.
First, you need to configure Riak to use LevelDB as a database backend.
If you are using Riak 2.x and higher, configure storage_backend option of /etc/riak/riak.conf as follows:
... storage_backend = leveldb ...
If you are using Riak 1.4.x and older, configure storage_backend option of /etc/riak/app.config in the section riak_kv as follows:
... {riak_kv, [ ... {storage_backend, riak_kv_eleveldb_backend}, ...
Second, Riak should be pointed to ejabberd Erlang binary files (*.beam). As described in 2.4.4, by default those are located in /lib/ejabberd/ebin directory. So you should add the following to /etc/riak/vm.args:
... ## Path to ejabberd beams in order to make map/reduce -pz /lib/ejabberd/ebin ...
Important notice: make sure Riak has at least read access to that directory. Otherwise its startup will likely fail.
The option modules defines the list of modules that will be loaded after ejabberd’s startup. Each entry in the list is a tuple in which the first element is the name of a module and the second is a list of options for that module.
The syntax is:
Examples:
modules: mod_echo: {}
modules: mod_echo: {} mod_time: {} mod_version: {}
The following table lists all modules included in ejabberd.
Module Feature Dependencies mod_adhoc Ad-Hoc Commands (XEP-0050) mod_announce Manage announcements recommends mod_adhoc mod_blocking Simple Communications Blocking (XEP-0191) mod_privacy mod_caps Entity Capabilities (XEP-0115) mod_carboncopy Message Carbons (XEP-0280) mod_configure Server configuration using Ad-Hoc mod_adhoc mod_disco Service Discovery (XEP-0030) mod_echo Echoes XMPP stanzas mod_http_bind XMPP over Bosh service (HTTP Binding) mod_http_fileserver Small HTTP file server mod_irc IRC transport mod_last Last Activity (XEP-0012) mod_muc Multi-User Chat (XEP-0045) mod_muc_log Multi-User Chat room logging mod_muc mod_offline Offline message storage (XEP-0160) mod_ping XMPP Ping and periodic keepalives (XEP-0199) mod_pres_counter Detect presence subscription flood mod_privacy Blocking Communication (XEP-0016) mod_private Private XML Storage (XEP-0049) mod_proxy65 SOCKS5 Bytestreams (XEP-0065) mod_pubsub Pub-Sub (XEP-0060), PEP (XEP-0163) mod_caps mod_pubsub_odbc Pub-Sub (XEP-0060), PEP (XEP-0163) supported DB (*) and mod_caps mod_register In-Band Registration (XEP-0077) mod_register_web Web for Account Registrations mod_roster Roster management (XMPP IM) mod_service_log Copy user messages to logger service mod_shared_roster Shared roster management mod_roster mod_shared_roster_ldap LDAP Shared roster management mod_roster mod_sic Server IP Check (XEP-0279) mod_sip SIP Registrar/Proxy (RFC 3261) ejabberd_sip mod_stats Statistics Gathering (XEP-0039) mod_time Entity Time (XEP-0202) mod_vcard vcard-temp (XEP-0054) mod_vcard_ldap vcard-temp (XEP-0054) LDAP server mod_vcard_xupdate vCard-Based Avatars (XEP-0153) mod_vcard mod_version Software Version (XEP-0092)
You can see which database backend each module needs by looking at the suffix:
You can find more contributed modules on the ejabberd website. Please remember that these contributions might not work or that they can contain severe bugs and security leaks. Therefore, use them at your own risk!
The following options are used by many modules. Therefore, they are described in this separate section.
Many modules define handlers for processing IQ queries of different namespaces to this server or to a user (e. g. to example.org or to user@example.org). This option defines processing discipline for these queries.
The syntax is:
Possible Value are:
Example:
modules: ... mod_time: iqdisc: no_queue ...
This option defines the Jabber ID of a service provided by an ejabberd module.
The syntax is:
If you include the keyword "@HOST@" in the HostName, it is replaced at start time with the real virtual host string.
This example configures the echo module to provide its echoing service in the Jabber ID mirror.example.org:
modules: ... mod_echo: host: "mirror.example.org" ...
However, if there are several virtual hosts and this module is enabled in all of them, the "@HOST@" keyword must be used:
modules: ... mod_echo: host: "mirror.@HOST@" ...
This module enables configured users to broadcast announcements and to set the message of the day (MOTD). Configured users can perform these actions with a XMPP client either using Ad-hoc commands or sending messages to specific JIDs.
The Ad-hoc commands are listed in the Server Discovery. For this feature to work, mod_adhoc must be enabled.
The specific JIDs where messages can be sent are listed bellow. The first JID in each entry will apply only to the specified virtual host example.org, while the JID between brackets will apply to all virtual hosts in ejabberd.
Options:
Examples:
access: announce: admin: allow modules: ... mod_adhoc: {} mod_announce: access: announce ...
acl: direction: user: "big_boss": "example.org" "assistant": "example.org" admin: user: "admin": "example.org" access: announce: admin: allow direction: allow modules: ... mod_adhoc: {} mod_announce: access: announce ...
Note that mod_announce can be resource intensive on large deployments as it can broadcast lot of messages. This module should be disabled for instances of ejabberd with hundreds of thousands users.
This module adds support for Service Discovery (XEP-0030). With this module enabled, services on your server can be discovered by XMPP clients. Note that ejabberd has no modules with support for the superseded Jabber Browsing (XEP-0011) and Agent Information (XEP-0094). Accordingly, XMPP clients need to have support for the newer Service Discovery protocol if you want them be able to discover the services you offer.
Options:
Examples:
modules: ... mod_disco: extra_domains: ["users.jabber.org"] ...
modules: ... mod_disco: extra_domains: - "icq.example.com" - "msn.example.com" ...
modules: ... mod_disco: extra_domains: - "example.org" - "example.com" ...
modules: ... mod_disco: server_info: - modules: all name: "abuse-addresses" urls: ["mailto:abuse@shakespeare.lit"] - modules: [mod_muc] name: "Web chatroom logs" urls: ["http://www.example.org/muc-logs"] - modules: [mod_disco] name: "feedback-addresses" urls: - "http://shakespeare.lit/feedback.php" - "mailto:feedback@shakespeare.lit" - "xmpp:feedback@shakespeare.lit" - modules: - mod_disco - mod_vcard name: "admin-addresses" urls: - "mailto:xmpp@shakespeare.lit" - "xmpp:admins@shakespeare.lit" ...
This module simply echoes any XMPP packet back to the sender. This mirror can be of interest for ejabberd and XMPP client debugging.
Options:
Example: Mirror, mirror, on the wall, who is the most beautiful of them all?
modules: ... mod_echo: host: "mirror.example.org" ...
This module implements XMPP over Bosh (formerly known as HTTP Binding) as defined in XEP-0124 and XEP-0206. It extends ejabberd’s built in HTTP service with a configurable resource at which this service will be hosted.
To use HTTP-Binding, enable the module:
modules: ... mod_http_bind: {} ...
and add http_bind
in the HTTP service. For example:
listen: ... - port: 5280 module: ejabberd_http http_bind: true http_poll: true web_admin: true ...
With this configuration, the module will serve the requests sent to
http://example.org:5280/http-bind/
Remember that this page is not designed to be used by web browsers,
it is used by XMPP clients that support XMPP over Bosh.
If you want to set the service in a different URI path or use a different module,
you can configure it manually using the option request_handlers
.
For example:
listen: ... - port: 5280 module: ejabberd_http request_handlers: "/http-bind": mod_http_bind http_poll: true web_admin: true ...
Options:
modules: ... mod_http_bind: max_inactivity: 50 ...
This simple module serves files from the local disk over HTTP.
Options:
This example configuration will serve the files from
the local directory /var/www
in the address http://example.org:5280/pub/archive/
.
In this example a new content type ogg is defined,
png is redefined, and jpg definition is deleted.
To use this module you must enable it:
modules: ... mod_http_fileserver: docroot: "/var/www" accesslog: "/var/log/ejabberd/access.log" directory_indices: - "index.html" - "main.htm" custom_headers: "X-Powered-By": "Erlang/OTP" "X-Fry": "It's a widely-believed fact!" content_types: ".ogg": "audio/ogg" ".png": "image/png" ".jpg": undefined default_content_type: "text/html" ...
And define it as a handler in the HTTP service:
listen: ... - port: 5280 module: ejabberd_http request_handlers: ... "/pub/archive": mod_http_fileserver ... ...
This module is an IRC transport that can be used to join channels on IRC servers.
End user information:
Options:
Examples:
modules: ... mod_irc: access: all default_encoding: "iso8859-15" ...
acl: paying_customers: user: - "customer1": "example.org" - "customer2": "example.org" server: "example.com" access: irc_users: paying_customers: allow all: deny modules: ... mod_irc: access: irc_users host: "irc.example.net" ...
This module adds support for Last Activity (XEP-0012). It can be used to discover when a disconnected user last accessed the server, to know when a connected user was last active on the server, or to query the uptime of the ejabberd server.
Options:
This module provides a Multi-User Chat (XEP-0045) service. Users can discover existing rooms, join or create them. Occupants of a room can chat in public or have private chats.
Some of the features of Multi-User Chat:
The MUC service allows any Jabber ID to register a nickname, so nobody else can use that nickname in any room in the MUC service. To register a nickname, open the Service Discovery in your XMPP client and register in the MUC service.
This module supports clustering and load balancing. One module can be started per cluster node. Rooms are distributed at creation time on all available MUC module instances. The multi-user chat module is clustered but the rooms themselves are not clustered nor fault-tolerant: if the node managing a set of rooms goes down, the rooms disappear and they will be recreated on an available node on first connection attempt.
Module options:
Examples:
acl: admin: user: - "admin": "example.org" access: muc_admin: admin: allow modules: ... mod_muc: access: all access_create: all access_admin: muc_admin history_size: 0 ...
acl: paying_customers: user: - "customer1": "example.net" - "customer2": "example.com" - "customer3": "example.org" admin: user: - "admin": "example.org" access: muc_admin admin: allow all: deny muc_access: paying_customers: allow admin: allow all: deny modules: ... mod_muc: access: muc_access access_create: muc_admin access_admin: muc_admin ...
modules: ... mod_muc: min_message_interval: 0.4 min_presence_interval: 4 max_room_id: 20 max_room_name: 20 max_room_desc: 300 ...
modules: ... mod_muc: access: muc_access access_create: muc_admin default_room_options: allow_change_subj: false allow_query_users: true allow_private_messages: true members_by_default: false title: "New chatroom" anonymous: false access_admin: muc_admin ...
This module enables optional logging of Multi-User Chat (MUC) public conversations to HTML. Once you enable this module, users can join a room using a MUC capable XMPP client, and if they have enough privileges, they can request the configuration form in which they can set the option to enable room logging.
Features:
Options:
Examples:
<a href="http://www.jabber.ru/">Jabber.ru</a>
.
access: muc: all: allow modules: ... mod_muc_log: access_log: muc cssfile: "http://example.com/my.css" dirtype: plain dirname: room_jid outdir: "/var/www/muclogs" timezone: universal spam_prevention: true top_link: "http://www.jabber.ru/": "Jabber.ru" ...
<a href="/">Home</a>
.
acl: admin: user: - "admin1": "example.org" - "admin2": "example.net" access: muc_log: admin: allow all: deny modules: ... mod_muc_log: access_log: muc_log cssfile: false dirtype: subdirs file_permissions: mode: 644 group: 33 outdir: "/var/www/muclogs" timezone: local ...
This module implements offline message storage (XEP-0160). This means that all messages sent to an offline user will be stored on the server until that user comes online again. Thus it is very similar to how email works. Note that ejabberdctl has a command to delete expired messages (see section 4.1).
This example allows power users to have as much as 5000 offline messages, administrators up to 2000, and all the other users up to 100.
acl: admin: user: - "admin1": "localhost" - "admin2": "example.org" poweruser: user: - "bob": "example.org" - "jane": "example.org" access: max_user_offline_messages: poweruser: 5000 admin: 2000 all: 100 modules: ... mod_offline: access_max_user_messages: max_user_offline_messages ...
This module implements support for XMPP Ping (XEP-0199) and periodic keepalives. When this module is enabled ejabberd responds correctly to ping requests, as defined in the protocol.
Configuration options:
This example enables Ping responses, configures the module to send pings to client connections that are inactive for 4 minutes, and if a client does not answer to the ping in less than 32 seconds, its connection is closed:
modules: ... mod_ping: send_pings: true ping_interval: 240 timeout_action: kill ...
This module detects flood/spam in presence subscription stanza traffic. If a user sends or receives more of those stanzas in a time interval, the exceeding stanzas are silently dropped, and warning is logged.
Configuration options:
This example enables the module, and allows up to 5 presence subscription stanzas to be sent or received by the users in 60 seconds:
modules: ... mod_pres_counter: count: 5 interval: 60 ...
This module implements Blocking Communication (also known as Privacy Rules) as defined in section 10 from XMPP IM. If end users have support for it in their XMPP client, they will be able to:
(from http://xmpp.org/rfcs/rfc3921.html#privacy)
- Retrieving one’s privacy lists.
- Adding, removing, and editing one’s privacy lists.
- Setting, changing, or declining active lists.
- Setting, changing, or declining the default list (i.e., the list that is active by default).
- Allowing or blocking messages based on JID, group, or subscription type (or globally).
- Allowing or blocking inbound presence notifications based on JID, group, or subscription type (or globally).
- Allowing or blocking outbound presence notifications based on JID, group, or subscription type (or globally).
- Allowing or blocking IQ stanzas based on JID, group, or subscription type (or globally).
- Allowing or blocking all communications based on JID, group, or subscription type (or globally).
Options:
This module adds support for Private XML Storage (XEP-0049):
Using this method, XMPP entities can store private data on the server and retrieve it whenever necessary. The data stored might be anything, as long as it is valid XML. One typical usage for this namespace is the server-side storage of client-specific preferences; another is Bookmark Storage (XEP-0048).
Options:
This module implements SOCKS5 Bytestreams (XEP-0065). It allows ejabberd to act as a file transfer proxy between two XMPP clients.
Options:
"127.0.0.1"
.
Examples:
modules: ... mod_proxy65: {} ...
acl: admin: user: - "admin": "example.org" proxy_users: server: - "example.org" access: proxy65_access: proxy_users: allow all: deny proxy65_shaper: admin: none proxy_users: proxyrate shaper: proxyrate: 10240 modules: ... mod_proxy65: host: "proxy1.example.org" name: "File Transfer Proxy" ip: "200.150.100.1" port: 7778 max_connections: 5 access: proxy65_access shaper: proxy65_shaper ...
This module offers a Publish-Subscribe Service (XEP-0060). The functionality in mod_pubsub can be extended using plugins. The plugin that implements PEP (Personal Eventing via Pubsub) (XEP-0163) is enabled in the default ejabberd configuration file, and it requires mod_caps.
Options:
The "virtual" nodetree does not store nodes on database. This saves resources on systems with tons of nodes. If using the "virtual" nodetree, you can only enable those node plugins: ["flat","pep"] or ["flat"]; any other plugins configuration will not work. Also, all nodes will have the defaut configuration, and this can not be changed. Using "virtual" nodetree requires to start from a clean database, it will not work if you used the default "tree" nodetree before.
The "dag" nodetree provides experimental support for PubSub Collection Nodes (XEP-0248). In that case you should also add "dag" node plugin as default, for example: plugins: ["dag","flat","hometree","pep"]
modules: ... mod_pubsub: pep_mapping: "http://jabber.org/protocol/tune": "tune" ...
Example of configuration that uses flat nodes as default, and allows use of flat, nodetree and pep nodes:
modules: ... mod_pubsub: access_createnode: pubsub_createnode plugins: - "flat" - "hometree" - "pep" ...
Using ODBC database requires using mod_pubsub_odbc without option changes. Only flat, hometree and pep plugins supports ODBC. The following example shows previous configuration with ODBC usage:
modules: ... mod_pubsub_odbc: access_createnode: pubsub_createnode plugins: - "flat" - "hometree" - "pep" ...
This module adds support for In-Band Registration (XEP-0077). This protocol enables end users to use a XMPP client to:
Options:
This module reads also another option defined globally for the server: registration_timeout: Timeout. This option limits the frequency of registration from a given IP or username. So, a user that tries to register a new account from the same IP address or JID during this number of seconds after his previous registration will receive an error resource-constraint with the explanation: “Users are not allowed to register accounts so quickly”. The timeout is expressed in seconds, and it must be an integer. To disable this limitation, instead of an integer put a word like: infinity. Default value: 600 seconds.
Examples:
acl: loopback: ip: - "127.0.0.0/8" - "::" shortname: user_glob: - "?" - "??" ## The same using regexp: ##user_regexp: "^..?$" access: mynetworks: loopback: allow all: deny register: shortname: deny all: allow modules: mod_register: ip_access: mynetworks access: register
access: register: all: deny modules: ... mod_register: access: register ...
modules: ... ## mod_register: ## access: register ...
registration_timeout: 3600 modules: ... mod_register: welcome_message: subject: "Welcome!" body: |- Hi. Welcome to this Jabber server. Check http://www.jabber.org Bye registration_watchers: - "admin1@example.org" - "boss@example.net" ...
This module provides a web page where people can:
This module supports CAPTCHA image to register a new account. To enable this feature, configure the options captcha_cmd and captcha_host.
Options:
This example configuration shows how to enable the module and the web handler:
hosts: - "localhost" - "example.org" - "example.com" listen: ... - port: 5281 module: ejabberd_http register: true certfile: "/etc/ejabberd/certificate.pem" tls: true ... modules: ... mod_register_web: {} ...
For example, the users of the host example.org can visit the page: https://example.org:5281/register/ It is important to include the last / character in the URL, otherwise the subpages URL will be incorrect.
This module implements roster management as defined in RFC 3921: XMPP IM. It also supports Roster Versioning (XEP-0237).
Options:
This example configuration enables Roster Versioning with storage of current id. The ICQ and MSN transports can get ICQ and MSN contacts, add them, or remove them for any local account:
modules: ... mod_roster: versioning: true store_current_id: true managers: - "icq.example.org" - "msn.example.org" ...
With this example configuration, only admins can manage their rosters; everybody else cannot modify the roster:
acl: admin: user: - "sarah": "example.org" access: roster: admin: allow modules: ... mod_roster: access: roster ...
This module adds support for logging end user packets via a XMPP message
auditing service such as
Bandersnatch. All user
packets are encapsulated in a <route/>
element and sent to the specified
service(s).
Options:
Examples:
modules: ... mod_service_log: loggers: ["bandersnatch.example.com"] ...
modules: ... mod_service_log: loggers: - "bandersnatch.example.com" - "bandersnatch.example.org" ...
This module enables you to create shared roster groups. This means that you can create groups of people that can see members from (other) groups in their rosters. The big advantages of this feature are that end users do not need to manually add all users to their rosters, and that they cannot permanently delete users from the shared roster groups. A shared roster group can have members from any XMPP server, but the presence will only be available from and to members of the same virtual host where the group is created.
Options:
Shared roster groups can be edited only via the Web Admin. Each group has a unique identification and the following parameters:
Examples:
Identification Group ‘club_members’ Name Club Members Description Members from the computer club Members
member1@example.org member2@example.org member3@example.org Displayed groups club_members
Identification Group ‘management’ Group ‘marketing’ Group ‘sales’ Name Management Marketing Sales Description Members
manager1@example.org manager2@example.org manager3@example.org manager4@example.org
marketeer1@example.org marketeer2@example.org marketeer3@example.org marketeer4@example.org
saleswoman1@example.org salesman1@example.org saleswoman2@example.org salesman2@example.org Displayed groups
management marketing sales
management marketing
management sales
This module lets the server administrator automatically populate users’ rosters (contact lists) with entries based on users and groups defined in an LDAP-based directory.
The module accepts the following configuration parameters. Some of them, if unspecified, default to the values specified for the top level of configuration. This lets you avoid specifying, for example, the bind password, in multiple places.
These parameters specify LDAP filters used to query for shared roster information.
All of them are run against the ldap_base
.
ldap_groupattr
parameter.
If unspecified, defaults to the top-level parameter of the same name.
You must specify it in some place in the configuration, there is no default.ldap_userdesc
and ldap_useruid
.
If unspecified, defaults to the top-level parameter of the same name.
If that one also is unspecified, then the filter is assembled from values of
other parameters as follows ([ldap_SOMETHING]
is used to mean “the
value of the configuration parameter ldap_SOMETHING”):(&(&([ldap_memberattr]=[ldap_memberattr_format])([ldap_groupattr]=%g))[ldap_filter])
Subsequently %u and %g are replaced with a *. This means
that given the defaults, the filter sent to the LDAP server is would be
(&(memberUid=*)(cn=*))
. If however the ldap_memberattr_format
is something like uid=%u,ou=People,o=org
, then the filter will be
(&(memberUid=uid=*,ou=People,o=org)(cn=*))
.
ldap_groupattr
, ldap_groupdesc
and ldap_memberattr
.
If unspecified, defaults to the top-level parameter of the same name.
If that one also is unspecified, then the filter is constructed exactly in the
same way as User Filter.Note that you will probably need to manually define the User and Group Filters (since the auto-assembled ones will not work) if:
An example where it is the case is OpenLDAP and (unique)MemberName attribute from the groupOf(Unique)Names objectClass. A symptom of this problem is that you will see messages such as the following in your slapd.log:
get_filter: unknown filter type=130 filter="(&(?=undefined)(?=undefined)(something=else))"
These parameters specify the names of the attributes which hold interesting data in the entries returned by running filters specified in section 3.3.24.
The name of the attribute differs depending on the objectClass you use for your group objects, for example:
These paramters control the behaviour of the module.
ldap_memberattr
.
Defaults to %u, which means that the whole value is the member ID. If
you change it to something different, you may also need to specify the User
and Group Filters manually — see section 3.3.24.ldap_memberattr
.An example value "CN=(\\w*),(OU=.*,)*DC=company,DC=com" works for user IDs such as the following:
In case:
then instead of a regular expression, a simple format specified by ldap_memberattr_format is used. Also, in the last two cases an error message is logged during the module initialization.
Also, note that in all cases ldap_memberattr_format (and not the regex version) is used for constructing the default “User/Group Filter” — see section 3.3.24.
The module also accepts the connection parameters, all of which default to the top-level parameter of the same name, if unspecified. See 3.2.2 for more information about them.
When the module is called to retrieve the shared roster for a user, the following algorithm is used:
This step is here for historical reasons. If you have a tidy DIT and properly defined “Roster Filter” and “Group Filter”, it is safe to disable it by setting ldap_auth_check to off — it will speed up the roster retrieval.
Since there are many possible DIT layouts, it will probably be easiest to understand how to configure the module by looking at an example for a given DIT (or one resembling it).
This seems to be the kind of DIT for which this module was initially designed. Basically there are just user objects, and group membership is stored in an attribute individually for each user. For example in a layout shown in figure 3.1, the group of each user is stored in its ou attribute.
Such layout has a few downsides, including:
This however seems to be a common DIT layout, so the module keeps supporting it. You can use the following configuration…
modules: ... mod_shared_roster_ldap: ldap_base: "ou=flat,dc=nodomain" ldap_rfilter: "(objectClass=inetOrgPerson)" ldap_groupattr: "ou" ldap_memberattr: "cn" ldap_filter: "(objectClass=inetOrgPerson)" ldap_userdesc: "displayName" ...
…to be provided with a roster as shown in figure 3.2 upon connecting as user czesio.
This type of DIT contains distinctly typed objects for users and groups – see figure 3.3. They are shown separated into different subtrees, but it’s not a requirement.
If you use the following example module configuration with it:
modules: ... mod_shared_roster_ldap: ldap_base: "ou=deep,dc=nodomain" ldap_rfilter: "(objectClass=groupOfUniqueNames)" ldap_filter: "" ldap_gfilter: "(&(objectClass=groupOfUniqueNames)(cn=%g))" ldap_groupdesc: "description" ldap_memberattr: "uniqueMember" ldap_memberattr_format: "cn=%u,ou=people,ou=deep,dc=nodomain" ldap_ufilter: "(&(objectClass=inetOrgPerson)(cn=%u))" ldap_userdesc: "displayName" ...
…and connect as user czesio, then ejabberd will provide you with the roster shown in figure 3.4.
This module adds support for Server IP Check (XEP-0279). This protocol enables a client to discover its external IP address.
Options:
This module adds SIP proxy/registrar support for the corresponding virtual host. Note that it is not enough to just load this module only. You should also configure listeners and DNS records properly. See section 3.1.11 for the full explanation.
Example configuration:
modules: ... mod_sip: {} ...
Options:
Example complex configuration:
modules: ... mod_sip: always_record_route: false record_route: sip:example.com;lr routes: - sip:example.com;lr - sip:sip.example.com;lr flow_timeout_udp: 30 flow_timeout_tcp: 130 via: - type: tls host: "sip-tls.example.com" port: 5061 - type: tcp host: "sip-tcp.example.com" port: 5060 - type: udp host: "sip-udp.example.com" port: 5060 ...
This module adds support for Statistics Gathering (XEP-0039). This protocol allows you to retrieve next statistics from your ejabberd deployment:
Options:
As there are only a small amount of clients (for example Tkabber) and software libraries with support for this XEP, a few examples are given of the XML you need to send in order to get the statistics. Here they are:
<iq to='example.org' type='get'> <query xmlns='http://jabber.org/protocol/stats'> <stat name='users/online'/> </query> </iq>
<iq to='example.org' type='get'> <query xmlns='http://jabber.org/protocol/stats'> <stat name='users/all-hosts/total'/> </query> </iq>
This module features support for Entity Time (XEP-0202). By using this XEP, you are able to discover the time at another entity’s location.
Options:
This module allows end users to store and retrieve their vCard, and to retrieve other users vCards, as defined in vcard-temp (XEP-0054). The module also implements an uncomplicated Jabber User Directory based on the vCards of these users. Moreover, it enables the server to send its vCard when queried.
Options:
Examples:
modules: ... mod_vcard: search: true matches: 20 allow_return_all: true search_all_hosts: false ...
modules: ... mod_vcard: search: true matches: infinity allow_return_all: true ...
ejabberd can map LDAP attributes to vCard fields. This behaviour is implemented in the mod_vcard_ldap module. This module does not depend on the authentication method (see 3.2.2).
Usually ejabberd treats LDAP as a read-only storage: it is possible to consult data, but not possible to create accounts or edit vCard that is stored in LDAP. However, it is possible to change passwords if mod_register module is enabled and LDAP server supports RFC 3062.
The mod_vcard_ldap module has its own optional parameters. The first group of parameters has the same meaning as the top-level LDAP parameters to set the authentication method: ldap_servers, ldap_port, ldap_rootdn, ldap_password, ldap_base, ldap_uids, ldap_deref_aliases and ldap_filter. See section 3.2.2 for detailed information about these options. If one of these options is not set, ejabberd will look for the top-level option with the same name.
The second group of parameters consists of the following mod_vcard_ldap-specific options:
[{"NICKNAME", "%u", []}, {"FN", "%s", ["displayName"]}, {"LAST", "%s", ["sn"]}, {"FIRST", "%s", ["givenName"]}, {"MIDDLE", "%s", ["initials"]}, {"ORGNAME", "%s", ["o"]}, {"ORGUNIT", "%s", ["ou"]}, {"CTRY", "%s", ["c"]}, {"LOCALITY", "%s", ["l"]}, {"STREET", "%s", ["street"]}, {"REGION", "%s", ["st"]}, {"PCODE", "%s", ["postalCode"]}, {"TITLE", "%s", ["title"]}, {"URL", "%s", ["labeleduri"]}, {"DESC", "%s", ["description"]}, {"TEL", "%s", ["telephoneNumber"]}, {"EMAIL", "%s", ["mail"]}, {"BDAY", "%s", ["birthDay"]}, {"ROLE", "%s", ["employeeType"]}, {"PHOTO", "%s", ["jpegPhoto"]}]
[{"User", "%u"}, {"Full Name", "displayName"}, {"Given Name", "givenName"}, {"Middle Name", "initials"}, {"Family Name", "sn"}, {"Nickname", "%u"}, {"Birthday", "birthDay"}, {"Country", "c"}, {"City", "l"}, {"Email", "mail"}, {"Organization Name", "o"}, {"Organization Unit", "ou"}]
[{"Full Name", "FN"}, {"Given Name", "FIRST"}, {"Middle Name", "MIDDLE"}, {"Family Name", "LAST"}, {"Nickname", "NICKNAME"}, {"Birthday", "BDAY"}, {"Country", "CTRY"}, {"City", "LOCALITY"}, {"Email", "EMAIL"}, {"Organization Name", "ORGNAME"}, {"Organization Unit", "ORGUNIT"}]
Examples:
Let’s say ldap.example.org is the name of our LDAP server. We have users with their passwords in "ou=Users,dc=example,dc=org" directory. Also we have addressbook, which contains users emails and their additional infos in "ou=AddressBook,dc=example,dc=org" directory. Corresponding authentication section should looks like this:
%% authentication method {auth_method, ldap}. %% DNS name of our LDAP server {ldap_servers, ["ldap.example.org"]}. %% We want to authorize users from 'shadowAccount' object class only {ldap_filter, "(objectClass=shadowAccount)"}.
Now we want to use users LDAP-info as their vCards. We have four attributes defined in our LDAP schema: "mail" — email address, "givenName" — first name, "sn" — second name, "birthDay" — birthday. Also we want users to search each other. Let’s see how we can set it up:
{modules, ... {mod_vcard_ldap, [ %% We use the same server and port, but want to bind anonymously because %% our LDAP server accepts anonymous requests to %% "ou=AddressBook,dc=example,dc=org" subtree. {ldap_rootdn, ""}, {ldap_password, ""}, %% define the addressbook's base {ldap_base, "ou=AddressBook,dc=example,dc=org"}, %% uidattr: user's part of JID is located in the "mail" attribute %% uidattr_format: common format for our emails {ldap_uids, [{"mail","%u@mail.example.org"}]}, %% We have to define empty filter here, because entries in addressbook does not %% belong to shadowAccount object class {ldap_filter, ""}, %% Now we want to define vCard pattern {ldap_vcard_map, [{"NICKNAME", "%u", []}, % just use user's part of JID as his nickname {"FIRST", "%s", ["givenName"]}, {"LAST", "%s", ["sn"]}, {"FN", "%s, %s", ["sn", "givenName"]}, % example: "Smith, John" {"EMAIL", "%s", ["mail"]}, {"BDAY", "%s", ["birthDay"]}]}, %% Search form {ldap_search_fields, [{"User", "%u"}, {"Name", "givenName"}, {"Family Name", "sn"}, {"Email", "mail"}, {"Birthday", "birthDay"}]}, %% vCard fields to be reported %% Note that JID is always returned with search results {ldap_search_reported, [{"Full Name", "FN"}, {"Nickname", "NICKNAME"}, {"Birthday", "BDAY"}]} ]} ... }.
Note that mod_vcard_ldap module checks an existence of the user before searching his info in LDAP.
{ldap_vcard_map, [{"NICKNAME", "%u", []}, {"FN", "%s", ["displayName"]}, {"CTRY", "Russia", []}, {"EMAIL", "%u@%d", []}, {"DESC", "%s\n%s", ["title", "description"]} ]},
{ldap_search_fields, [{"User", "uid"}, {"Full Name", "displayName"}, {"Email", "mail"} ]},
{ldap_search_reported, [{"Full Name", "FN"}, {"Email", "EMAIL"}, {"Birthday", "BDAY"}, {"Nickname", "NICKNAME"} ]},
The user’s client can store an avatar in the user vCard. The vCard-Based Avatars protocol (XEP-0153) provides a method for clients to inform the contacts what is the avatar hash value. However, simple or small clients may not implement that protocol.
If this module is enabled, all the outgoing client presence stanzas get automatically the avatar hash on behalf of the client. So, the contacts receive the presence stanzas with the Update Data described in XEP-0153 as if the client would had inserted it itself. If the client had already included such element in the presence stanza, it is replaced with the element generated by ejabberd.
By enabling this module, each vCard modification produces a hash recalculation, and each presence sent by a client produces hash retrieval and a presence stanza rewrite. For this reason, enabling this module will introduce a computational overhead in servers with clients that change frequently their presence.
Options:
This module implements Software Version (XEP-0092). Consequently, it answers ejabberd’s version when queried.
Options:
With the ejabberdctl command line administration script you can execute ejabberdctl commands (described in the next section, 4.1.1) and also many general ejabberd commands (described in section 4.2). This means you can start, stop and perform many other administrative tasks in a local or remote ejabberd server (by providing the argument --node NODENAME).
The ejabberdctl script can be configured in the file ejabberdctl.cfg. This file includes detailed information about each configurable option. See section 4.1.2.
The ejabberdctl script returns a numerical status code. Success is represented by 0, error is represented by 1, and other codes may be used for specific results. This can be used by other scripts to determine automatically if a command succeeded or failed, for example using: echo $?
If you use Bash, you can get Bash completion by copying the file tools/ejabberdctl.bc to the directory /etc/bash_completion.d/ (in Debian, Ubuntu, Fedora and maybe others).
When ejabberdctl is executed without any parameter, it displays the available options. If there isn’t an ejabberd server running, the available parameters are:
If there is an ejabberd server running in the system, ejabberdctl shows the ejabberdctl commands described bellow and all the ejabberd commands available in that server (see 4.2.1).
The ejabberdctl commands are:
The ejabberdctl script can be restricted to require authentication and execute some ejabberd commands; see 4.2.2. Add the option to the file ejabberd.yml. In this example there is no restriction:
ejabberdctl_access_commands: []
If account robot1@example.org is registered in ejabberd with password abcdef (which MD5 is E8B501798950FC58AAD83C8C14978E), and ejabberd.yml contains this setting:
{hosts, ["example.org"]}. {acl, bots, {user, "robot1", "example.org"}}. {access, ctlaccess, [{allow, bots}]}. {ejabberdctl_access_commands, [ {ctlaccess, [registered_users, register], []} ]}.
then you can do this in the shell:
$ ejabberdctl registered_users example.org Error: no_auth_provided $ ejabberdctl --auth robot1 example.org abcdef registered_users example.org robot1 testuser1 testuser2
ejabberd is an Erlang/OTP application that runs inside an Erlang runtime system. This system is configured using environment variables and command line parameters. The ejabberdctl administration script uses many of those possibilities. You can configure some of them with the file ejabberdctl.cfg, which includes detailed description about them. This section describes for reference purposes all the environment variables and command line parameters.
The environment variables:
The command line parameters:
Note that some characters need to be escaped when used in shell scripts, for instance "
and {}
.
You can find other options in the Erlang manual page (erl -man erl).
An ejabberd command is an abstract function identified by a name, with a defined number and type of calling arguments and type of result that is registered in the ejabberd_commands service. Those commands can be defined in any Erlang module and executed using any valid frontend.
ejabberd includes two frontends to execute ejabberd commands: the script ejabberdctl (4.1) and the ejabberd_xmlrpc listener (3.1.4). Other known frontends that can be installed to execute ejabberd commands in different ways are: mod_rest (HTTP POST service), mod_shcommands (ejabberd WebAdmin page).
ejabberd includes a few ejabberd Commands by default. When more modules are installed, new commands may be available in the frontends.
The easiest way to get a list of the available commands, and get help for them is to use the ejabberdctl script:
$ ejabberdctl help Usage: ejabberdctl [--node nodename] [--auth user host password] command [options] Available commands in this ejabberd node: backup file Store the database to backup file connected_users List all established sessions connected_users_number Get the number of established sessions ...
The most interesting ones are:
The frontends can be configured to restrict access to certain commands. In that case, authentication information must be provided. In each frontend the AccessCommands option is defined in a different place. But in all cases the option syntax is the same:
AccessCommands = [ {Access, CommandNames, Arguments}, ...] Access = atom() CommandNames = all | [CommandName] CommandName = atom() Arguments = [ {ArgumentName, ArgumentValue}, ...] ArgumentName = atom() ArgumentValue = any()
The default value is to not define any restriction: []. The authentication information is provided when executing a command, and is Username, Hostname and Password of a local XMPP account that has permission to execute the corresponding command. This means that the account must be registered in the local ejabberd, because the information will be verified.
When one or several access restrictions are defined and the authentication information is provided, each restriction is verified until one matches completely: the account matches the Access rule, the command name is listed in CommandNames, and the provided arguments do not contradict Arguments.
As an example to understand the syntax, let’s suppose those options:
{hosts, ["example.org"]}. {acl, bots, {user, "robot1", "example.org"}}. {access, commaccess, [{allow, bots}]}.
This list of access restrictions allows only robot1@example.org to execute all commands:
[{commaccess, all, []}]
See another list of restrictions (the corresponding ACL and ACCESS are not shown):
[ %% This bot can execute all commands: {bot, all, []}, %% This bot can only execute the command 'dump'. No argument restriction: {bot_backups, [dump], []} %% This bot can execute all commands, %% but if a 'host' argument is provided, it must be "example.org": {bot_all_example, all, [{host, "example.org"}]}, %% This bot can only execute the command 'register', %% and if argument 'host' is provided, it must be "example.org": {bot_reg_example, [register], [{host, "example.org"}]}, %% This bot can execute the commands 'register' and 'unregister', %% if argument host is provided, it must be "test.org": {_bot_reg_test, [register, unregister], [{host, "test.org"}]} ]
The ejabberd Web Admin allows to administer most of ejabberd using a web browser.
This feature is enabled by default:
a ejabberd_http listener with the option web_admin (see
section 3.1.4) is included in the listening ports. Then you can open
http://server:port/admin/
in your favourite web browser. You
will be asked to enter the username (the full Jabber ID) and password
of an ejabberd user with administrator rights. After authentication
you will see a page similar to figure 4.1.
Here you can edit access restrictions, manage users, create backups, manage the database, enable/disable ports listened for, view server statistics,…
The access rule configure determines what accounts can access the Web Admin and modify it. The access rule webadmin_view is to grant only view access: those accounts can browse the Web Admin with read-only access.
Example configurations:
http://example.org:5280/admin/
to
administer all virtual hosts or to
http://example.org:5280/admin/server/example.com/
to administer only
the virtual host example.com. Before you get access to the Web Admin
you need to enter as username, the JID and password from a registered user
that is allowed to configure ejabberd. In this example you can enter as
username ‘admin@example.net’ to administer all virtual hosts (first
URL). If you log in with ‘admin@example.com’ on http://example.org:5280/admin/server/example.com/
you can only
administer the virtual host example.com.
The account ‘reviewer@example.com’ can browse that vhost in read-only mode.
acl: admin: user: - "admin": "example.net" host_config: "example.com": acl: admin: user: - "admin": "example.com" viewers: user: - "reviewer": "example.com" access: configure: admin: allow webadmin_view: viewers: allow hosts: - "example.org" listen: ... - port: 5280 module: ejabberd_http web_admin: true http_poll: true ...
https://192.168.1.1:5282/admin/
:
hosts: - "example.org" listen: ... - port: 5280 module: ejabberd_http http_poll: true - ip: "192.168.1.1" port: 5282 module: ejabberd_http certfile: "/usr/local/etc/server.pem" tls: true web_admin: true ...
Certain pages in the ejabberd Web Admin contain a link to a related section in the ejabberd Installation and Operation Guide. In order to view such links, a copy in HTML format of the Guide must be installed in the system. The file is searched by default in "/share/doc/ejabberd/guide.html". The directory of the documentation can be specified in the environment variable EJABBERD_DOC_PATH. See section 4.1.2.
If you enable mod_configure and mod_adhoc, you can perform several administrative tasks in ejabberd with an XMPP client. The client must support Ad-Hoc Commands (XEP-0050), and you must login in the XMPP server with an account with proper privileges.
ejabberd uses the distributed Mnesia database. Being distributed, Mnesia enforces consistency of its file, so it stores the name of the Erlang node in it (see section 5.4). The name of an Erlang node includes the hostname of the computer. So, the name of the Erlang node changes if you change the name of the machine in which ejabberd runs, or when you move ejabberd to a different machine.
You have two ways to use the old Mnesia database in an ejabberd with new node name: put the old node name in ejabberdctl.cfg, or convert the database to the new node name.
Those example steps will backup, convert and load the Mnesia database. You need to have either the old Mnesia spool dir or a backup of Mnesia. If you already have a backup file of the old database, you can go directly to step 5. You also need to know the old node name and the new node name. If you don’t know them, look for them by executing ejabberdctl or in the ejabberd log files.
Before starting, setup some variables:
OLDNODE=ejabberd@oldmachine NEWNODE=ejabberd@newmachine OLDFILE=/tmp/old.backup NEWFILE=/tmp/new.backup
ejabberdctl --node $OLDNODE start
ejabberdctl --node $OLDNODE backup $OLDFILE
ejabberdctl --node $OLDNODE stop
mkdir /var/lib/ejabberd/oldfiles mv /var/lib/ejabberd/*.* /var/lib/ejabberd/oldfiles/
ejabberdctl start
ejabberdctl mnesia_change_nodename $OLDNODE $NEWNODE $OLDFILE $NEWFILE
ejabberdctl install_fallback $NEWFILE
ejabberdctl stopYou may see an error message in the log files, it’s normal, so don’t worry:
Mnesia(ejabberd@newmachine): ** ERROR ** (ignoring core) ** FATAL ** A fallback is installed and Mnesia must be restarted. Forcing shutdown after mnesia_down from ejabberd@newmachine...
ejabberdctl start
You need to take the following TCP ports in mind when configuring your firewall:
Port Description 5222 Standard port for Jabber/XMPP client connections, plain or STARTTLS. 5223 Standard port for Jabber client connections using the old SSL method. 5269 Standard port for Jabber/XMPP server connections. 4369 EPMD (section 5.2) listens for Erlang node name requests. port range Used for connections between Erlang nodes. This range is configurable (see section 5.2).
epmd (Erlang Port Mapper Daemon) is a small name server included in Erlang/OTP and used by Erlang programs when establishing distributed Erlang communications. ejabberd needs epmd to use ejabberdctl and also when clustering ejabberd nodes. This small program is automatically started by Erlang, and is never stopped. If ejabberd is stopped, and there aren’t any other Erlang programs running in the system, you can safely stop epmd if you want.
ejabberd runs inside an Erlang node. To communicate with ejabberd, the script ejabberdctl starts a new Erlang node and connects to the Erlang node that holds ejabberd. In order for this communication to work, epmd must be running and listening for name requests in the port 4369. You should block the port 4369 in the firewall in such a way that only the programs in your machine can access it. or configure the option ERL_EPMD_ADDRESS in the file ejabberdctl.cfg.
If you build a cluster of several ejabberd instances, each ejabberd instance is called an ejabberd node. Those ejabberd nodes use a special Erlang communication method to build the cluster, and EPMD is again needed listening in the port 4369. So, if you plan to build a cluster of ejabberd nodes you must open the port 4369 for the machines involved in the cluster. Remember to block the port so Internet doesn’t have access to it.
Once an Erlang node solved the node name of another Erlang node using EPMD and port 4369, the nodes communicate directly. The ports used in this case by default are random, but can be configured in the file ejabberdctl.cfg. The Erlang command-line parameter used internally is, for example:
erl ... -kernel inet_dist_listen_min 4370 inet_dist_listen_max 4375
It is also possible to configure in ejabberdctl.cfg the network interface where the Erlang node will listen and accept connections. The Erlang command-line parameter used internally is, for example:
erl ... -kernel inet_dist_use_interface "{127,0,0,1}"
The Erlang cookie is a string with numbers and letters. An Erlang node reads the cookie at startup from the command-line parameter -setcookie. If not indicated, the cookie is read from the cookie file $HOME/.erlang.cookie. If this file does not exist, it is created immediately with a random cookie. Two Erlang nodes communicate only if they have the same cookie. Setting a cookie on the Erlang node allows you to structure your Erlang network and define which nodes are allowed to connect to which.
Thanks to Erlang cookies, you can prevent access to the Erlang node by mistake, for example when there are several Erlang nodes running different programs in the same machine.
Setting a secret cookie is a simple method to difficult unauthorized access to your Erlang node. However, the cookie system is not ultimately effective to prevent unauthorized access or intrusion to an Erlang node. The communication between Erlang nodes are not encrypted, so the cookie could be read sniffing the traffic on the network. The recommended way to secure the Erlang node is to block the port 4369.
An Erlang node may have a node name. The name can be short (if indicated with the command-line parameter -sname) or long (if indicated with the parameter -name). Starting an Erlang node with -sname limits the communication between Erlang nodes to the LAN.
Using the option -sname instead of -name is a simple method to difficult unauthorized access to your Erlang node. However, it is not ultimately effective to prevent access to the Erlang node, because it may be possible to fake the fact that you are on another network using a modified version of Erlang epmd. The recommended way to secure the Erlang node is to block the port 4369.
ejabberd stores sensitive data in the file system either in plain text or binary files. The file system permissions should be set to only allow the proper user to read, write and execute those files and directories.
A XMPP domain is served by one or more ejabberd nodes. These nodes can be run on different machines that are connected via a network. They all must have the ability to connect to port 4369 of all another nodes, and must have the same magic cookie (see Erlang/OTP documentation, in other words the file ~ejabberd/.erlang.cookie must be the same on all nodes). This is needed because all nodes exchange information about connected users, s2s connections, registered services, etc…
Each ejabberd node has the following modules:
This module is the main router of XMPP packets on each node. It routes them based on their destination’s domains. It uses a global routing table. The domain of the packet’s destination is searched in the routing table, and if it is found, the packet is routed to the appropriate process. If not, it is sent to the s2s manager.
This module routes packets which have a destination domain equal to one of this server’s host names. If the destination JID has a non-empty user part, it is routed to the session manager, otherwise it is processed depending on its content.
This module routes packets to local users. It looks up to which user resource a packet must be sent via a presence table. Then the packet is either routed to the appropriate c2s process, or stored in offline storage, or bounced back.
This module routes packets to other XMPP servers. First, it checks if an opened s2s connection from the domain of the packet’s source to the domain of the packet’s destination exists. If that is the case, the s2s manager routes the packet to the process serving this connection, otherwise a new connection is opened.
Suppose you already configured ejabberd on one machine named (first), and you need to setup another one to make an ejabberd cluster. Then do following steps:
~ejabberd/.erlang.cookie
file from first to
second.(alt) You can also add ‘-setcookie content_of_.erlang.cookie
’
option to all ‘erl’ commands below.
erl -sname ejabberd \ -mnesia dir '"/var/lib/ejabberd/"' \ -mnesia extra_db_nodes "['ejabberd@first']" \ -s mnesia
This will start Mnesia serving the same database as ejabberd@first.
You can check this by running the command ‘mnesia:info().
’. You
should see a lot of remote tables and a line like the following:
Note: the Mnesia directory may be different in your system. To know where does ejabberd expect Mnesia to be installed by default, call 4.1 without options and it will show some help, including the Mnesia database spool dir.
running db nodes = [ejabberd@first, ejabberd@second]
mnesia:change_table_copy_type(schema, node(), disc_copies).
This will create local disc storage for the database.
(alt) Change storage type of the scheme table to ‘RAM and disc copy’ on the second node via the Web Admin.
mnesia:add_table_copy
’ or
‘mnesia:change_table_copy_type
’ as above (just replace
‘schema
’ with another table name and ‘disc_copies
’
can be replaced with ‘ram_copies
’ or
‘disc_only_copies
’).Which tables to replicate is very dependant on your needs, you can get
some hints from the command ‘mnesia:info().
’, by looking at the
size of tables and the default storage type for each table on ’first’.
Replicating a table makes lookups in this table faster on this node. Writing, on the other hand, will be slower. And of course if machine with one of the replicas is down, other replicas will be used.
Also section 5.3 (Table Fragmentation) of Mnesia User’s Guide can be helpful.
(alt) Same as in previous item, but for other tables.
init:stop().
’ or just ‘q().
’ to exit from
the Erlang shell. This probably can take some time if Mnesia has not yet
transfered and processed all data it needed from first.acl
’
and ‘access
’ options because they will be taken from
first; and mod_irc
should be
enabled only on one machine in the cluster.
You can repeat these steps for other machines supposed to serve this domain.
ejabberd includes an algorithm to load balance the components that are plugged on an ejabberd cluster. It means that you can plug one or several instances of the same component on each ejabberd cluster and that the traffic will be automatically distributed.
The default distribution algorithm try to deliver to a local instance of a component. If several local instances are available, one instance is chosen randomly. If no instance is available locally, one instance is chosen randomly among the remote component instances.
If you need a different behaviour, you can change the load balancing behaviour with the option domain_balancing. The syntax of the option is the following:
Several balancing criteria are available:
If the value corresponding to the criteria is the same, the same component instance in the cluster will be used.
When there is a risk of failure for a given component, domain balancing can cause service trouble. If one component is failing the service will not work correctly unless the sessions are rebalanced.
In this case, it is best to limit the problem to the sessions handled by the failing component. This is what the domain_balancing_component_number option does, making the load balancing algorithm not dynamic, but sticky on a fix number of component instances.
The syntax is:
An ejabberd node writes three log files:
The option loglevel modifies the verbosity of the file ejabberd.log. The syntax:
The possible Level are:
For example, the default configuration is:
loglevel: 4
Option log_rate_limit is useful if you want to protect the logging mechanism from being overloaded by excessive amount of log messages. The syntax is:
When the limit is reached the similar warning message is logged:
lager_error_logger_h dropped 800 messages in the last second that exceeded the limit of 100 messages/sec
By default ejabberd rotates the log files when they get grown above a certain size. The exact value is controlled by log_rotate_size option. The syntax is:
ejabberd can also rotates the log files at given date interval. The exact value is controlled by log_rotate_date option. The syntax is:
However, you can rotate the log files manually. For doing this, set log_rotate_size option to 0 and log_rotate_date to empty list, then, when you need to rotate the files, rename and then reopen them. The ejabberdctl command reopen-log (please refer to section 4.1.1) reopens the log files, and also renames the old ones if you didn’t rename them.
The option log_rotate_count defines the number of rotated files to keep by reopen-log command. Every such file has a numeric suffix. The exact format is:
The Debug Console is an Erlang shell attached to an already running ejabberd server. With this Erlang shell, an experienced administrator can perform complex tasks.
This shell gives complete control over the ejabberd server, so it is important to use it with extremely care. There are some simple and safe examples in the article Interconnecting Erlang Nodes
To exit the shell, close the window or press the keys: control+c control+c.
ejabberd includes a watchdog mechanism that may be useful to developers when troubleshooting a problem related to memory usage. If a process in the ejabberd server consumes more memory than the configured threshold, a message is sent to the XMPP accounts defined with the option watchdog_admins in the ejabberd configuration file.
The syntax is:
The memory consumed is measured in words: a word on 32-bit architecture is 4 bytes, and a word on 64-bit architecture is 8 bytes. The threshold by default is 1000000 words. This value can be configured with the option watchdog_large_heap, or in a conversation with the watchdog alert bot.
The syntax is:
Example configuration:
watchdog_admins: - "admin2@localhost" - "admin2@example.org" watchdog_large_heap: 30000000
To remove watchdog admins, remove them in the option. To remove all watchdog admins, set the option with an empty list:
watchdog_admins: []
The source code of ejabberd supports localization. The translators can edit the gettext .po files using any capable program (KBabel, Lokalize, Poedit...) or a simple text editor.
Then gettext is used to extract, update and export those .po files to the .msg format read by ejabberd. To perform those management tasks, in the src/ directory execute make translations. The translatable strings are extracted from source code to generate the file ejabberd.pot. This file is merged with each .po file to produce updated .po files. Finally those .po files are exported to .msg files, that have a format easily readable by ejabberd.
All built-in modules support the xml:lang attribute inside IQ queries. Figure A.1, for example, shows the reply to the following query:
<iq id='5' to='example.org' type='get' xml:lang='ru'> <query xmlns='http://jabber.org/protocol/disco#items'/> </iq>
The Web Admin also supports the Accept-Language
HTTP header.
Release notes are available from ejabberd Home Page
Thanks to all people who contributed to this guide:
Ejabberd Installation and Operation Guide.
Copyright © 2003 — 2014 ProcessOne
This document is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this document; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
This document was translated from LATEX by HEVEA.