Monday, July 25, 2011

Ejabberd cluster on Ubuntu Server

Two years ago, I created a blog about the clustering of ejabberd nodes, running on OpenSolaris.

This message here has the same purpose but now running on Ubuntu Servers and linked to an openldap server. I used 9.04 (Jaunty Jackalope), but I think there shouldn't be too much changes in earlier or later versions.

I used the following setup:
3 ejabberd nodes (ejabberd1, ejabberd2, and ejabberd3)
1 OpenLDAP Server

Installation and Configuration First ejabberd

Make sure that your are logged in as root user.

1. Install ejabberd:
$ apt-get install ejabberd
2. Configure ejabberd to get users from the openldap server
* adapt /etc/ejabberd/ejabberd.cfg:

** %% Admin user: in this example the user must be listed in the LDAP
** %% Hostname
** %% List of LDAP servers: {ldap_servers, [""]}.
--> make sure that ejabberd node can reach ldap server using its
hostname (possibly adapt /etc/hosts)
** %% Encryption .. LDAP Servers (LDAPS): {ldap_encrypt, }.
--> tls, ssl, none, ...
** %% Port connect to LDAP server: {ldap_port, }.
** %% LDAP Manager: {ldap_rootdn, ""}.
--> e.g. {ldap_rootdn, "cn=admin,dc=example,dc=com"}.
** %% Password of LDAP manager: {ldap_password, ""}.
** %% LDAP attribute that holds user ID: {ldap_uids, [{"uid", "%u"}]}.

3. Modify /usr/sbin/ejabberdctl: ERLANG_NODE=ejabberd@`hostname`
--> not single quotes but back single quotes around hostname
4. Start ejabberd: /etc/init.d/ejabberd start

Check if ejabberd is running:

$ ejabberdctl status
Node ejabberd@ejabberd1 is started. Status: started
ejabberd is running

Installation and Configuration Other ejabberd Nodes

1. Install ejabberd:
$ apt-get install ejabberd
2. Copy ejabberd.cfg from first node
3. Copy ejabberdctl from first node
4. Copy /var/lib/ejabberd/.erlang.cookie from node 1 to new node.
5. Start ejabberd: /etc/init.d/ejabberd start

Check if ejabberd is running:

$ ejabberdctl status
Node ejabberd@ejabberd2 is started. Status: started
ejabberd is running

Now synchronize the databases is the tricky part. Thanks to this blog it is a piece of cake.
Just perform the steps below to synchronize the database of node 2 with the first node:

1. Start ejabberd in debug mode:
$ ejabberdctl debug
You arrive in an Erlang shell.
2. Enter the following commands:

* FirstNode = 'ejabberd@first', %%where first is the hostname of the first node (!) Make sure that the line ends with a comma, indicating that there are other commands to follow
* mnesia:stop(),
* mnesia:delete_schema([node()]),
* mnesia:start(),
* mnesia:change_config(extra_db_nodes, [FirstNode]),
* mnesia:change_table_copy_type(schema, node(), disc_copies).

3. End the debug session by pressing Ctrl-c, Ctrl-c

Your second node now runs ejabberd with the same database as on the first node.
Repeat this procedure for other ejabberd nodes which must serve the same database.

Web Interface ejabberd
By default there is a webinterface available for ejabberd on http://:5280/admin

Log on with an LDAP user who has been added to the list of Admin users in ejabberd.cfg, login name is in the format user@domain, e.g.

Configuring OpenLDAP on Ubuntu Server

This message shows you how an easy setup of OpenLDAP. I configured this to test a new ejabberd clustering setup using Ubuntu Servers. So I decided why not to integrate OpenLDAP with the ejabberd cluster, which is likely a more useful setup.

Most of the documentation is taken from

Simple Dual-core server 1024 MB RAM, running Ubuntu Server 9.04.
Make sure that you are connected to the Internet and that you are logged on as

Installing the necessary packages:
* Install the following packages:
** slapd: ldap server daemon
** ldap-utils: ldap utilities
** db4.2-util: ?, not sure if this one is necessary

When installing these packages you will be asked for a password for the LDAP
directory administrator, which is not the root password of the server on which
you're installing OpenLDAP.

Reconfigure the LDAP tree:

$ dpkg-reconfigure slapd
Omit OpenLDAP server configuration? ... No
DNS domain name: ...
Name of your organization: ... Whatever & Co
Admin Password: ******
Confirm Password: ******
Do you want your database to be removed when slapd is purged? ... No
Move old database? ... Yes
Allow LDAPv2 Protocol? ... No

Check if ldap works:

$ ldapsearch -x -b dc=example,dc=com

Generate an encrypted password with slappasswd:

$ slappasswd
New password:
Re-enter password:

This example shows what happens when using "secret" for the password, but your
result may vary!

Create the file /etc/ldap/slapd.conf and add the following content:

suffix "dc=example,dc=com"
directory "/var/lib/ldap"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}d2BamRTgBuhC6SxC0vFGWol31ki8iq5m

As root password use the generated password with the slappasswd tool.

Edit the file /etc/ldap/ldap.conf and uncomment the following line:

BASE dc=example,dc=com

Restart the LDAP service:

/etc/init.d/slapd restart

Populating the LDAP Tree
Now that your LDAP directory is ready, you can start populating it. This will
be a 'classical' entry intended to be very compatible with Unix accounts
(posix), directories (like addressbooks), and classical accounts (for web
applications). But really it's just a starting point.

An LDAP directory can be fed with a ldif file ("ldap directory interchange
format" file). Create this file init.ldif somewhere on your system:

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=loboloco,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: loboloco
sn: Loco
givenName: Lobo
cn: Lobo Loco
displayName: Lobo Loco
uidNumber: 1000
gidNumber: 10000
gecos: Lobo Loco
loginShell: /bin/bash
homeDirectory: /home/lobo
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
postalCode: 31000
l: Brussels
o: Example
mobile: +32 (0)3 xxx xx xx
homePhone: +32 (0)475 xxx xxx
title: System Administrator
initials: LL

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
memberUid: loboloco
gidNumber: 10000

dn: cn=example2,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example2
gidNumber: 10001

In the example above, the directory structure, a user and group have been
defined. In other examples you might see the objectClass: top added in every
entry, but that is default behavior so you don't have to add it explicitly.

As with the LDAP root password, these passwords can be generated with
slappasswd using the MD5 or CRYPT hashing scheme. See man slappasswd).

Examples slappasswd:
Generate an SSHA password suitable for use as rootpw (in slapd.conf) or for use in a LDIF file for userPassword or authPassword attributes.

# no options required

# prompts twice for password string and then outputs

# save to a file using normal re-direction
slapppasswd > /tmp/slappassword

# generate {SSHA} encoding of password secret
slappasswd -s secret

# generate {MD5) encoding of password secret
slappasswd -s secret -h {MD5}

To place the output in LDIF or slapd.conf, save to a file and copy, paste to
relevant file if GUI editing tools are being used. If vi is being used,
navigate to location in file where password is to be inserted then use :r
!slappasswd [opts] - this runs the command and inserts stdout into editing file at last cursor position. Alternatively save the output of slappasswd to a file, navigate to insert location in vi and execute :r /path/to/file - inserts file
contents into last cursor location.

When you're done, write and close the file.

Now, add your entries to the LDAP:

stop LDAP daemon: /etc/init.d/slapd stop

delete the content that was automatically added at installation:
rm -rf /var/lib/ldap/*

add the new content: slapadd -l init.ldif

correct permissions on the database:
chown -R openldap:openldap /var/lib/ldap

start LDAP daemon: /etc/init.d/slapd start

Your LDAP Server is up and running.