1. Introduction
1.1. Purpose and Scope
1.2. Required Background
1.3. How to Use This Document
1.4. Conventions Used in this Document
1.5. Further Reading
1.6. Legalese
1.7. Sources
2. Preparation for Jabberd 2
2.1. Gather Required Information
2.2. Create Jabber User and Group
2.3. Create Directories for PID's and Logs
2.4. Install Prerequisites
3. Installing Jabberd 2
3.1. Download Jabberd 2
3.2. Extract Jabberd Installation Files
3.3. Configure the Jabberd Build
3.4. Build Jabberd
3.5. Install Jabberd
3.6. Default File Locations
3.7. Set Ownership of Configuration Files
4. Basic Configuration
4.1. Set Host Name in sm.xml and c2s.xml
4.2. Provision and Configure for Storage and Authentication Package(s)
4.3. Provision and Configure for Berkeley DB
4.4. Provision and Configure for MySQL
4.5. Provision and Configure for PostgreSQL
4.6. Provision and Configure for PAM
4.7. Provision and Configure for OpenLDAP
4.8. Test Server
5. Common Configuration Tasks
5.1. Configuring Firewall for Internet Access
5.2. Configuring Jabberd 2 for SSL Connections
5.3. Changing Router Password
5.4. Creating an Administrative User
5.5. Disabling Public Registration
5.6. Enabling User Password Change
5.7. Setting DNS SRV Records
5.8. Using Jabberd 1.4 to Connect to Legacy Services
5.9. Using JCR to Jabberd 2 Components
5.10. Setting up a JUD Using Users-Agent
5.11. Integrating Users-Agent with vCard Data (private servers only)
6. Common Administrative Tasks
6.1. Starting and Stopping Jabberd 2
6.2. Converting from Jabberd 1.4
6.3. Adding Users
6.4. Removing Users
6.5. Sending MOTD's and Messages to All Online Users
7. Router.xml Configuration
7.1. ID, PID and Logging
7.2. Network
7.3. Input/Output Control
7.4. Aliases
7.5. Feature Access Controls
8. Router-users.xml Configuration
9. Sm.xml Configuration
9.1. Jabberd Identification
9.2. Communication with the Router
9.3. Logging
9.4. Database Connection and Configuration
9.5. Access Control for Administrative Functions
9.6. Modules that Are Called during Sessions
9.7. Static Discovery Settings for Legacy Components
9.8. User Options
10. Resolver.xml Configuration
10.1. PID File
10.2. Communication with the Router
10.3. Logging
11. S2s.xml Configuration
11.1. PID File
11.2. Communication with the Router
11.3. Logging
11.4. Network Configuration
11.5. S2S Connection Checking
12. C2s.xml Configuration
12.1. PID File
12.2. Communication with the Router
12.3. Logging
12.4. Network Configuration
12.5. Input/Output Contro
12.6. Client Authentication and Registration
13. Jabberd 2 Architecture (Draft)
13.1. Jabber Network Architecture
13.2. Jabberd 2 Component Architecture
13.3. Jabberd 2 Module Decomposition
13.4. Jabberd 2 Data Handling
13.5. Jabberd 2 Data Structure (for MySQL)
A.1. Quick Start Guide
A.2. Installing OpenSSL for Jabberd 2
A.3. Installing Berkeley DB for Jabberd 2
A.4. Installing MySQL for Jabberd 2
A.5. Installing Libidn for Jabberd 2
A.6. Generating A Self-Signed SSL Key
A.7. Jabberd for Corporate Use
A.8. Automatic Startup and Shutdown Using an RC Script
A.9. Automatic Startup and Shutdown Using Daemontools
A.10. Using Jabber for Linux System Monitoring
A.10.1. Using the jabber_alert.pl Script
A.10.2. Using the job_mon.sh Script to Monitor Jobs
A.10.3. Using the sys_mon.sh Script to Monitor System Resources
A.10.4. Using the sys_debug.sh script for System Debugging
A.10.5. Using the email_alert.sh Script to Receive Time Sensitive Email
A.10.6. Using Jabber with Mon and Nagios
A.11. Primer on Transports and Jabberd 2
A.12. Troubleshooting Tips for Jabberd 2
A.13. Jabberd 2 FAQ
This document comprises the installation and administrative guide for the Jabberd 2 Server (Jabberd), the latest release of the popular open source messaging system based on the Jabber Protocol. The goal of Jabber is to provide an XML protocol for synchronous and asynchronous communication for client to client, client to server, and server to server messaging, although the primary use for Jabber is instant messaging (IM).
The Jabberd server is the original open-source server implementation of the Jabber protocol, and it remains the most popular software for deploying Jabber either inside a company or as a public IM service. Jeremie Miller initiated the Jabber Project in 1998 as a free and open alternative to proprietary IM services. The Jabberd server continues to be the core of the Jabber Project, and Jabberd 2 is the successor to the widely used Jabberd 1.4 server. Jabberd 2 is based on a completely new code base with a new architecture, additional features and improved adherence to the Jabber protocol.
The creation of a common messaging protocol, now known as XMPP (Extensible Messaging and Presence Protocol), has allowed for the creation of numerous Jabber server implementations in addition to the Jabberd server. Among these are several open source projects, including WP Jabber and ejabberd, as well as several commercial offerings from companies such as i3connect, Jabcast, Tipic and Jabber, Inc.
The authors of this document intend to provide a complete guide for jabberd 2 installation, administration and development:
The intended audience are people who wish to install and/or maintain a jabberd 2 server on Unix, or one of its variants. As such, this document covers jabberd installation on Unix operating systems only.
The authors have made every attempt to make this a step-by-step guide; however, some familiarity with a Unix or Linux operating system is assumed:
It is assumed that the reader has a basic familiarity with using a Jabber client. Additionally, it is assumed that the reader is familiar with hardware and software, such as a firewall, router or modem, that the jabber server will use to connect to the Internet if any such hardware is used. Configuration of these secondary programs and devices is beyond the scope of this guide.
This guide is organized into sections grouped according to intended use by the user:
The Quickstart Guide is designed to get experienced users up and running quickly. Detailed Jabberd 2 installation instructions that begin in Section 2, Preparing to Install Jabberd 2. Sections 5 and 6 list common Configuration and Administration tasks, respectively, while the remaining sections provide detailed configuration information.
This document is provided primarily as an installation guide, and as such, special conventions are used to make installation easier for the user. The conventions below appear throughout the installation sections of this guide:
|
Convention |
Name |
Description |
|---|---|---|
|
P |
Parameter |
Information about your specific setup that you will enter into a configuration file, etc. |
|
C |
Checkpoint |
A point at which to stop and check your setup. |
|
N |
Note |
An informational note. |
|
I |
Important |
An important note or warning. |
|
F |
Required Files |
Software or specific files needed to complete a step or series of steps. |
|
O |
Optional Step |
A step that is not required for the most basic installation. |
|
E |
External System |
A step that may require configuration on an external system, such as a router. |
The most useful of these conventions are "Parameters." Section 2 begins with a list of information about your setup (Parameters) that you will need during the installation steps. You can gather all this information before you start installing Jabberd, and then you can refer back to your list for every step that displays a P.
The installation guide is organized into numbered steps and sub-steps, etc. Users are encouraged to use the guide as a check list. When all of the sub-steps of a step are completed, then the parent step itself is also completed. Note that all children (sub-steps) of an "Optional Step" are optional also. Note that the "Optional Step" designation provides information about the conditions and/or requirements under which the optional step should be performed.
Steps labeled with "External System" provide the user with information about set up that may need to be performed on a system external to jabberd. These systems include routers, firewalls, DNS servers, etc. "External System" notes are intended to be informational rather than comprehensive. The remaining conventions are self-explanatory.
Note that each command listed in this guide refers to a command entered at a command prompt or at a command prompt shell, such as X-term or E-term. Note also that in this document, the term "Jabberd" refers to the Jabberd 2 server, except where noted. The term "Jabber" refers to Jabber-based system or systems, and "XMPP" refers to the protocol over which Jabber systems run.
This document was created using Structured Text. Structured Text uses standard text formatting conventions, such as underscores, to represent formatted text. Efforts have been made to keep the text and HTML representations close. One exception is the use of a bang character ("!") in the text version to escape unwanted formatting in the HTML version. "Bangs" appear at the beginning of some lines in the text version, and these can be ignored. They do not appear in the HTML version.
Visit the Jabber Software Foundation for the latest news about jabberd 2, jabber clients, and the Jabber Protocol. The Jabber Faq answers basic questions about Jabber. Readers are encouraged to visit the Jadmin Archive for questions about jabber administration, or subscribe to the Jadmin Mailing List for the most up to date jabberd administration information. Jabberd 2 development information can be found in the Jabberd Archive or by subscribing to the Jabberd List.
There are also several good books about Jabber. Note that books below detail jabberd 1.4 only as of this writing in 2003:
The Jabber Installation and Administration Guide is copyright (c) 2003 by Will Kamishlian and Robert Norris.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Robert Norris, who is the primary Jabberd 2 developer, and the posters on the Jabberd List provided technical information for this document.
This section will prepare you and your system to install Jabberd 2:
The table in Section 2.1. lists information required for Jabberd 2 installation. Collecting this information at this point is optional; however, completing this table now will make installation easier.
The table below lists information that will be required during the installation process. Information is provided for each parameter below:
"Parameter" is the name of the piece of information. Throughout this guide, specific parameters are referenced with the P convention. "Required is either "Y" (yes), "N" (no), or Option Name. Option Name refers to the option for which the parameter is necessary. Some entries have suggested entries for "Your Information." These entries represent either limited choices or default values. Where default values are given, they are used in the examples in this guide.
For a minimal installation, complete all the required parameters. For more information about the conditions under which an optional parameter is required, see the referenced section. "Description" is a short description. Again, see the referenced section for more detailed information.
Table 2.1. Required Information for Jabberd 2 Installation
|
Parameter |
Required |
Section(s) |
Description |
Your Information |
|---|---|---|---|---|
|
Jabberd User and Group |
Y |
2.2 |
The Linux (or other OS) user and group that will be used to run Jabberd |
user: jabber group: jabber |
|
PID Directory |
Y |
2.3 |
Directory in which Jabberd stores PID Files |
/usr/local/var/jabberd/pid |
|
Log Directory |
N |
2.3 |
Directory for Jabberd logs. If not specified in configuration files, logging defaults to syslog. |
/usr/local/var/jabberd/log |
|
Authentication Package |
Y |
2.4.3 3.3, |
Third party package to be used for Jabberd authentication management |
MySQL, PostgreSQL, Berkeley DB, OpenLDAP or PAM |
|
Data Storage Package |
Y |
2.4.4 4.3 |
Third party package to be used for storage of Jabberd data |
MySQL, PostgreSQL or Berkeley DB |
|
Data Directory |
Berkeley DB |
4.1.1, 4.2.1, |
Directory for Berkeley DB data files |
/usr/local/var/jabberd/db |
|
MySQL User and Password |
MySQL |
3.5.2.2, 4.1.2, 4.2.2, |
MySQL user and password that Jabberd uses to connect to MySQL |
user: jabberd2 password: secret |
|
PostgreSQL User and Password |
PostgreSQL |
3.5.3.1, 1 3, 4.2.3, |
PostgreSQL user and password that Jabberd uses to connect to PostgreSQL |
user: jabberd2 password: secret |
|
OpenLDAP Connection Settings |
OpenLDAP |
2 5 |
Connection settings for your OpenLDAP server: FQDN for LDAP server (or IP), port, and LDAP version used (either v2 or v3) |
|
|
OpenLDAP User and Password |
OpenLDAP |
4.2.5 |
User and password needed to connect to your OpenLDAP server. Required only if your OpenLDAP server does not permit anonymous binding (access) |
|
|
OpenLDAP Query Settings |
OpenLDAP |
4.2.5 |
Base DN (distinguished name) and User ID attribute used to build queries for the OpenLDAP server. Base DN can be either the server root DN or an RDN (relative distinguished name) under which User ID's are found. |
|
|
Hostname |
Y |
4.4 |
Hostname on which your Jabberd server is to be installed. For Internet accessible servers, this would be something like |
|
|
SSL Key Location |
N |
5.3.1, 5.3.2 |
Location of OpenSSL pemfile. Required for SSL-encrypted communication |
/usr/local/etc/jabberd/server.pem |
|
Router User and Password |
N |
5.4 |
User and password used for component connections with the Jabberd Router component |
user: jabberd2 password: secret |
You should create a jabber user and group to run the server:
su
groupadd jabber
useradd -g jabber jabber
You should create a directory for Jabberd to store its PID and log files, and ownership of these directories should be set to the user created above.
su
mkdir -p /usr/local/var/jabberd/pid/
chown -R jabber:jabber /usr/local/var/jabberd/pid/
The above directory is the default location for Jabberd PID files.
You may also choose to create a directory for Jabberd logs.
mkdir -p /usr/local/var/jabberd/log/
chown -R jabber:jabber /usr/local/var/jabberd/log
syslog by default. In order to force Jabberd to write its logs to the directory above, the component XML files must be edited to specifiy the directory created above.
Jabberd 2 has four prerequisites:
Technically, Jabberd 2 can be installed without OpenSSL or Libidn; however, it is strongly recommended that these packages be installed prior to installing Jabberd. Jabberd 2 also requires data packages for application and authentication; however, a single package, such as MySQL, can be used to satisfy requirements for both data storage and authentication.
OpenSSL provides encrypted client to server and server to server communication for Jabber. The XMPP Protocol requires that Jabber servers support TLS (Transport Security Layer). TLS is the successor to SSL.
See the OpenSSL site for more information. OpenSSL downloads can be found on the OpenSSL Source page. Instructions for installing OpenSSL for Jabberd 2 are included in the appendix to this guide. See Installing OpenSSL for Jabberd 2.
Libidn provides necessary string manipulation functionality for Jabberd 2. Prior to Jabberd 2 stable 3, libidn was included with the Jabberd 2 distribution; however, a licensing conflict makes it necessary that libidn be installed separately.
See the Libidn site for more information. Libidn downloads can be found on the Libidn Source page. Instructions for installing libidn are included in the appendix to this guide. See Installing Libidn for Jabberd 2.
Jabberd 2 has better database integration than was previously supported, and Jabberd 2 can use one of three free databases to provide data storage:
MySQL is the recommended and default data store. A file may be used for storing Jabberd 2 data; however, this is not recommended.
If you have one of these databases installed, you may configure it to work with Jabberd. Otherwise, you should choose one of these databases and install it prior to continuing with Jabberd installation. MySQL is the recommended database; however, Berkeley DB requires the least installation and administration effort. Thus, Berkeley DB may be ideal for an installation with a relatively small number of users.
Appendices to this document contain instructions for installing either MySQL or Berkeley DB for Jabberd 2. See Installing Berkeley DB for Jabberd 2 or Installing MySQL for Jabberd 2.
Jabberd 2 can use one of five free third-party authentication data packages to handle user authentication:
Note that the three supported application data packages can also be used to manage authentication information. Therefore, installing one of MySQL, Berkeley DB or PostgreSQL satisfies both Jabberd data package requirements. A file may be used to store authentication data; however, this is not recommended. The recommended and default package is MySQL.
If you have one of the above five authentication data packages installed, you may configure it for use with Jabberd 2. If not, you should install one or more of the above five packages.
Appendices to this document contain instructions for installing either MySQL or Berkeley DB for Jabberd 2. See Installing Berkeley DB for Jabberd 2 or Installing MySQL for Jabberd 2.
This section describes how to build and install Jabberd 2.
jabberd-2.0sn.tar.gz from the Jabber Studio, where "n" is the latest stable version of Jabberd 2.
Download the file referenced above into a directory in /home for building the installation files. At the time of writing, Jabberd 2 stable release 3 is the latest version and is used in the examples below.
Change to the directory where you downloaded the file above and then extract the Jabberd 2 files by running the command:
tar -zxvf jabberd-2.0s3.tar.gz
|| TODO: Try to rewrite config instructions to make them clearer. Maybe push some of the special configurations to the FAQ ||
Change to the directory created above:
cd jabberd-2.0s3
./configure --help
This will provide a listing and syntax for setting configuration options. For example, you may choose to install Jabberd into a specific directory by using the --prefix=PREFIX option. By providing a PREFIX path, all Jabberd files will be installed under this directory. This may be useful if you are testing a new Jabberd installation. Another useful option is --enable-debug. This option allows Jabberd to provide detailed debugging information; however, it should be used carefully on production systems.
configuration script. The information below pertains to Jabberd 2 stable 3 and above.
configure may build Jabberd 2 without them if their libraries and headers are not found when configure us run.
--enable- option. Options are --enable-mysql, --enable-pgsql, --enable-db, --enable-pam or --enable-ldap. Although --enable-mysql is the default, it is recommended that this be specified if MySQL is to be used. For example, this command would be used to enable MySQL as the authentication and storage package without debugging support:
./configure --enable-mysql --enable-ssl --enable-idn
The following command would be used to configure Jabberd to use Berkeley DB for both storage and authentication and to enable debugging:
./configure --enable-db --enable-debug --enable-ssl --enable-idn
If your one of the Jabberd prerequisites is installed in a nonstandard location, you will need to specify this location when you run configure. Specify alternate header paths with the --with-extra-include-path option and alternate library paths with the -with-extra-library-path option. Multiple paths, separated by a colon, may be specified. For example, if OpenSSL and MySQL were installed under /usr/local, you might configure with the command:
./configure --enable-pgsql --enable-ssl --enable-idn \
--with extra-include-path=/usr/local/include:/usr/local/include/mysql \
--with-extra-library-path=/usr/local/lib:/usr/local/lib/mysql
./configure --help if in doubt.
If you wish to use the default configuration, simply run the configuration command:
./configure
This will configure Jabberd to use MySQL and to install to /usr/local. If you receive errors, you may wish to check the FAQ where you will find several system-specific work arounds.
Build Jabberd by running the command:
make
Switch to the super-user:
su
Run make install:
make install
Your Jabberd 2 installation is complete. Below is a listing of file locations for the default installation:
/usr/local/etc/jabberd Jabberd Configuration Files
/usr/local/bin Jabberd Binaries (jabberd, c2s, resolver, router, s2s, sm)
Jabberd configuration files contain passwords; therefore, you should set ownership and permissions on these files so that they are only readable by your jabber user and writable by root only. Using the location of your configuration files and your jabber user, set ownership of these files:
chown -R root:jabber /usr/local/etc/jabberd/*
Then, set permissions on these files so that others can neither read from- or write to them:
chmod -R 640 /usr/local/etc/jabberd/*
Now, only your jabber user and super-user will be able to read and edit your configuration files.
/etc for the configuration files. This will make it easier to find and edit them:
ln -s /usr/local/etc/jabberd/ /etc/jabberd
Jabberd 2 is now installed. Continue to the next section to being configuring your installation.
This section provides a quick road map for the most basic configuration and testing of your Jabberd 2 installation. Basic setup for Jabberd 2 consists of these three steps:
Jabberd 2 is configured via its six XML files. For default installations, these configuration files can be found in /usr/local/etc/jabberd/, and they are accessible from /etc/jabberd if you created the symlink for this directory. Note that this section is easier to complete if you gather the required information in Section 2 beforehand.
sm.xml and c2s.xml
The first step in basic configuration consists of setting the hostname in sm.xml and c2s.xml.
c2s.xml and sm.xml so that the ID provides a network resolvable reference for your server. In c2s.xml this ID is found under the heading labeled Local network configuration (approx. line 63), and in sm.xml this ID is found under Session manager configuration (line 1). Edit sm.xml and c2s.xml so that this ID references your server.
In sm.xml :
<!-- Session manager configuration -->
<sm>
<!-- Our ID on the network. Users will have this as the domain part of
their JID. If you want your server to be accessible from other
Jabber servers, this ID must be resolvable by DNS.s
(default: localhost) -->
<id>somemachine.somedomain.com</id>
In c2s.xml :
<!-- Local network configuration -->
<local>
<!-- Who we identify ourselves as. This should correspond to the
ID (host) that the session manager thinks it is. You can
specify more than one to support virtual hosts, as long as you
have additional session manager instances on the network to
handle those hosts. The realm attribute specifies the auth/reg
or SASL authentication realm for the host. If the attribute is
not specified, the realm will be selected by the SASL
mechanism, or will be the same as the ID itself. Be aware that
users are assigned to a realm, not a host, so two hosts in the
same realm will have the same users.
If no realm is specified, it will be set to be the same as the
ID. -->
<id>somemachine.somedomain.com</id>
As the c2s.xml file notes, this is the hostname that will be appended to your user names to create Jabber ID's, and it must be resolvable via DNS for Jabberd to be accessible via the Internet.
somedomain.com) for your Jabberd 2 network ID if your DNS is configured properly to resolve that ID to your server. See Section 5.7. for information about setting up DNS SRV records for Jabberd 2.
Getting Jabberd 2 to work with your choice of external storage and authentication packages involves these steps:
sm.xml for your choice of storage package
c2s.xml for your choice of authentication package
Most Jabberd 2 installations rely on a single package, such as MySQL, to provide both storage and authentication services. If your installation relies on a single package, you will need to configure this package for Jabberd 2 and then enter similar connection details in both sm.xml and c2s.xml.
Start by jumping to your selection of external storage package:
You will then be guided to continue on to provision (if necessary) and configure your authentication package. Once your external packages are prepared, and Jabberd is configured to use them, you will guided to Server Testing.
Berkeley DB provides the easiest means to getting your Jabberd 2 server up and running quickly. Jabberd 2 requires a minimum version of 4.1.24 or higher.
Complete this section if you are using Berkeley DB for storage and/or authorization. Provisioning your system to use Berkeley DB is quite simple. Berkeley DB only needs a directory in which to store data files, and this directory should be owned by the jabber user and group.
mkdir -p /usr/local/var/jabberd/db
chown -R jabber:jabber /usr/local/var/jabberd
Berkeley DB is now ready to be used with Jabberd.
sm.xml)
Complete this section if you are using Berkeley DB for storage. Jabberd 2 requires minimal configuration to use Berkeley DB for backend storage. Simply set the driver to use and specify the location for the database.
In sm.xml under the section labeled Storage database configuration, edit the driver to use db (Berkeley DB):
<!-- Storage database configuration -->
<storage>
<!-- By default, we use the MySQL driver for all storage -->
<driver>db</driver>
sm.xml under the section labeled Berkeley DB driver configuration, set the path (created in section 4.3.1. above) for your database:
<!-- Berkeley DB driver configuration -->
<db>
<!-- Directory to store database files under -->
<path>/usr/local/var/jabberd/db</path>
<!-- Synchronize the database to disk after each write. If you
disable this, database accesses may be faster, but data may
be lost if jabberd crashes. -->
<sync/>
</db>
Jabberd 2 is now configured to use Berkeley DB for storage.
If you wish to use an authentication package other than Berkeley DB, jump to your selection of authentication package:
Otherwise, continue on to 4.3.3. directly below to finish your Jabberd 2 configuration.
c2s.xml)
Complete this section if you are using Berkeley DB for authentication. Jabberd 2 authentication configuration for Berkeley DB is the same as above, except that the information is contained in c2s.xml.
In c2s.xml under the section labeled Authentication/registration database configuration, edit the module to use db (Berkeley DB):
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>db</module>
c2s.xml under the section labeled Berkeley DB module configuration, set the path (created in section 4.3.1. above) for your database:
<!-- Berkeley DB module configuration -->
<db>
<!-- Directory to store database files under -->
<path>/usr/local/var/jabberd/db</path>
<!-- Synchronize the database to disk after each write. If you
disable this, database accesses may be faster, but data may
be lost if jabberd crashes. -->
<sync/>
</db>
Your Jabberd 2 configuration for storage and authentication is now complete. Jump to Test Server to begin testing your server before moving on other configuration tasks, such as configuring SSL, in Section 5.
MySQL is the default Jabberd 2 package for storage and authentication.
Complete this section if you are using MySQL for storage and/or authorization. In order to set up MySQL for Jabberd, you must run the setup script included in the Jabberd 2 distribution. After the script is run, you should create a user and then grant that user access to the database.
First, run the MySQL setup script. This script is located in '[Jabberd Source Files]/tools'. Switch to the tools directory and start the MySQL console (the MySQL server should already be running). Then, run the db-setup.mysql script from the MySQL console:
mysql -u root -p
mysql>\. db-setup.mysql
Now that a database for Jabberd exists in the MySQL data directory, create a MySQL user that Jabberd can use to connect to the MySQL server.
secret with the password you have chosen for your Jabberd MySQL user:
GRANT select,insert,delete,update ON jabberd2.*
to jabberd2@localhost IDENTIFIED by 'secret';
Note that the password secret is the default password used in the Jabberd configuration files for MySQL.
MySQL is now ready to be used with Jabberd.
/tmp/mysql.sock. The default socket when installing MySQL from source is /var/lib/mysql/mysql.sock. You will need to create a symlink to /tmp/mysql.sock if it does not exist:
ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock
If you are unsure as to where your MySQL server socket is, consult your MySQL configuration file (usually located in /etc/my.cnf or /etc/mysql/my.cnf).
sm.xml)
Complete this section if you are using MySQL for storage. Most installations using MySQL for storage will require only the setting of the driver, user and password.
In sm.xml under the section labeled Storage database configuration, make sure that the driver is to use mysql. (The driver should be set to mysql by default.):
<!-- Storage database configuration -->
<storage>
<!-- By default, we use the MySQL driver for all storage -->
<driver>mysql</driver>
sm.xml under the section labeled MySQL driver configuration, replace secret with your MySQL password. Change the user if you are not using the default user (jabberd2):
<!-- MySQL driver configuration -->
<mysql>
<!-- Database server host and port -->
<host>localhost</host>
<port>3306</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
<!-- Transaction support. If this is commented out, transactions
will be disabled. This might make database accesses faster,
but data may be lost if jabberd crashes.
This will need to be disabled if you are using a MySQL
earlier than v3.23.xx, as transaction support did not appear
until this version. -->
<transactions/>
</mysql>
Note that you should change the host setting only if your MySQL server is running on a different host. You should change the port setting only if your MySQL server is running on a non-standard port (port 3306 is the default for MySQL installations). The transaction support section is self-explanatory.
Jabberd 2 is now configured to use MySQL for storage.
If you wish to use an authentication package other than MySQL, jump to your selection of authentication package:
Otherwise, continue on to 4.4.3. directly below to finish your Jabberd 2 configuration.
c2s.xml)
Complete this section if you are using MySQL for authentication. Jabberd 2 authentication configuration for MySQL is the same as above, except that the information is contained in c2s.xml.
c2s.xml under the section labeled Authentication/registration database configuration, make sure that the driver is to use mysql. (The driver should be set to mysql by default.):
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>mysql</module>
c2s.xml under the section labeled MySQL module configuration, replace secret with your MySQL password. Change the user if you are not using the default user (jabberd2):
<!-- MySQL module configuration -->
<mysql>
<!-- Database server host and port -->
<host>localhost</host>
<port>3306</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
</mysql>
Note that you should change the host setting only if your MySQL server is running on a different host. You should change the port setting only if your MySQL server is running on a non-standard port (port 3306 is the default for MySQL installations).
Your Jabberd 2 configuration for storage and authentication is now complete. Jump to Test Server to begin testing your server before moving on other configuration tasks, such as configuring SSL, in Section 5.
PostgreSQL, like MySQL provides a very manageable backend for storage and authentication. Unlike MySQL, PostgreSQL provides better unicode support.
Complete this section if you are using PostgreSQL for storage and/or authorization. In order to set up PostgreSQL for Jabberd, you must create a database, create a PostgreSQL user and then run the PostgreSQL script included in the Jabberd 2 distribution.
Create the database for Jabberd. (The PostgreSQL server should already be running):
createdb -U postgres jabberd2
The command above will create a database from which you will be able to run the script for setting up the Jabberd PostgreSQL database.
createdb -U postgres -E UNICODE jabberd2
Now that your database is created, create a PostgreSQL user for the database.
createuser -P -U postgres jabberd2
This command will initiate an interactive user creation script. When prompted, enter the password that Jabberd will use to connect to your PostgreSQL database:
Enter password for user "jabberd2":
Enter it again:
Shall the new user be allowed to create databases? (y/n) n
Shall the new user be allowed to create more new users? (y/n) n
CREATE USER
The CREATE USER statement indicates that the command was successful.
After your jabberd user is created, you are ready to run the the PostgreSQL setup script. This script is located in '[Jabberd Source Files]/tools'. Switch to the tools directory and start the PostgreSQL console as the jabberd2 user:
psql -U jabberd2 jabberd2
Then, run the db-setup.pgsql script from the PostgreSQL console:
jabberd2=>\i db-setup.pgsql
PostgreSQL is now ready to be used with Jabberd 2.
sm.xml)
Complete this section if you are using PostgreSQL for storage. Most installations using PostgreSQL for storage will require only the setting of the driver, user and password.
In sm.xml under the section labeled Storage database configuration, edit the driver to use pgsql (PostgreSQL):
<!-- Storage database configuration -->
<storage>
<!-- By default, we use the MySQL driver for all storage -->
<driver>pgsql</driver>
sm.xml under the section labeled PostgreSQL driver configuration, replace secret with your PostgreSQL password. Change the user if you are not using the default user (jabberd2):
<!-- PostgreSQL driver configuration -->
<pgsql>
<!-- Database server host and port -->
<host>localhost</host>
<port>5432</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
<!-- Transaction support. If this is commented out, transactions
will be disabled. This might make database accesses faster,
but data may be lost if jabberd crashes. -->
<transactions/>
</pgsql>
Note that you should change the host setting only if your PostgreSQL server is running on a different host. You should change the port setting only if your PostgreSQL server is running on a non-standard port (port 5432 is the default for PostgreSQL installations). The transaction support section is self-explanatory.
Jabberd 2 is now configured to use PostgreSQL for storage.
If you wish to use an authentication package other than PostgreSQL, jump to your selection of authentication package:
Otherwise, continue on to 4.5.3. directly below to finish your Jabberd 2 configuration.
c2s.xml)
Complete this section if you are using PostgreSQL for authentication. Jabberd 2 authentication configuration for PostgreSQL is the same as above, except that the information is contained in c2s.xml.
In c2s.xml under the section labeled Authentication/registration database configuration, edit the module to use pgsql (PostgreSQL):
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>pgsql</module>
c2s.xml under the section labeled PostgreSQL module configuration, replace secret with your PostgreSQL password. Change the user if you are not using the default user (jabberd2):
<!-- PostgreSQL module configuration -->
<pgsql>
<!-- Database server host and port -->
<host>localhost</host>
<port>5432</port>
<!-- Database name -->
<dbname>jabberd2</dbname>
<!-- Database username and password -->
<user>jabberd2</user>
<pass>secret</pass>
</pgsql>
Note that you should change the host setting only if your PostgreSQL server is running on a different host. You should change the port setting only if your PostgreSQL server is running on a non-standard port (port 5432 is the default for PostgreSQL installations).
Your Jabberd 2 configuration for storage and authentication is now complete. Jump to Test Server to begin testing your server before moving on other configuration tasks, such as configuring SSL, in Section 5.
PAM (Pluggable Authentication Modules for Linux) provides built in authentication support for Jabberd 2.
Complete this section if you are using PAM for authorization. Authentication via PAM requires a valid PAM configuration file named jabberd. For many systems, this configuration file should be located under /etc/pam.d. Creation of Jabberd PAM configuration file is beyond the scope of this guide; however, a shortcut may be used to create this configuration file. Copy the system-auth configuration file to jabberd (as root):
cp /etc/pam.d/system-auth /etc/pam.d/jabberd
This will create a PAM configuration file that can be used by Jabberd2.
/etc/shadow file. Thus, Jabberd2 must be run as root, or the jabberd user must be granted read permissions for this file. Running the Jabberd2 server as root is not recommended.
jabberd PAM configuration file as below:
auth required pam_winbind.so
password required pam_winbind.so
account required pam_winbind.so
session required pam_winbind.so
PAM is now ready to be used with Jabberd 2. Continue on to begin configuring Jabberd 2 to authenticate against PAM.
c2s.xml)
Complete this section if you are using PAM for authentication. Jabberd requires little configuration to use PAM.
In c2s.xml under the section labeled Authentication/registration database configuration, edit the module to use pam:
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>pam</module>
Users cannot create their own accounts when using PAM for authentication. Therefore, public account registration should be disabled, while auto-create should be enabled so that the session manager can create accounts the first time users log on.
In c2s.xml, look for the Registration configuration subsection under the Authentication/registration database configuration section. Commenting the enable tag as below will disable public registration:
<!-- Registration configuration -->
<register>
<!-- Account registration is enabled by default (provided the
auth/reg module in use supports it). Comment this out to
disable. -->
<!-- <enable/> -->
In sm.xml under the section labeled User options (near the bottom of the file), uncomment the auto-create tag as below so that the session manager will create a new Jabberd2 account the first time a user logs on:
<!-- User options -->
<user>
<!-- By default, users must explicitly created before they can start
a session. The creation process is usually triggered by a c2s
component in response to a client registering a new user.
Enableing this option will make it so that a user create will be
triggered the first time a non-existant user attempts to start
a session. This is useful if you already have users in an
external authentication database (eg LDAP) and you don't want
them to have to register. -->
<auto-create/>
Your Jabberd 2 configuration for storage and authentication is now complete (provided that you have provisioned and configured for a storage package). Jump to Test Server to begin testing your server before moving on other configuration tasks, such as configuring SSL, in Section 5.
|| TODO: note that PAM should use SSL/TLS ||
OpenLDAP provides authentication support that is distributable across platforms and geography. Jabberd 2 requires a minimum version of OpenLDAP 2.1.0.
Complete this section if you are using OpenLDAP authorization. Your OpenLDAP installation should not require special configuration for Jabberd 2; however, at the time of writing (Jabberd 2 stable release 3), there is an important issue regarding Jabberd connection with OpenLDAP v3 servers. Jabberd 2 currently uses v2 syntax. By default, OpenLDAP v3 servers require v3 syntax.
There is a workaround for this issue. Add the following statement to your slapd.conf file, and restart your slapd daemon:
allow bind_v2
This statement will allow your Jabberd 2 server to connect to your OpenLDAP v3 server.
c2s.xml)
Complete this section if you are using OpenLDAP for authentication. OpenLDAP configuration is more detailed because configuration requires host and connection settings in addition to query settings.
In c2s.xml under the section labeled Authentication/registration database configuration, edit the driver to use ldap (OpenLDAP):
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>ldap<module>
LDAP module configuration in c2s.xml deals with the settings required to connect to your OpenLDAP server. The host must either be a hostname resolvable by the server or the IP address of the OpenLDAP server. Port 389 is the default port for OpenLDAP servers, so in most cases, port should be left as is. The v3 tag specifies whether your OpenLDAP server is v3. Uncomment this tag if it is. Leave the v3 tag commented for OpenLDAP v2 servers. Lastly, uncomment either the starttls or ssl tag if your server supports encryption (see notes below):
<!-- LDAP module configuration -->
<ldap>
<!-- LDAP server host and port (default: 389) -->
<host>ldap.example.com</host>
<port>389</port>
<!-- Use LDAP v3 if possible. If disabled, v2 will be used.
Encryption options are only available if v3 is enabled. -->
<!--
<v3/>
-->
<!-- Encryption. If enabled, this will create an encrypted channel
to the LDAP server using the LDAP STARTTLS mechanism. -->
<!--
<starttls/>
-->
<!-- Encryption. If enabled, this will create an encrypted channel
to the server using the old-style "ldaps://" mechanism. It is
recommended that you use <starttls/> instead of this. -->
<!--
<ssl/>
-->
|| TODO: note that PAM should use SSL/TLS ||
v3 and starttls tags. On the other hand, the author has not had success using SSL encryption between Jabberd 2 and OpenLDAP. To set up SSL, you should specify the OpenLDAP SSL hostname (if different from the non-SSL hostname). This is often something like ldaps.example.com. More importantly, you should specify the SSL port. The standard SSL port (LDAPS) for OpenLDAP is 636. Lastly, you should uncomment the ssl tag.
binddn is the full RDN (relative distinguished name) for the user. This may be something like cn=admin,ou=people,dc=example,dc=com :
<!-- DN to bind as for searches. If unspecified, the searches
will be done anonymously. -->
<!--
<binddn>cn=Directory Manager</binddn>
<bindpw>secret</bindpw>
-->
uidattr tags. This ID should be the attribute by which your users are uniquely identified under the specified base DN (distinguished name). In other words, when querying against the specified base DN, the specified uidattr should uniquely identify each user. The basedn attribute specifies the base against which queries are run. This can be the topmost DN of the OpenLDAP server, such as dc=example,dc=com or it can be an RDN below which the user entries are found, such as ou=people,ou=sales,dc=example,dc=com. Using a lower level RDN is likely to speed OpenLDAP queries. Lastly, if your configuration requires multiple realms, you can specify a base DN for each by using the realm attribute of the basedn tag. Note that if you are not using multiple realms, you need only to specify a single basedn without the realm attribute:
<!-- LDAP attribute that holds the user ID (default: uid) -->
<uidattr>uid</uidattr>
<!-- base DN of the tree. You should specify a DN for each
authentication realm declared in the <local/> section above,
by using the realm attribute. -->
<basedn realm='company'>o=Company.com</basedn>
<basedn>o=Example Corp.</basedn>
</ldap>
Below is an obfuscated view of the author's working OpenLDAP configuration:
<!-- LDAP module configuration -->
<ldap>
<!-- LDAP server host and port (default: 389) -->
<host>ldap.mydomain.org</host>
<port>389</port>
<!-- Use LDAP v3 if possible. If disabled, v2 will be used.
Encryption options are only available if v3 is enabled. -->
<v3/>
<!-- Encryption. If enabled, this will create an encrypted channel
to the LDAP server using the LDAP STARTTLS mechanism. -->
<starttls/>
<!-- Encryption. If enabled, this will create an encrypted channel
to the server using the old-style "ldaps://" mechanism. It is
recommended that you use <starttls/> instead of this. -->
<!--
<ssl/>
-->
<!-- DN to bind as for searches. If unspecified, the searches
will be done anonymously. -->
<!--
<binddn>cn=admin,dc=mydomain,dc=org</binddn>
<bindpw>snip</bindpw>
-->
<!-- LDAP attribute that holds the user ID (default: uid) -->
<uidattr>uid</uidattr>
<!-- base DN of the tree. You should specify a DN for each
authentication realm declared in the <local/> section above,
by using the realm attribute. -->
<basedn>ou=people,ou=design,dc=mydomain,dc=org</basedn>
</ldap>
Users cannot create their own accounts when using OpenLDAP for authentication. Therefore, public account registration should be disabled, while auto-create should be enabled so that the session manager can create accounts the first time users log on.
In c2s.xml, look for the Registration configuration subsection under the Authentication/registration database configuration section. Commenting the enable tag as below will disable public registration:
<!-- Registration configuration -->
<register>
<!-- Account registration is enabled by default (provided the
auth/reg module in use supports it). Comment this out to
disable. -->
<!-- <enable/> -->
In sm.xml under the section labeled User options (near the bottom of the file), uncomment the auto-create tag as below so that the session manager will create a new Jabberd2 account the first time a user logs on:
<!-- User options -->
<user>
<!-- By default, users must explicitly created before they can start
a session. The creation process is usually triggered by a c2s
component in response to a client registering a new user.
Enableing this option will make it so that a user create will be
triggered the first time a non-existant user attempts to start
a session. This is useful if you already have users in an
external authentication database (eg LDAP) and you don't want
them to have to register. -->
<auto-create/>
Your Jabberd 2 configuration for storage and authentication is now complete (provided that you have provisioned and configured for a storage package). Jump to the next section, Test Server, to begin testing your server before moving on other configuration tasks, such as configuring SSL, in Section 5.
After setting the hostname, provisioning external package(s), and configuring Jabberd to use your external package(s), your server is ready for testing.
su
su jabber
cd /usr/local/bin
./jabberd
jabberd, router, resolver, sm, s2s and c2s). Note that your jabber user (if created according to section 2.) may not have default PATH's; therefore, you should cd to the /usr/local/bin directory and run jabberd as above. Check that your chosen data package servers are running (except Berkeley DB, which does not require starting). Check your syslog for error messages. If your server fails to start, you can start Jabberd 2 with the debug option (note that this requires building Jabberd 2 with the debug option — see Section 3.3):
/usr/local/bin/jabberd -D
sm.xml in Section 4.1, and try to connect to your server.
id is set properly and that the machine name is resolvable via DNS.
Your Jabberd 2 server is now ready to use. Continue to Common Configuration Tasks detailed configuration options, such as enabling SSL connections.
Before delving into detailed Jabberd configuration, this section attempts to provide a guide for the most common Jabberd configuration tasks:
Note that there are two options for connecting Jabberd 1.4 legacy services to your Jabberd 2 installation. Jabberd 2 can connect to services, such as conferencing and gateways, running within a Jabberd 1.4 process. Additionally, a component wrapper called JCR has been released, and this wrapper allows a Jabber 1.4 component (written in C) to be compiled and run as Jabberd 2 service. At the time of writing, JCR has been tested with MU Conferencing only.
Although firewall configuration is beyond the scope of this guide, administrators should be aware of the TCP ports that need to be enabled for Internet access:
TCP ports should be enabled as above and according to your configuration if your Jabberd 2 installation is to access the Internet.
Jabberd 2 is designed to provide for STARTTLS and SSL connections not only between Jabber clients and the server, but also between the Jabberd server components (sm, resolver, s2s and c2s) and the Jabberd router. A single SSL certificate may be used for these two functions (Jabber client to Jabberd and Jabberd component to router), or two separate keys may be used. See the appendix, Generating a Self-Signed SSL Certificate for instructions about how to create your own self-signed certificate for use by Jabberd 2.
router, sm, resolver, s2s and c2s).
The SSL key for Jabber clients is located in c2s.xml. Note that c2s.xml contains the location of the SSL key used by Jabber clients in addition to the location of the SSL key used for c2s to router communications.
pemfile (your SSL key) location under the section labeled Local network configuration, and edit it for the location of your SSL key. Note that if your PEM file is in the default location of /usr/local/etc/jabberd/server.pem, you need only uncomment this section as below:
<!-- File containing a SSL certificate and private key for client
connections. If this is commented out, clients will not be
offered the STARTTLS stream extension -->
<pemfile>/usr/local/etc/jabberd/server.pem</pemfile>
The change above will enable STARTTLS on port 5222. Older Jabber clients use port 5223 for SSL enabled communications. If you wish to support SSL on port 5223, uncomment the ssl-port tags:
<ssl-port>5223</ssl-port>
Your server is now ready for STARTTLS/SSL connections. You need only restart the C2S component for the SSL change to take effect.
require-starttls tag as below:
<!-- Require STARTTLS. If this is enabled, clients must do STARTTLS
before they can authenticate. Until the stream is encrypted,
all packets will be dropped. -->
<require-starttls/>
Each of the five Jabberd components has its own configuration for encrypted component-to-router communications. Thus, these five configuration files must be edited to provide secure communication among Jabberd components:
router.xml
sm.xml
resolver.xml
s2s.xml
c2s.xml
pemfile tag for router communications. In the router.xml file, the pemfile is specified under the section labeled Local network configuration. In each of the the remaining four configuration files above, the pemfile location is specified under the section labeled Router connection configuration. Uncomment this section and edit it to point to the location of your SSL key. For example, you would edit c2s.xml as below if you are using the default location for your SSL key:
<!-- Router connection configuration -->
<router>
<!-- IP/port the router is waiting for connections on -->
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
<port>5347</port> <!-- default: 5347 -->
<!-- Username/password to authenticate as -->
<user>jabberd</user> <!-- default: jabberd -->
<pass>secret</pass> <!-- default: secret -->
<!-- File containing a SSL certificate and private key to use when
setting up an encrypted channel with the router. If this is
commented out, or the file can't be read, no attempt will be
made to establish an encrypted channel with the router. -->
<pemfile>/usr/local/etc/jabberd/server.pem</pemfile>
Restart your Jabberd server for the change to take effect.
|| TODO: change infor about disabling non-ssl comms. Add info about requiring TLS ||
The Jabberd configuration files contain passwords used to connect to the router component because communications between components and the router occur by XML over TCP/IP. These passwords help to ensure that only your installed components can communicate with the router. The configuration file, router-users.xml, contains ID's and password(s) for components that are allowed to connect to the router. By default, the ID is jabberd and the password is secret.
Additionally, each of the components (except the router) has a user ID and password specified in its configuration file. This is the ID and password combination that the respective component uses to connect with the router. Thus, for a component to be able to connect to the router, the component must have a user and password pair specified in its configuration file, and that pair must match an ID and password pair in router-users.xml.
To improve security for your Jabberd installation, you should change the password. This involves changing the password in router-users.xml and then in sm.xml, resolver.xml, s2s.xml and c2s.xml.
router-users.xml as below (replacing newpass with your new password):
<users>
<user>
<name>jabberd</name>
<secret>newpass</secret>
</user>
</users>
Then, change the password in each of sm.xml, resolver.xml, s2s.xml and c2s.xml. In each of these files there are tags for the router user in the router section. Change the password as below (replacing newpass with your new password):
<!-- Router connection configuration -->
<router>
<!-- IP/port the router is waiting for connections on -->
<ip>127.0.0.1</ip> <!-- default: 127.0.0.1 -->
<port>5347</port> <!-- default: 5347 -->
<!-- Username/password to authenticate as -->
<user>jabberd</user> <!-- default: jabberd -->
<pass>newpass</pass> <!-- default: secret -->
Restart your Jabberd server for the change to take effect.
router.xml Must Be Edited If User Is Changed
router-users.xml is changed, then the user listed in the acl section of router.xml must also be changed:
<!-- Access control information -->
<aci>
<!-- The usernames listed here will get access to all restricted
functions, regardless of restrictions further down -->
<acl type='all'>
<user>jabberd</user>
</acl>
Settings for administrative users are contained in the aci section of sm.xml. By default, the administrative user is admin@localhost. In order to enable an administrative user that can be accessed remotely, change the jid to a user of your own choosing as below:
<acl type='all'>
<jid>admin@lsomedomain.com</jid>
</acl>
You will also need to create this user manually or from a Jabber client. When logged in, the administrative user will receive notices for user creation, and the administrative user will also be able to discover all online users, receive help requests, send MOTD's (messages of the day), etc.
Note that the user above is granted access to all administrative functions. You can assign specific administrative functions to users by specifying the acl type. See the examples in the sm.xml file.
Restart your Jabberd server for the change to take effect.
By default, Jabberd allows public registration for all users, which is to say that any user who can connect to your server can create their own Jabberd user on your server. In order to prevent public registration, edit the c2s.xml configuration file.
Under the Authentication/registration database configuration section, look for the Registration configuration subsection. Commenting the enable tag as below will disable public registration:
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>mysql</module>
<!-- Registration configuration -->
<register>
<!-- Account registration is enabled by default (provided the
auth/reg module in use supports it). Comment this out to
disable. -->
<!--
<enable/>
-->
Configurations using either PAM or OpenLDAP should disable public registration because Jabberd 2 does not support public registration via PAM or OpenLDAP.
User password changing is disabled by default in Jabberd 2. To allow your users to change their own passwords, uncomment the password tag in the authreg section in c2s.xml as below:
<!-- Authentication/registration database configuration -->
<authreg>
<!-- Backend module to use -->
<module>mysql</module>
<!-- Registration configuration -->
<register>
<!-- Account registration is enabled by default (provided the
auth/reg module in use supports it). Comment this out to
disable. -->
<enable/>
<!-- Human-readable instructions to be returned to client when
registration is requested. -->
<instructions>Enter a username and password to register with this server.</instructions>
<!-- Password change only. When registration is disabled, it may
still be useful to allow clients to change their password. If
you want this, uncomment this when you disable registration. -->
<password/>
Note that this will have no effect when using PAM or OpenLDAP for authentication because these packages do not permit password changing via Jabberd. Restart your Jabberd server for the change to take effect.
Jabberd 2, in addition to other Jabber clients and servers, is able to use DNS SRV records for hostname resolution. DNS SRV records allow for delegation of services — by port — to other hosts. Thus, if you want your Jabber server to run on a host that is not the primary domain host, you would most likely want to set DNS SRV records to delegate Jabber client and server services to another host or hosts.
somedomain.com resolves host1.somedomain.com, and your Jabberd server is running on host1, SRV records would not be required.
There are 3 SRV records that can be created for a Jabberd installation:
_jabber._tcp.<domain> -> <host>.<domain>:5269
_xmpp-server._tcp.<domain> -> <host>.<domain>:5269
_xmpp-client._tcp.<domain> -> <host>.<domain>:5222
The first and second of these specify the host and the port for server-to-server (s2s) communications. There are two listings for this because the new XMPP protocol, regarding SRV records, is replacing the older Jabber standards. The third listing above specifies host and port for unencrypted client communications (c2s).
The following are examples for creating a set of SRV records for the BIND server:
_jabber._tcp.some_domain.com. 86400 IN SRV 5 0 5269 host.some_domain.com.
_xmpp-server._tcp.some_domain.com. 86400 IN SRV 5 0 5269 host.some_domain.com.
_xmpp-client._tcp.some_domain.com. 86400 IN SRV 5 0 5222 host.some_domain.com.
Replace some_domain.com with your domain name and host with the name of the host, and do not omit the "." after the domain name.
TinyDNS does not have a format for SRV records; however, you can use Rob Mayoff's TinyDNS Record Maker to create TinyDNS SRV records. These TinyDNS SRV records were created for the host of host.some_domain.com using a priority of 10 and a weight of '0':
:_jabber._tcp.some_domain.com:33:\000\012\000\000\024\225\004host\013some_domain\003com\000
:_xmpp-client._tcp.some_domain.com:33:\000\012\000\000\024\146\004host\013some_domain\003com\000
:_xmpp-server._tcp.some_domain.com:33:\000\012\000\000\024\225\004host\013some_domain\003com\000
Use TinyDNS Record Maker to create a set of records to be added to the TinyDNS data file.
Once the your DNS server is properly updated, you should test the listings using Dig. For example, to test the entry of _jabber._tcp.some_domain.com, using the DNS server my.dns_server.com, you would enter the command below:
dig @my.dns_server.com _jabber._tcp.some_domain.com any +short
This should provide you with the data from your DNS SRV record:
10 0 5269 host.some_domain.com.
This section describes how to use an existing Jabberd 1.4 installation to connect legacy Jabberd 1.4 services, such as gateways and transports, to Jabberd 2. See the next section for using the JCR component to connect to legacy services. See Appendix 11 for a primer on how Jabberd 2 can use a Jabberd 1.4x process to run a transport.
A familiarity with Jabberd 1.4. is assumed, as is a working Jabberd 1.4 installation. Jabberd 1.4 setup and configuration is beyond the scope of this document; however, many excellent resources exist, including the Jadmin Archive and the Jabberd 1.4x Administration Guide.
Connecting Jabberd to a legacy service is similar to the means by which Jabberd 1.4 links to services; however there are several important differences when linking from Jabberd 2 to a Jabberd 1.4 service:
Additionally, a service namespace should exist in sm.xml if the component does not support discovery (disco). For example, MU Conference supports discovery, so no entry is required in sm.xml in order to make this service browsable. On the other hand, JUD (Jabber User Directory) does not support discovery; therefore, an entry would be required in sm.xml to make a JUD browsable by users. See sm.xml for examples.
The sub-sections below describe how to configure a David Sutton's MU Conference for Jabberd 1.4, and the example concludes with a working MU Conference configuration file. See MU Conference for downloads and more information about this component. MU Conference provides a multi-user chat room service for Jabberd.
When running a gateway or transport with Jabberd 1.4, the main Jabberd process handles XDB and logging functions. This is not the case when running such a component with Jabberd 2. Instead, the component should run in its own process, and the component should handle its own XDB and logging functions. That is to say that legacy components should be run in a process that is self-contained. Thus, if you have a component that is linked to a Jabberd 1.4. server, you should add an XDB section to the service configuration file:
<xdb id="xdb">
<host>conference.somedomain.com</host>
<load>
<xdb_file>/usr/local/jabber/xdb_file/xdb_file.so</xdb_file>
</load>
<xdb_file xmlns="jabber:config:xdb_file">
<spool>/usr/local/var/spool/jabber</spool>
</xdb_file>
</xdb>
The XDB section above specifies the hostname, the XDB module to load, and the location to write the spool file(s).
As noted above, the component configuration file must also contain a logging section. You might add a section like this to the configuration file for your linked component:
<log id="muclog">
<file>/usr/local/var/jabberd/log/muc.log</file>
<host/>
<logtype/>
<format>%d: [%t] (%h): %s</format>
</log>
In the case of an MU Conference gateway, I have specified the log above as muc.log. Each service should have a separate log file.
The linked component should specify the IP address and port that the router is listening on. The default port for the router is 5347, so the beginning of the id section of your linked file would look something like this:
<service id="muclinker">
<uplink/>
<connect>
<ip>192.168.0.2</ip> <!-- IP Address of Router here -->
<port>5347</port>
The Jabberd 2 server uses a password for component connections. This password is similar to the shared secret that is used in Jabberd 1.4. Continuing with the example above, you should create a password for your legacy component to use. (In Jabberd 2, all legacy components share the same password with the router) This password, or secret, must be specified in your the configuration file for your linked component:
<service id="muclinker">
<uplink/>
<connect>
<ip>192.168.0.2</ip> <!-- IP Address of Router here -->
<port>5347</port>
<secret>ComponentPass</secret>
</connect>
</service>
This secret must also be specified in your router.xml file. The secret is set in the section labeled 'local network configuration':
<!-- Local network configuration -->
<local>
<!-- IP address to bind to (default: 0.0.0.0) -->
<ip>0.0.0.0</ip>
<!-- Port to bind to (default: 5347) -->
<port>5347</port>
<!-- File containing the user table. This is where the router gets
its component and secret information from for component
authentication.-->
<users>/usr/local/etc/jabberd/router-users.xml</users>
<!-- Shared secret used to identify legacy components (that is,
"jabber:component:accept" components that authenticate using
the "handshake" method). If this is commented out, support for
legacy components will be disabled. -->
<secret>ComponentPass</secret>
Note that the password is specified with the secret tag in router.xml (as above), and not in the router-users.xml file.
The router.xml file must also contain an alias for the linked component, and the router.xml file provides an example for uplinking an MSN transport. Add an alias section for the component to which you are linking. Continuing with the example above, this alias would be set as below in 'router.xml':
<!-- Name aliases.
Packets destined for the domain specified in the "name" attribute
will be routed to the component that has currently bound the name
in the "target" attribute (assuming it is online).
This is usually only required for some kinds of legacy
components (particularly jabberd 1.4 "uplink" components) -->
<aliases>
<!-- Example for a msn transport running from a jabberd 1.4 uplink -->
<!--
<alias name='msn.domain.com' target='msn-linker'/>
-->
<alias name='conference.somedomain.com' target='muclinker'/>
</aliases>
Note that the alias references the DNS-resolvable name for the component, and the target references the service id as specified in the linked component XML file (as shown in Section 5.5.4).
A working muc.xml file for MU Conferencing appears below:
<jabber>
<service id="muclinker">
<uplink/>
<connect>
<ip>192.168.0.2</ip> <!-- IP Address of Router here -->
<port>5347</port>
<secret>ComponentPass</secret>
</connect>
</service&