Book

Calendar

May

M	T	W	T	F	S	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Jabber - CGP as XMPP server (P.I.T.A.)

cgp
jabber

(PITA = Pain In The A$$...)

Table of Contents

1. Basic Settings
2. CGP vs PSI
3. CGP vs VCARDs
4. CGP vs JWchat

1. Basic Settings

Settings/Real-Time/XMPP/Receiving/Listener (or Settings/Access/XMPP/Listener)

QIP can have problems logging via XMPP (see here). Go to Users/Domain Defaults/Login Methods and uncheck "NTLM".

2. CGP vs PSI

CommuniGate will not allow PSI to connect via secure connection unless their password encryption is A-crypt. This algorithm is reversible, therefore no one should be ableto read, search or write passwords in clean. We have to disable reading passwords viaLDAP and disable unencrypted LDAP connections.

To disable unencrypted LDAP access open the CGP admin interface and go to Settings/Services/LDAP/Listener. Find unencrypted port (5389), ~~set Init SSL/TLS to On~~ and set Remote IP address restrictions to Grant: 10.20.254.254.
To prohibit any user from reading the userPassword field, go to Directory/Access Rights and make sure the following rule is the first:
- Name = HidePas
- Target = *
- Bind DN = anyone
- Type = Prohibit
- Attribute Reading: userPassword,privateKey
- Attribute Searching: userPassword,privateKey
To guarantee that user password will be A-crypt encrypted, go to Users/Domains/ourdom.com/Account Defaults and set encryption to explicit A-crypt (this advice contradicts to UB-crpt).
- TODO:: I have a side evidence that CommuniGate resets this parameter to Default(A-Crypt) after restart, and new user encoding changes. Should be investigated.

3. CGP vs VCARDs

PSI requires the VCARD XMPP extension on server to start without a nag screen. One can use installed ejabberd instead of Communigate XMPP module. With Pronto getting better every release I think it is time to jump over to the integrated XMPP module although ejabberd is a very powerful jabber server. Attached you will find a working demo setup.

1. Receive connections on the standard jabber ssl port 5223 and forward^?^? them to the local machine on port 7222. This can be done via stunnel, a software package that allows you to terminate a SSL connection for application that does not support protocol encryption. The configuartion /etc/stunnel.conf should look like this:

; Protocol settings
sslVersion = all
ciphers = DES-CBC3-SHA

; various settings
chroot = /var/run/stunnel/
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 0
output = /var/log/stunnel.log
syslog = no

; create an xmpps endpoint
[xmpps]
accept = jabber.acme.com:5223
connect = 7222

2. Create a Perl proxy script that will capture the VCARD error message from Communigate and replace it with some dummy VCARD stuff. Thanks to David Ljung Madison for his magical template.

Perl proxy script

#!/usr/bin/perl
# Filename: tcp_forward?
# Author: David Ljung Madison <DaveSource.com>
# See License: http://MarginalHacks.com/License
# Description: Forwards a tcp connection, allows snooping of both directions
# Version: 1.01
use strict;
use IO::Socket;
use Net::hostent; # for OO version of gethostbyaddr
 
##################################################
# Setup the variables
##################################################
my $PROGNAME = $0;
$PROGNAME =~ s|.*/||;
 
# This gets and receives the streams by lines.
# Pro: Easier for filtering
# Con: Can't do tty or character based stuff (like logins, etc..)
# Con: "Lines" can get long for binary data - wastes memory
my $SEND_LINE_BY_LINE = 0;
my $RECV_LINE_BY_LINE = 0;
 
# Try this to see the example filter
# Then do: tcp_forward? -f 2000 -t getdave.com:80 -send
# And then point a browser to localhost:2000
# (Try it with and without the filter)
my $EXAMPLE_FILTER = 0;
$SEND_LINE_BY_LINE = 1 if ($EXAMPLE_FILTER);
 
# Reap zombies
$SIG{CHLD} = 'IGNORE';
 
##################################################
# Usage
##################################################
sub usage {
  my $msg;
  foreach $msg (@_) { print "ERROR: $msg\n"; }
  print "\n";
  print "Usage:\t$PROGNAME [-options]\n";
  print "\tTCP port forwarder. Forwards all traffic on a TCP port.\n";
  print "\t-f <port> From port (listen here)\n";
  print "\t-t <host:port> To location (send to here)\n";
  print "\t-recv Listen to all traffic we get back\n";
  print "\t-send Listen to all traffic we send (forward?)\n";
  print "\n";
  exit -1;
}
 
sub parse_args {
  my ($from,$to_host,$to_port,$recv,$send);
 
  while ($#ARGV>=0) {
    my $arg=shift(@ARGV);
    if ($arg =~ /^-h$/) { usage(); }
    if ($arg =~ /^-f(rom)?$/) { $from = shift(@ARGV); next; }
    if ($arg =~ /^-to?$/) {
      $to_port = shift(@ARGV); $to_host = "localhost";
      ($to_host,$to_port) = ($`,$') if ($to_port =~ /:/);
      next;
    }
    if ($arg =~ /^-s(end)?$/) { $send = 1; next; }
    if ($arg =~ /^-r(ecv)?$/) { $recv = 1; next; }
    if ($arg =~ /^-/) { usage("Unknown option: $arg"); }
    usage("Unknown argument [$arg]");
  }
 
  usage("No 'from' port defined") unless (defined $from);
  usage("No 'to' host defined") unless (defined $to_host);
  usage("No 'to' port defined") unless (defined $to_port);
 
  ($from,$to_host,$to_port,$recv,$send);
}
 
##################################################
# Outbound Connection
##################################################
sub outbound {
  my ($host,$port) = @_;
 
  $host = $host || "localhost";
  $port = $port || 23;
 
  my $handle = IO::Socket::INET->new(Proto => "tcp",
                                     PeerAddr => $host, PeerPort => $port)
               or die "cannot connect to port [$port] at localhost";
  $handle->autoflush(1);
 
  $handle;
}
 
##################################################
# Server side
##################################################
sub server {
  my ($from,$to_host,$to_port,$recv,$send) = @_;
 
  my $server = IO::Socket::INET->new( Proto => 'tcp',
                                      LocalPort => $from,
                                      Listen => SOMAXCONN,
                                      Reuse => 1);
 
  die "Can't setup server: $!\n" unless $server;
  print STDERR "Server started on port $from\n";
 
  #########################
  # Get an incoming connection
  #########################
  my $client;
  while ($client = $server->accept()) {
    print STDERR "Incoming connection\n";
    $client->autoflush(1);
 
    #########################
    # Fork so we can get more connections
    #########################
    my $pid = fork;
    die("[$PROGNAME] Couldn't fork: $!\n") if (!defined $pid);
    if ($pid) {
      close $client;
      next;
    }
 
    #########################
    # Setup an outbound connection
    #########################
    my $out_handle = outbound($to_host,$to_port);
    print STDERR "Forwarding to $to_host:$to_port\n";
 
    my $pid = fork;
    die("[$PROGNAME] Couldn't fork: $!\n") if (!defined $pid);
 
    if ($pid) {
 
      #########################
      # Receive data from the outbound/forwarded port
      #########################
      my ($c,$line,$i,$vsend);
      $vsend = 0;
      while(sysread($out_handle,$c,1)) {
        $line.=$c;
        if ($c eq ">") {
          $i = index($line,"<iq");
          if ($i != -1) {
            $i = index($line,"/iq>");
            if ($i == -1) {
              $i = 1;
            } else {
              $i = index($line,"type=\"error");
              if ( $i != -1) {
                $vsend = $vsend+1;
                if ($vsend > 0) {
                  $line = substr($line,0,$i-1);
                  $line.="type=\"result\"><vCard xmlns=\"vcard-temp\"><NICKNAME>RandomNickHere</NICKNAME></vCard></iq>";
                }
              }
              $i = -1;
            }
          }
          if ($i == -1) {
            print $client $line;
            print STDERR "R [$line]\n" if ($recv);
            undef $line
          }
        }
      }
      print STDERR "R [$line] <no eol>\n" if ($line && $recv);
      # Kill the child
      kill 9, $pid;
 
    } else {
 
      #########################
      # Send data to the forward?
      #########################
      my ($c,$line);
      if ($SEND_LINE_BY_LINE) {
        while($line = <$client>) {
          $line =~ s|GET /(.+) HTTP/1.0|GET http://GetDave.com/$1 HTTP/1.1|
            if ($EXAMPLE_FILTER); # See top of script
          print $out_handle $line;
          $line =~ s/[\r\n]//g;
          print STDERR "S [$line]\n" if ($send);
        }
      } else {
        while(sysread($client,$c,1)) {
          if ($send) {
            if ($c =~ /[\r\n]/) {
              print STDERR "S [$line]\n" if ($line);
              undef $line;
            } else {
              $line.=$c;
            }
          }
          syswrite($out_handle,$c);
        }
        print STDERR "S [$line] <no eol>\n" if ($line && $send);
      }
    }
 
    print STDERR "Closed connection\n";
    close $client;
    close $out_handle;
 
    exit;
  }
}
 
##################################################
# Main code
##################################################
sub main {
  server(parse_args());
}
main();

3. Start the PERL script so that it will listen on port 7222 and send all requests to your XMPP Jabber port:

./proxy.pl -f 7222 -t jabber.acme.com:5222

Voila, that's all now you can connect PSI via SSL to port 5223 of your Communigate server. There could be a lot of improvements but better a small start than nothing at all.

4. CGP vs JWchat

Punjab creates http-poll transport for XMPP server incapable of that, such as CGP.

Punjab Python Prerequisites on Fedora 8:

yum -y install python-devel python-twisted

On RHEL4:

rpm -ivh python-twisted-1.3.0-1.2.el4.rf.(i386|x86_64).rpm

Download punjab-0.12.tar.gz from punjab download site and follow punjab documentation:

cd /var/www
tar xzf /root/punjab-0.12.tar.gz
mv punjab-0.12 punjab
cd /var/www/punjab
python ./setup.py install
mkdir server
cd server
mktap punjab -b 1 -p 1 -s 1 -x 1 --html_dir=/var/www/punjab/html
twistd -f /var/www/punjab/server/punjab.tap

For punjab to automatically start on boot download /etc/init.d/punjab.sh

chkconfig punjab on
service punjab restart

Attachments

soho-cgp-jabber-proxy.pl.txt

soho-cgp-jabber-proxy.pl.txt 6.13 KB

punjab-0.12.tar.gz

punjab-0.12.tar.gz 200.53 KB

python-twisted-1.3.0-1.2.el4.rf.i386.rpm

python-twisted-1.3.0-1.2.el4.rf.i386.rpm 2.72 MB

python-twisted-1.3.0-1.2.el4.rf.x86_64.rpm

python-twisted-1.3.0-1.2.el4.rf.x86_64.rpm 2.72 MB