Friday, May 9, 2014

Setting up a Chat server with Prosody and Group-Office


A lot of customers requested a chat module for Group-Office. In my search for a
solution I stumbled upon a great XMPP/Jabber chat server called Prosody.

This is a short guide on how to connect this server with Group-Office.

Become root and install the Prosody XMPP server:

$ apt-get install prosody luarocks

Install lpy becuase it's required for the external external auth module:

$ luarocks install lpty

Download mod_auth_external for Prosody here:

https://hg.prosody.im/prosody-modules/raw-file/tip/mod_auth_external/mod_auth_external.lua

Put it in /usr/lib/prosody/modules/
eg.
cd /usr/lib/prosody/modules
wget https://prosody-modules.googlecode.com/hg/mod_auth_external/mod_auth_external.lua

Now create /usr/bin/GroupOfficeProsodyAuth.php. This script handles the
authentication requests from Prosody and it uses the Group-Office framework.
Note: If you installed Group-Office with the debian package it's already available in /usr/bin/GroupOfficeProsodyAuth.php
#!/usr/bin/php
<?php
/**
 * Group-Office
 * 
 * Copyright Intermesh BV. 
 * This file is part of Group-Office. You should have received a copy of the
 * Group-Office license along with Group-Office. See the file /LICENSE.TXT
 *
 * If you have questions write an e-mail to info@intermesh.nl
 * 
 * @license AGPL/Proprietary http://www.group-office.com/LICENSE.TXT
 * @link http://www.group-office.com
 * @copyright Copyright Intermesh BV
 * @version $Id: GroupOfficeProsodyAuth.php 17690 2014-06-17 07:02:34Z mschering $
 * @author Merijn Schering 
 * @package GO.base
 * 
 * test:
 * 
 * auth:username:groupoffice.domain.com:password
 */

// the logfile to which to write, should be writeable by the user which is running the server
$sLogFile  = "/var/log/prosody/prosody.log";

// set true to debug if needed
$bDebug  = false;

$oAuth = new exAuth($sLogFile, $bDebug);

class exAuth
{

 private $sLogFile;

 private $bDebug;

 private $rLogFile;

 private function _includeGO($server){
  //Try to detect a host based
  if(class_exists('GO')){
   return true;
  }
  if(file_exists('/etc/groupoffice/'.$server.'/config.php')){
   define('GO_CONFIG_FILE', '/etc/groupoffice/'.$server.'/config.php');
   require(GO_CONFIG_FILE);
   require_once($config['root_path'].'GO.php');
  }else
  {

   require_once('/usr/share/groupoffice/GO.php');
  }
  
  $this->writeDebugLog("Config file: ".GO::config()->get_config_file()." db: ".GO::config()->db_name." ".GO::config()->debug);
 }
 
 public function __construct($sLogFile, $bDebug)
 {

  $this->sLogFile  = $sLogFile;
  $this->bDebug  = $bDebug;
  
  $this->rLogFile = fopen($this->sLogFile, "a") or die("Error opening log file: ". $this->sLogFile);

  $this->writeLog("start");

  do {  
   $sData = substr(fgets(STDIN),0,-1);
   
   if($sData){
    
    $this->writeDebugLog("received data: ". $sData);
    $aCommand = explode(":", $sData);
    if (is_array($aCommand)){
     switch ($aCommand[0]){
      case "isuser":
       if (!isset($aCommand[1])){
        $this->writeLog("invalid isuser command, no username given");
        $this->failure();
       } else {
   
        $sUser = str_replace(array("%20", "(a)"), array(" ", "@"), $aCommand[1]);
        $this->writeDebugLog("checking isuser for ". $sUser);

        $this->_includeGO($aCommand[2]);
        $user = \GO\Base\Model\User::model()->findSingleByAttribute('username', $sUser);

        if ($user){        
         $this->writeLog("valid user: ". $sUser);
         
         $this->success();

        } else {
         $this->writeLog("invalid user: ". $sUser);
         $this->failure();
        }
        
        
       }
      break;
      case "auth":
       
       if (sizeof($aCommand) != 4){
        $this->writeLog("invalid auth command, data missing");
        $this->failure();
       } else {
        

        $sUser = str_replace(array("%20", "(a)"), array(" ", "@"), $aCommand[1]);
        $sPassword = $aCommand[3];
        $this->writeDebugLog("doing auth for ". $sUser);



        $this->_includeGO($aCommand[2]);

        $user = \GO::session()->login($sUser, $sPassword, false);

     
        if ($user) {
      
         $this->writeLog("authentificated user ". $sUser ." domain ". $aCommand[2]);
         $this->success();
        } else {
      
         $this->writeLog("authentification failed for user ". $sUser ." domain ". $aCommand[2]);
         $this->failure();
        }
       
       }
      break;
      case "setpass":
       // postavljanje zaporke, onemoguceno
       $this->writeLog("setpass command disabled");
       $this->failure();
      break;
      default:
       // ako je uhvaceno ista drugo
       $this->writeLog("unknown command ". $aCommand[0]);
       $this->failure();
      break;
     }
    } else {
     $this->writeDebugLog("invalid command string");
     $this->failure();
    }
   }

   unset($aCommand);
  } while (true);
 }

 public function __destruct()
 {
  $this->writeLog("stop");  
 }

 private function writeLog($sMessage)
 {
  if (is_resource($this->rLogFile)) {
   fwrite($this->rLogFile, date("r") ." [external_auth] ". $sMessage ."\n");
  }
 }

 private function writeDebugLog($sMessage)
 {
  if ($this->bDebug){
   $this->writeLog( date("r")." [external_auth_debug] ".$sMessage);
  }
 }
 
 
 private function success(){
  echo "1\n";
  if(class_exists('\GO')){
   \GO::unsetDbConnection();
  }

 }
 
 private function failure(){
  echo "0\n";
  if(class_exists('\GO')){
   \GO::unsetDbConnection();
  }
 }


 
}

Make this script executable:

$ chmod +x /usr/bin/GroupOfficeProsodyAuth.php

Edit /etc/prosody/prosody.cfg.lua and enable the "bosh" and "groups" module by removing the "--" in front of it. Then comment out authentication = "internal_plain":

and set:

 -- authentication = "internal_plain"
authentication = "external"
external_auth_command = "/usr/bin/GroupOfficeProsodyAuth.php"
external_auth_protocol = "generic"

cross_domain_bosh = true

Also set the groups file:

groups_file = "/home/groupoffice/chat/groups.txt";
Also setup your VirtualHost with the domain you run Group-Office on.
(See https://prosody.im/doc/configure for more info on configuring Prosody).

Example config file:
-- Prosody XMPP Server Configuration
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- Good luck, and happy Jabbering!


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards

        -- These are commented by default as they have a performance impact
                --"privacy"; -- Support privacy lists
                --"compression"; -- Stream compression (requires the lua-zlib package installed)

        -- Nice to have
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords

        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

        -- HTTP modules
                "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"http_files"; -- Serve static files from a directory over HTTP

        -- Other specific functionality
                "groups"; -- Shared roster support
                --"announce"; -- Send announcement to all online users
                --"welcome"; -- Welcome users who register accounts
                --"watchregistrations"; -- Alert admins of registrations
                --"motd"; -- Send a message to users when they log in
                --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
        -- "offline"; -- Store offline messages
        -- "c2s"; -- Handle client connections
        -- "s2s"; -- Handle server-to-server connections
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
-- ssl = {
--      key = "/etc/prosody/certs/localhost.key";
--      certificate = "/etc/prosody/certs/localhost.crt";
--}

ssl = {
                key = "/etc/prosody/certs/group-office.com.key";
                certificate = "/etc/prosody/certs/group-office.com.crt";
        }

-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.

c2s_require_encryption = false

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security

s2s_secure_auth = false

-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.

--s2s_insecure_domains = { "gmail.com" }

-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid"

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

-- authentication = "internal_plain"

authentication = "external"
external_auth_command = "/usr/local/bin/GroupOfficeProsodyAuth.php"
external_auth_protocol = "generic"

--authentication = "anonymous"
cross_domain_bosh = true
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
log = {
        info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
        error = "/var/log/prosody/prosody.err";
        "*syslog";
}

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

--VirtualHost "localhost"

VirtualHost "intermesh.group-office.com"
        groups_file = "/home/govhosts/intermesh.group-office.com/data/chat/groups.txt";
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/group-office.com.key";
                certificate = "/etc/prosody/certs/group-office.com.crt";
        }

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.intermesh.group-office.com" "muc"

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--      component_secret = "password"

                                           
Restart the Prosody XMPP server:

$ service prosody restart

Now try to connect with your XMPP/Jabber client.

Use your Group-Office user, password and domain.

You can check /var/log/prosody/ for log files.

Make sure config.php of Group-Office is readable by the prosody user!

Now enable the chat module in Group-Office.

Troubleshooting

  1. Make sure config.php of Group-Office is readable by the prosody user
  2. Check that the following ports are accessible 5222,5223,5280,5281 (or forwarded if it's behind a router)
  3. Make sure PHP CLI is logging errors and check for PHP errors in syslog.
  4. To make SSL work on all clients I had to combine the ssl certificate and CA bundle

Update: I found the excellent program Converse.js that could be integrated in Group-Office 6.0 easily:

Additionally, I used the Prosody "groups" module to automatically deliver all Group-Office Chat users as contacts to the chat clients.




13 comments:

  1. Hello, could you please help. I did all steps, but after enabling chat module i can't login to GroupOffice anymore and see this in logs:

    ----------------
    [20141105 10:57:21] PHP Warning: DOMDocument::loadXML(): Opening and ending tag mismatch: meta line 3 and head in Entity, line: 4 in /usr/share/groupoffice/modules/chat/xmpp-prebind-php/lib/XmppPrebind.php on line 610
    User: admin Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36 IP: 172.18.52.208
    Query:
    Backtrace:
    DOMDocument::loadXML in file /usr/share/groupoffice/modules/chat/xmpp-prebind-php/lib/XmppPrebind.php on line 610
    XmppPrebind::getBodyFromXml in file /usr/share/groupoffice/modules/chat/xmpp-prebind-php/lib/XmppPrebind.php on line 128
    XmppPrebind::connect in file /usr/share/groupoffice/modules/chat/ChatModule.php on line 79
    GO\Chat\ChatModule::getPrebindInfo in file /usr/share/groupoffice/modules/chat/scripts.inc.php on line 17
    global::require in file /usr/share/groupoffice/views/Extjs3/default_scripts.inc.php on line 430
    global::require in file /usr/share/groupoffice/views/Extjs3/themes/Group-Office/Layout.php on line 20
    global::require in file /usr/share/groupoffice/views/Extjs3/Init.php on line 2
    global::require in file /usr/share/groupoffice/go/base/view/FileView.php on line 46
    GO\Base\View\FileView::render in file /usr/share/groupoffice/go/base/controller/AbstractController.php on line 279
    GO\Base\Controller\AbstractController::render in file /usr/share/groupoffice/controller/AuthController.php on line 60
    GO\Core\Controller\AuthController::actionInit in file /usr/share/groupoffice/go/base/controller/AbstractController.php on line 519
    GO\Base\Controller\AbstractController::callActionMethod in file /usr/share/groupoffice/go/base/controller/AbstractController.php on line 427
    GO\Base\Controller\AbstractController::run in file /usr/share/groupoffice/go/base/Router.php on line 159
    GO\Base\Router::runController in file /usr/share/groupoffice/index.php on line 79
    ----------------
    [20141105 10:57:21] PHP Fatal error: Call to a member function getAttribute() on a non-object in /usr/share/groupoffice/modules/chat/xmpp-prebind-php/lib/XmppPrebind.php on line 129
    User: admin Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36 IP: 172.18.52.208
    Query:
    Backtrace:
    GO::shutdown in file unknown on line unknown
    ----------------


    thanks in advance!

    ReplyDelete
  2. I have a jabber server setup but it is on a different box and I can't figure out how to specify a host name. Something like $jabberHost or chat_xmpp_host or something. Unfortunately there doesn't seem to be any documentation on how to configure the module.

    ReplyDelete
  3. Some latest remarks:

    1. To prosysdy config add

    consider_bosh_secure = true -- trust bosh connection

    2. Remember to have installed and enabled following php modules

    encryp - or you won't be able to login
    curl -

    Group-Office works fine without them but chat will not :-)

    ReplyDelete
  4. Hi there, it would be great if we could use the chat module with openfire server! Is there any tutorial to make this dream come true :-)

    ReplyDelete
  5. I just could not go away your web site before suggesting that I extremely enjoyed the standard information an individual provide to your guests? Is gonna be again frequently in order to check out new posts.

    토토사이트
    온라인카지노
    파워볼사이트

    ReplyDelete
  6. There is evidently a bunch to realize about this. I consider you made some good points in features also.

    스포츠토토
    토토
    안전놀이터
    토토사이트

    ReplyDelete
  7. Wow, that’s what I was exploring for, what a stuff! existing here at this weblog, thanks admin of this web page.

    토토
    바카라사이트
    파워볼
    카지노사이트

    ReplyDelete
  8. Some entrepreneurs make mistake of trying
    to setup business in the scale disparate with their use of funds
    and resources to finance loans. There are quite obvious systems you can set up to help you concentrate on your
    business. The best way is usually to only distribute
    the emails to users who have requested inclusion by using an email subscriber list, usually termed
    as opt-in lists. 토토사이트

    ReplyDelete
  9. https://gamezoom.xyz Getting a exercise spouse can significantly boost your muscle-building results. Your lover could be a valuable method to obtain inspiration for sticking to your workout treatment, and pushing you to maximize your endeavours when you exercise. Using a reliable partner to determine with can also help make you stay harmless as you will usually have a spotter.

    ReplyDelete