-
jaj
Talking about permissions and RBAC, I wonder if anybody knows the state of SSO support. My understanding is servers implement it but clients don't. I've seen organizations choose Matrix over XMPP for this reason
-
stratself
i was able to get LDAP working with ejabberd auth. It basically just forwards the plaintext password to the LDAP backend. Having OIDC would be much better than this imo
-
Guus
Openfire and Spark can support SSO, although it is dated.
-
jaj
I think the key is XEP-0493: OAuth Client Login. Servers (like prosody) implement it but I don't think any client implements it
-
Kris
I am still hoping Singpolyma will polish his PoC for OIDC login for Movim and make a PR.
-
Kris
at least if I remember correctly he said it exists but unpublished and hacky
-
singpolyma
it was a few years ago but yes I did do that. I think it's still around here somewhere on my pc
-
erebion
> Talking about permissions and RBAC, I wonder if anybody knows the state of SSO support. My understanding is servers implement it but clients don't. I've seen organizations choose Matrix over XMPP for this reason Pretty sure that's why Mozilla uses Matrix, it's just easy to integrate with Mozilla Accounts and it is always easy to follow something that has somewhat of a hype, as most people will not think much about it
-
erebion
> i was able to get LDAP working with ejabberd auth. It basically just forwards the plaintext password to the LDAP backend. Having OIDC would be much better than this imo How do you configure this? I have never used or looked at LDAP and the docs look completely alien to me. (To me it seems easier to port the kernel to a phone, at least I have an idea what I'm doing there xD)
-
erebion
> I think the key is XEP-0493: OAuth Client Login. Servers (like prosody) implement it but I don't think any client implements it Yesterday, I've opened issues with
- Monocles: Arne wants to implement it
- Monal: They say they are far too understaffed, but will accept contributions
- Conversations/Dino/Gajim: no reply (but it's not even been a full day yet)
-
Kris
erebion, https://github.com/lldap/lldap/blob/main/example_configs/ejabberd.md
-
Kris
should work similarly with other LDAP backends
-
stratself
yeah I did use lldap and just matched 2 by 2. Forgot it completely now though; if I ever do it again I'll probably use kanidm
-
erebion
> erebion, https://github.com/lldap/lldap/blob/main/example_configs/ejabberd.md Thanks. Still prefer OAuth, LDAP seems to be some arcane sort of magic
-
jjj333_p [pain.agency]
> LDAP seems to be some arcane sort of magic most auth seems like that to me
-
erebion
good point
-
hueso
Yunohost ships with Prosody+LDAP by default (previously Metronome)
-
Kris
the main issue with LDAP is that clients like Monal and I think recent versions of Conversations don't allow connection to Plain SASL by default.
-
Kris
which can be enabled in the settings, but it is pretty unclear and requires technical understanding to figure out which setting does that.
-
Kris
so one main SSO benefit of making it easy for non-technical people is lost again.
-
jaj
>> erebion, https://github.com/lldap/lldap/blob/main/example_configs/ejabberd.md > Thanks > > Still prefer OAuth, LDAP seems to be some arcane sort of magic Usually OAuth is backed by LDAP eventually, it just adds magic on top, like being logged in to multiple services at once with a common token✎ ↺ -
jaj
>> erebion, https://github.com/lldap/lldap/blob/main/example_configs/ejabberd.md > Thanks > > Still prefer OAuth, LDAP seems to be some arcane sort of magic Usually OAuth is backed by LDAP eventually, it just adds magic on top, like being logged in to multiple services at once with a common token. From what I've seen, usually Keycloak is used for the OAuth magic and it uses LDAP or Active Directory as a backend for the actual user management
-
jaj
When you deploy multiple self-hosted services (cryptpad, nextcloud, wiki, ...) for an organization, they want to have their users logged in once and not require them to log in to every service you use. LDAP can make sure you have the same credentials everywhere but it cannot have you logged in across multiple services simultaneously. This is of course more difficult with desktop and smartphone clients but should be possible to integrate cleanly with Movim for example
-
erebion
> which can be enabled in the settings, but it is pretty unclear and required technical understanding to figure out what setting does that. Good point, that would lead to too many support requests and/or unhappy users, even at my hackerspace, so I'll not use LDAP.
-
erebion
> When you deploy multiple self-hosted services (cryptpad, nextcloud, wiki, ...) for an organization, they want to have their users logged in once and not require them to login to every service you use. LDAP can make sure you have the same credentials everywhere but it cannot have you logged in across multiple services simultaneously. This is of course more difficult with desktop and smartphone clients but should be possible to integrate cleanly with Movim for example It's not really about avoiding logging in multiple times, it's about avoiding maintaining 8 user databases with their own set of access rights :)
-
hueso
> Good point, that would lead to too many support requests and/or unhappy users, even at my hackerspace, so I'll not use LDAP. Yunohost uses LDAP for everything and Plain SASL is not needed, can connect just fine with any client.
-
Kris
that is impossible. Maybe the clients you use are ok with Plain SASL by default
-
Kris
(at least until xmpp servers implement sasl passthrough)
-
singpolyma
I mean, if your LDAP server supports other SASL mechs?
-
Kris
how would the xmpp server know? Afaik both Prosody and Ejabberd only support SASL plain with LDAP
-
singpolyma
If it passed sasl through instead of translating it wouldn't have to know. But I haven't worked with LDAP in a very long time
-
Kris
for Prosody it was at least discussed to support more advanced SASL methods with LDAP, but apparently the upstream lua library would first need support for that.
-
Kris
yes, but the xmpp server doesn't know how to pass it directly to the LDAP server, which is the problem
-
singpolyma
As in doesn't have code for that? Sure
-
Kris
well, right now it isn't implemented and Yunohost+Prosody certainly doesn't either.
-
moparisthebest
> erebion, https://github.com/lldap/lldap/blob/main/example_configs/ejabberd.md wow that looks awesome, last time I looked at available ldap servers to self host I ran away screaming
-
hueso
Been using Conversations/Dino/Gajim + Yunohost for years. No fancy conf needed.
-
Kris
moparisthebest, kanidm is also nice and includes a read-only LDAP for legacy apps.
-
Kris
I just wish it had a self-service signup option
-
Kris
hueso, then you are on an old version of Conversations or did configure it at some point.
-
Kris
Dino and Gajim don't require it
-
moparisthebest
> RADIUS for network and VPN authentication wow the other thing I needed, can you just start sending me all the software you find Kris 😁 thanks again
-
hueso
> hueso, then you are on an old version of Conversations or did configure it at some point. not only me but many of my normie friends running recent versions, I'm pretty sure they didn't go through some obscure options to log in. IDK how ynh does it but it just works
-
Kris
maybe I am mistaken and it isn't default on Conversations yet. But the dev said it will be in the future.
-
Kris
it is definitely the default on Monal though
-
hueso
I don't have any iFruit device at hand to test that
-
freespoken.nz
I've never tried it, but I think FreedomBox has a single sign-on system, and JSXC is one of the apps available in it. But I can't check the documentation right now, because wiki.debian.org isn't responding.
-
Kris
JSXC had a special SSO system, yes. Completely custom though
-
freespoken.nz
It finally loaded!
> Many apps with web interface in FreedomBox support single sign-on using OpenID Connect. This means that if you are logged into FreedomBox web interface, there is no need to login to the app separately. Other apps support using the FreedomBox user accounts via LDAP. Finally, there are some apps that manage their own user accounts separate from the accounts you have in FreedomBox.
And in FreedomBox's documentation for ejabberd:
> Currently, all users created through FreedomBox will be able to login to the XMPP server.
So it might be the same passphrase, but not automatically logged in? Or only automatically logged in if you're using JSXC from the same server, but you can still log in with the same passphrase in other clients?