Configuring Ejabberd with PAM Authentication for specific group

Quick Tutorial because I had to figure this out on my own and it took a while to get everything working in the correct way.

OS Debian Jessie, Ejabberd 14.07

1. service ejabberd stop
2. edit /etc/ejabberd/ejabberd.yml

##
## Authentication using PAM
##
auth_method: pam
pam_service: "ejabberd"

!!!DO NOT FORGET TO DISABLE auth_method: internal further up the config!!!
 3. nano /etc/login.group.allowed (you can name that file w/e you want)

     users (in my case the group is called users)

 4. nano /etc/pam.d/ejabberd

#%PAM-1.0
auth       include  common-password
account    required pam_listfile.so item=group sense=allow file=/etc/login.group.allowed onerr=fail
account    include  common-password

 5. service ejabberd start

 6. Don't forget that the user ejabberd needs to have access to the shadow file, so you might have to create a shadow group and chroot /etc/shadow to allow access