A new feature of ejabberd 2 is built-in PAM support.  This can make adding
jabber service with ejabberd to a simple server as easy as adding mail service
is with dovecot.

I'm not sure the best way to include all the bits here, so I'll attach a patch
for the .spec and mention other changes. For ejabberd.cfg:

-%%{pam_service, "pamservicename"}.
+%%{pam_service, "ejabberd"}.

and an ejabberd.pam file for SOURCES:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth

I would not suggest uncommenting this by default as the administrator ought to
consider the security implications.  It might even be wise to make a note that
TLS really ought to be enabled before doing this, though we don't prevent people
from shooting themselves in the foot with, e.g. dovecot with plain IMAP.

Things I haven't addressed here:
1. Whether the PAM file is appropriate.  It works, but did I forget something
important?  Is there a way to limit UID's < 500 in pam files?  Authentication tries?
2. Any SELinux stuffs.
3. Somebody sanity check the priv/bin/epam permissions.  I followed the advice
from the ejabberd manual for secure use (oh, this is the privilege separation
thingy).

And all the things I didn't think to think of.  However, functionally, this does
appear to work as advertised on my server.  No user registration is required,
and only valid passwords authenticate.