This is pretty much the same problem that I’m working on, except that I’m running Openfire 3.7.0 on Debian GNU/Linux squeeze and want to allow Kerberos users to authenticate and gain access. These users also run Debian squeeze on their workstations and prefer to use the Pidgin IM client using XMPP.
My feeling is that I’m close to getting it all working. I started by following these instructions. The first part of this seems to be what I need (no additional MIT software necessary):
Stanford University IT Lab Blog - Openfire and Kerberos implementation notes
Currently, when the Pidgin client attempts to contact the Openfire server, it first acquires a Kerberos XMPP ticket, which is encouraging, but is then asked for a password, which IMO should not happen. It would seem that my Openfire server is ignoring its Kerberos configuration, causing the client to revert to SSL (I think).
The guys at Stanford got SSO to run using Openfire 3.5.2 and are now running 3.6.4. I don’t know if 3.7.0 is significantly different in this respect. At any rate, they say they have no problems working with Pidgin.
In my case, after installing Openfire 3.7.0 and feeding it the Stanford configuration mentioned above (their “Initial Kerberos Setup”), but of course with my own host and realm names, I will log in to the admin console and see that the following server preferences have been set:
Am I missing any preferences that must be added to the database manually?
Openfire’s behavior is sometimes curious in that it will occasionally delete information from its openfire.xml file with no explanation. It may consider those settings to be redundant, or prefer to store them in its database instead. It may also be ignoring other openfire.xml preferences, but there’s nothing about any of this in the Openfire logs. If only I could find some documentation on this subject.
Also, despite various debug options being set to “on”, Openfire generates remarkably little log output, so it’s hard to know what’s going on. The only indication it gives that something is amiss when my Pidgin client’s Kerberos authentication fails is this message in the info.log file:
User Login Failed. Failure to initialize security context
What does this mean? That it failed to process /etc/openfire/gss.conf properly, or to read the keytab?
Any help would be appreciated.