Kerberos authentication with custom user integration

Has anyone successfully implemented Kerberos authentication and a custom user database integration? I’ve been following the documentation located here: ration-guide.html (the “User Integration” section); however, it says that in order to perform custom user integration with your own database, you must also enable custom authentication integration.

We’d like to authenticate via Kerberos on an AD domain, however, load the vcard data with data in a custom MySQL database. The data in the database is fed by an HR system and would be the current data for the employees.

If anyone has successfully implemented this, would you mind posting pieces of your config? Thanks!

That doc is not applicable to your needs. For Kerberos authentication you need to be authenticating against an authentication server. Your custom database does not fit this bill. It probably does not have your Active Directory passwords in it for one, and that is a big one.

Right - for Kerberos authentication I’d be following the doc here: (skipping the SSO configuration for now). Correct me where I am wrong, but that just takes care of the authentication/authorization piece. Next will be pulling the data for the users/vcards… for that I was hoping to utilize the custom user integration documentation to allow Openfire to query our internal employee MySQL database.

Your user integration is part of the authentication integration. I do not think you can separate the 2 especially and get Kerberos to work. You should have all the data you need in your AD system to fill a vCard correctly. If not, there are many products on the market that give the user control to fix this. One is Directory Update. We have deployed this with great success. It can even be preconfigured to have pulldowns with accepted answers.

Unfortunately, the AD environment that we are integrating with has very little user data. The data is stored in a separate LDAP database. I’m not quite sure why it has been split this way; it perhaps has something to do with the management (there are tens of thousands of users… we’re just a small department implementing this). Thanks for the info… if it can’t be done (you mentioned that you didn’t think the two could be separated), we’ll have to find another method of combining the two data sources.


What you are looking to do might be possible, but has not been done yet. Basically, you are talking about authorization and authentication separation, which Openfire’s API has good support for, but is little leveraged since in most cases it would be confusing to do so. I would be willing to work on this as a consulting project; if you are interested and want to discuss some details, send me a private message. Without more information on what you want to do, it would be hard to say what can be done.