I use IPA(FreeIPA.org) server with LDAP + Kerberos5.
----- Debug ------------------------------------------------------------------------------- -----
2012.04.23 14:35:52 org.jivesoftware.openfire.auth.AuthorizationManager - AuthorizationManager: Trying Default Policy.authorize(evgeniy , evgeniy@FM.LOCAL)
2012.04.23 14:35:52 org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy - DefaultAuthorizationPolicy: Checking authenID realm
2012.04.23 14:35:52 org.jivesoftware.openfire.net.SASLAuthentication - SASLAuthentication: SaslException
javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: evgeniy@FM.LOCAL is not authorized to connect as evgeniy@FM.LOCAL]
at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:292 )
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java :131)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java :325)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:183)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandl er.java:169)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived (AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimplePr otocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecF ilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(Ab stractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilt erChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceive d(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java :239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(Execut orFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.security.sasl.SaslException: evgeniy@FM.LOCAL is not authorized to connect as evgeniy@FM.LOCAL
at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:284 )
… 23 more
In info.log no problem…
root@xmpp01:/etc/openfire# cat gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
principal=“xmpp/xmpp01.fm.local@FM.LOCAL”
keyTab="/etc/openfire/xmpp.keytab"
doNotPrompt=true
storeKey=true
useKeyTab=true
isInitiator=false
debug=true;
};
root@xmpp01:/etc/openfire# cat openfire.xml
<?xml version="1.0" encoding="UTF-8"?>9090
9091
ru_RU
org.jivesoftware.database.DefaultConnectionProvider
com.mysql.jdbc.Driver
jdbc:mysql://localhost:3306/openfire
openfire
xxxxxxxxxxxxx
select 1
true
true
5
25
1.0
true
root@xmpp01:/etc/openfire# klist -ekt /etc/openfire/xmpp.keytab
Keytab name: WRFILE:/etc/openfire/xmpp.keytab
KVNO Timestamp Principal
1 04/23/12 14:26:15 xmpp/xmpp01.fm.local@FM.LOCAL (Triple DES cbc mode with HMAC/sha1)
kinit -kt /etc/openfire/xmpp.keytab xmpp/xmpp01.fm.local - Work
config
ldap.authorizeField krbPrincipalName
ldap.autoFollowAliasReferrals true
ldap.autoFollowReferrals false
ldap.baseDN cn=accounts,dc=fm,dc=local
ldap.connectionPoolEnabled true
ldap.debugEnabled true
ldap.emailField mail
ldap.encloseDNs true
ldap.groupDescriptionField description
ldap.groupMemberField member
ldap.groupNameField cn
ldap.groupSearchFilter (objectClass=posixGroup)
ldap.host ds01.fm.local
ldap.ldapDebugEnabled true
ldap.nameField cn
ldap.override.avatar true
ldap.port 389
ldap.posixMode false
ldap.searchFields Username/uid,Name/cn,Email/mail
ldap.searchFilter (objectClass=person)
ldap.sslEnabled false
ldap.usernameField uid
ldap.vcard-mapping …
plugin.search.excludedFields
plugin.search.serviceEnabled true
plugin.search.serviceName search
provider.auth.className org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.authorization.classList org.jivesoftware.openfire.ldap.LdapAuthorizationPolicy org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
provider.group.className org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className org.jivesoftware.openfire.ldap.LdapVCardProvider
register.inband true
register.password hidden
sasl.gssapi.config /etc/openfire/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI,PLAIN
update.lastCheck 1335035333218
xmpp.auth.anonymous false
xmpp.client.tls.policy optional
xmpp.domain fm.local
xmpp.fqdn xmpp01.fm.local
xmpp.server.certificate.accept-selfsigned false
xmpp.server.dialback.enabled true
xmpp.server.socket.active true
xmpp.server.tls.enabled true
xmpp.session.conflict-limit 0
xmpp.socket.ssl.active true