
Openfire+IPA+SSO+Pidgin

I use an IPA (FreeIPA.org) server with LDAP + Kerberos 5.

----- Debug -----

2012.04.23 14:35:52 org.jivesoftware.openfire.auth.AuthorizationManager - AuthorizationManager: Trying Default Policy.authorize(evgeniy , evgeniy@FM.LOCAL)
2012.04.23 14:35:52 org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy - DefaultAuthorizationPolicy: Checking authenID realm
2012.04.23 14:35:52 org.jivesoftware.openfire.net.SASLAuthentication - SASLAuthentication: SaslException
javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: evgeniy@FM.LOCAL is not authorized to connect as evgeniy@FM.LOCAL]
    at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:292)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:131)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:325)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:183)
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:169)
    at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
    at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.security.sasl.SaslException: evgeniy@FM.LOCAL is not authorized to connect as evgeniy@FM.LOCAL
    at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:284)
    ... 23 more


In info.log there is no problem…

root@xmpp01:/etc/openfire# cat gss.conf
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    principal="xmpp/xmpp01.fm.local@FM.LOCAL"
    keyTab="/etc/openfire/xmpp.keytab"
    doNotPrompt=true
    storeKey=true
    useKeyTab=true
    isInitiator=false
    debug=true;
};

root@xmpp01:/etc/openfire# cat openfire.xml
<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <locale>ru_RU</locale>
  <connectionProvider>
    <className>org.jivesoftware.database.DefaultConnectionProvider</className>
  </connectionProvider>
  <database>
    <defaultProvider>
      <driver>com.mysql.jdbc.Driver</driver>
      <serverURL>jdbc:mysql://localhost:3306/openfire</serverURL>
      <username>openfire</username>
      <password>xxxxxxxxxxxxx</password>
      <testSQL>select 1</testSQL>
      <testBeforeUse>true</testBeforeUse>
      <testAfterUse>true</testAfterUse>
      <minConnections>5</minConnections>
      <maxConnections>25</maxConnections>
      <connectionTimeout>1.0</connectionTimeout>
    </defaultProvider>
  </database>
  <setup>true</setup>
</jive>

root@xmpp01:/etc/openfire# klist -ekt /etc/openfire/xmpp.keytab
Keytab name: WRFILE:/etc/openfire/xmpp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/23/12 14:26:15 xmpp/xmpp01.fm.local@FM.LOCAL (Triple DES cbc mode with HMAC/sha1)

kinit -kt /etc/openfire/xmpp.keytab xmpp/xmpp01.fm.local works.


config

ldap.authorizeField                     krbPrincipalName
ldap.autoFollowAliasReferrals           true
ldap.autoFollowReferrals                false
ldap.baseDN                             cn=accounts,dc=fm,dc=local
ldap.connectionPoolEnabled              true
ldap.debugEnabled                       true
ldap.emailField                         mail
ldap.encloseDNs                         true
ldap.groupDescriptionField              description
ldap.groupMemberField                   member
ldap.groupNameField                     cn
ldap.groupSearchFilter                  (objectClass=posixGroup)
ldap.host                               ds01.fm.local
ldap.ldapDebugEnabled                   true
ldap.nameField                          cn
ldap.override.avatar                    true
ldap.port                               389
ldap.posixMode                          false
ldap.searchFields                       Username/uid,Name/cn,Email/mail
ldap.searchFilter                       (objectClass=person)
ldap.sslEnabled                         false
ldap.usernameField                      uid
ldap.vcard-mapping                      …
plugin.search.excludedFields
plugin.search.serviceEnabled            true
plugin.search.serviceName               search
provider.auth.className                 org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.authorization.classList        org.jivesoftware.openfire.ldap.LdapAuthorizationPolicy org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
provider.group.className                org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className                 org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className                org.jivesoftware.openfire.ldap.LdapVCardProvider
register.inband                         true
register.password                       hidden
sasl.gssapi.config                      /etc/openfire/gss.conf
sasl.gssapi.debug                       true
sasl.gssapi.useSubjectCredsOnly         false
sasl.mechs                              GSSAPI,PLAIN
update.lastCheck                        1335035333218
xmpp.auth.anonymous                     false
xmpp.client.tls.policy                  optional
xmpp.domain                             fm.local
xmpp.fqdn                               xmpp01.fm.local
xmpp.server.certificate.accept-selfsigned  false
xmpp.server.dialback.enabled            true
xmpp.server.socket.active               true
xmpp.server.tls.enabled                 true
xmpp.session.conflict-limit             0
xmpp.socket.ssl.active                  true

In my testing the only way to get this to work was to connect using the FQDN of the Openfire server. I'm still trying to figure out how to connect to the XMPP domain instead of the FQDN.

Derek
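The keytab listed in the post holds a single principal, xmpp/xmpp01.fm.local@FM.LOCAL, and Derek reports that sign-on only works when the client dials that FQDN rather than the XMPP domain. The script below is an added example for this thread; it is not code from the post, from Openfire or from Pidgin. It parses the `klist -ekt` listing (the one from the post, embedded as constructed input), derives the service principal a GSSAPI client will ask the KDC for when it connects to a given host (the general service/<dialled host>@REALM rule; that Pidgin builds the name this way is an assumption of the example, not something the page verifies), checks whether that principal is in the keytab, and flags two things a practitioner would want to see: a keytab whose only key is an enctype that RFC 8429 deprecates (the 3DES entry above), and a Kerberos realm that differs from xmpp.domain only by case, which is exactly the comparison the log fails at under "Checking authenID realm" (whether Openfire folds case there is not shown on the page, so the script only reports it). All function names (`parse_klist`, `expected_spn`, `check_keytab`, `summarize`, `keytab_mode_ok`) and the `WEAK_ENCTYPES` table are the example's own.

```python
"""Offline sanity checks for an Openfire GSSAPI service keytab.

Added example for the Openfire+IPA+SSO+Pidgin thread, not Openfire code.
It parses `klist -ekt` output, derives the SPN a GSSAPI client requests
for the host it dials, and reports the findings to check before blaming
the SASL layer.
"""
import re
import stat

# Constructed input: the klist -ekt listing quoted in the post.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/openfire/xmpp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 04/23/12 14:26:15 xmpp/xmpp01.fm.local@FM.LOCAL (Triple DES cbc mode with HMAC/sha1)
"""

# Enctypes deprecated by RFC 8429 (plus single DES, broken long before that),
# spelled the way `klist -e` prints them. A keytab whose only key is one of
# these stops working the day the KDC refuses to issue tickets for it.
WEAK_ENCTYPES = {
    "Triple DES cbc mode with HMAC/sha1",  # des3-cbc-sha1
    "ArcFour with HMAC/md5",               # rc4-hmac
    "DES cbc mode with CRC-32",
    "DES cbc mode with RSA-MD5",
}

# One keytab entry: KVNO, timestamp (date and time), principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from `klist -ekt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def expected_spn(connect_host, realm, service="xmpp"):
    """SPN a GSSAPI client builds: service/<host it dialled>@REALM.

    Assumption (general Kerberos practice): the host part is the name the
    client connected to, not the XMPP domain in the JID. That is why a keytab
    keyed only for the server FQDN works when clients dial the FQDN and fails
    when they dial the bare domain.
    """
    return f"{service}/{connect_host.lower()}@{realm.upper()}"


def keytab_mode_ok(st_mode):
    """True only if no group/other bits are set. The keytab is the service's
    long-term key: anyone who can read it can impersonate the XMPP server."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_keytab(klist_text, connect_host, realm, xmpp_domain):
    """Findings for one 'client dials connect_host' scenario."""
    entries = parse_klist(klist_text)
    principals = {p for _, p, _ in entries}
    enctypes = [e for _, _, e in entries]
    spn = expected_spn(connect_host, realm)
    return {
        "spn": spn,
        "spn_in_keytab": spn in principals,
        "weak_enctypes": sorted({e for e in enctypes if e in WEAK_ENCTYPES}),
        "strong_key_present": any(e not in WEAK_ENCTYPES for e in enctypes),
        # Realm vs xmpp.domain compared case-insensitively; a case-only
        # difference is reported separately because the post's log fails at
        # "Checking authenID realm" and the page does not show whether
        # Openfire folds case in that comparison.
        "realm_matches_domain": realm.lower() == xmpp_domain.lower(),
        "realm_case_differs": realm != xmpp_domain and realm.lower() == xmpp_domain.lower(),
    }


def summarize(findings):
    """Human-readable lines for one scenario."""
    out = [f"client asks KDC for {findings['spn']}: "
           + ("present in keytab" if findings["spn_in_keytab"] else "NOT in keytab")]
    if not findings["strong_key_present"]:
        out.append("only deprecated enctypes in keytab: " + ", ".join(findings["weak_enctypes"]))
    if findings["realm_case_differs"]:
        out.append("realm and xmpp.domain differ only by case; confirm the realm check accepts that")
    elif not findings["realm_matches_domain"]:
        out.append("realm does not match xmpp.domain")
    return out


if __name__ == "__main__":
    # FQDN (Derek: works) versus XMPP domain (Derek: does not).
    for host in ("xmpp01.fm.local", "fm.local"):
        for line in summarize(check_keytab(KLIST_OUTPUT, host, "FM.LOCAL", "fm.local")):
            print(f"[{host}] {line}")
    print("keytab mode 0600 ok:", keytab_mode_ok(0o100600), "/ 0644 ok:", keytab_mode_ok(0o100644))
```

Run against the listing from the post, the FQDN scenario finds its principal and the fm.local scenario does not, which matches Derek's observation; the usual remedy is a keytab entry for every name clients actually dial, and a keytab whose only key is 3DES should be re-keyed with an AES enctype before the KDC drops it. `keytab_mode_ok` takes an `st_mode` so it can be tested offline; on the real host pass `os.stat("/etc/openfire/xmpp.keytab").st_mode`.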