Openfire SSO Configuration

Hi guys,

I'm setting up an Openfire 3.10.1 server on Red Hat 6.4 using SSO and Kerberos authentication. My client is CentOS 6.4. I followed the instructions from Openfire: Enable Single Sign On (SSO) on Linux - Spiceworks and https://www.redhat.com/archives/freeipa-users/2012-February/msg00085.html

Now here is my configuration.

The gss.conf configuration file:

xmpp ODW [/opt/openfire/conf] 815# cat gss.conf
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/keytab/krb5.xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm=“DOMAIN.COM
    principal="xmpp/xmpp.domain.name@DOMAIN.COM"
    useFirstPass=true
    debug=true;
    isInitiator=false;
};

These settings used to be saved in the openfire.xml file, but now they are in the server database:

sasl.gssapi.config                /opt/openfire/conf/gss.conf
sasl.gssapi.debug                 true
sasl.gssapi.useSubjectCredsOnly   false
sasl.mechs                        GSSAPI
sasl.realm                        DOMAIN.com
xmpp.domain                       xmpp.domain.com
xmpp.fqdn                         xmpp.domain.com

The keytab file is at /opt/openfire/keytab/krb5.xmpp.keytab.

Running kinit -k -t /opt/openfire/keytab/krb5.xmpp.keytab xmpp/xmpp.domain.name@DOMAIN.NAME -V gives this output:

Using default cache: /tmp/krb5cc_0.1
Using principal: xmpp/xmpp.domain.name@DOMAIN.COM
Using keytab: /opt/openfire/keytab/krb5.xmpp.keytab
Authenticated to Kerberos v5

On my client I use Pidgin 2.10.11 with cyrus-sasl enabled. When I launch the Pidgin client on my workstation in debug mode, I can see that it successfully verified the certificate from the server. I only need to set up my username and domain name; it does not let me enter a password, and with the klist command on my client I can see that I got the ticket from the Openfire server. But then there is an error: server closed the connection. I checked error.log on the server, and there is this error message:

2015.06.26 19:13:51 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to error while processing message: long token
java.lang.SecurityException: Configuration Error:
    Line 11: expected [controlFlag]
    at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
    at sun.reflect.GeneratedConstructorAccessor52.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at javax.security.auth.login.Configuration$2.run(Unknown Source)
    at javax.security.auth.login.Configuration$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.Configuration.getConfiguration(Unknown Source)
    at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
    at sun.security.jgss.LoginConfigImpl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.LoginConfigImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSUtil.login(Unknown Source)
    at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Unknown Source)
    at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
    at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
    at com.sun.security.sasl.gsskerb.GssKrb5Server.<init>(Unknown Source)
    at com.sun.security.sasl.gsskerb.FactoryImpl.createSaslServer(Unknown Source)
    at javax.security.sasl.Sasl.createSaslServer(Unknown Source)
    at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:277)
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:173)

I suspected it might be a Java version problem, so I downloaded Java 1.7.0_79 to replace the Java version that comes with Openfire, but I still get the same error. I don't know which part of the configuration is wrong; does anyone have a suggestion?

Thanks.

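What the JDK's JAAS configuration parser makes of the gss.conf in the post above, as an added example that is not part of this thread or of Openfire: a small Python checker for the JAAS login-configuration grammar (Application { ModuleClass ControlFlag key=value ...; }; with // and /* */ comments), run over a constructed copy of the posted file and over a corrected copy. In that grammar a semicolon ends a login-module entry, so the ";" after debug=true closes the Krb5LoginModule entry; isInitiator=false is then read as the class name of a second module, the "=" after it is not a control flag, and parsing stops with the "expected [controlFlag]" error seen in the log. The checker also flags the realm value, which opens with a typographic quote and never closes it: JAAS only treats the ASCII double quote as a quote character, so that character ends up inside the realm string rather than raising a syntax error. The layout of the sample (module class and flag on one line), the messages and the warnings are this example's own; which line number the JDK reports depends on the layout of the real file.

```python
"""JAAS login-configuration checker for files like Openfire's gss.conf; added
illustration, not Openfire or JDK code (grammar: App { Module Flag k=v ...; };)."""
import re

CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"  # quotes word processors insert
TOKEN_RE = re.compile(  # one alternative per token kind, named by its group
    r"(?P<skip>\s+|//[^\n]*|/\*.*?\*/)"        # whitespace and JAAS comments
    r"|(?P<quoted>\"[^\"\n]*\"|'[^'\n]*')"
    r"|(?P<unterminated>\"[^\"\n]*|'[^'\n]*)"  # quote not closed on its line
    r"|(?P<punct>[{}=;])"
    r"|(?P<word>[^\s{}=;\"']+)", re.DOTALL)

def tokenize(text):
    """Yield (kind, text, line) per token; whitespace and comments are dropped."""
    for m in TOKEN_RE.finditer(text):  # the alternatives cover every character
        if m.lastgroup != "skip":
            yield m.lastgroup, m.group(), text.count("\n", 0, m.start()) + 1

class JaasParser:
    def __init__(self, text):
        self.tokens, self.pos, self.warnings = list(tokenize(text)), 0, []
        self.eof = ("eof", "end of file", text.count("\n") + 1)

    def take(self, punct=None):  # consume one token, optionally a required punct
        tok = self.tokens[self.pos] if self.pos < len(self.tokens) else self.eof
        self.pos += 1
        if punct and tok[:2] != ("punct", punct):
            raise ValueError(f"Line {tok[2]}: expected [{punct}], found [{tok[1]}]")
        return tok

    def parse(self):
        """Return {application: [(module_class, flag, {option: value}), ...]}."""
        apps = {}
        while self.pos < len(self.tokens):
            kind, name, line = self.take()
            if kind != "word":
                raise ValueError(f"Line {line}: expected [application name], found [{name}]")
            self.take("{")
            apps[name] = entries = []
            while self.pos < len(self.tokens) and self.tokens[self.pos][:2] != ("punct", "}"):
                entries.append(self.parse_entry())
            self.take("}")
            self.take(";")
        return apps

    def parse_entry(self):
        kind, module, line = self.take()
        if kind != "word":
            raise ValueError(f"Line {line}: expected [module class], found [{module}]")
        kind, flag, line = self.take()
        # After a stray ';' the next "key=value" line is read as a module class and
        # the token after it is '=' rather than a control flag: the error in the log.
        if kind != "word" or flag.lower() not in CONTROL_FLAGS:
            raise ValueError(f"Line {line}: expected [controlFlag], found [{flag}]")
        options = {}
        while True:
            kind, key, line = self.take()
            if (kind, key) == ("punct", ";"):  # only ';' ends the entry
                return module, flag.lower(), options
            if kind != "word":
                raise ValueError(f"Line {line}: expected [option key], found [{key}]")
            self.take("=")
            kind, value, line = self.take()
            if kind == "quoted":
                value = value[1:-1]
            elif kind == "unterminated":
                self.warnings.append(f"Line {line}: value of {key} has no closing quote")
                value = value[1:]
            elif kind != "word":
                raise ValueError(f"Line {line}: expected [option value], found [{value}]")
            elif value[0] in TYPOGRAPHIC_QUOTES:  # not a quote to JAAS: stays in the value
                self.warnings.append(f"Line {line}: value of {key} starts with a typographic quote")
            options[key] = value

def check(text):
    """Return (apps or None, warnings, error message or None) for a config text."""
    parser = JaasParser(text)
    try:
        return parser.parse(), parser.warnings, None
    except ValueError as exc:
        return None, parser.warnings, str(exc)

# Constructed copy of the gss.conf posted above, with module class and control
# flag on one line so the stray ';' is on line 10 and the entry it breaks on 11.
POSTED_GSS_CONF = """\
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    keyTab="/opt/openfire/keytab/krb5.xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm=\u201cDOMAIN.COM
    principal="xmpp/xmpp.domain.name@DOMAIN.COM"
    useFirstPass=true
    debug=true;
    isInitiator=false;
};
"""
# Same text with the realm in ASCII quotes and only the last option ending in ';'.
FIXED_GSS_CONF = (POSTED_GSS_CONF.replace("realm=\u201cDOMAIN.COM", 'realm="DOMAIN.COM"')
                  .replace("debug=true;", "debug=true"))
```

check(POSTED_GSS_CONF) returns no entries, a warning about the typographic quote on the realm line and the error "Line 11: expected [controlFlag], found [=]"; check(FIXED_GSS_CONF) returns one Krb5LoginModule entry with nine options and no warnings. The fix it illustrates is two edits to the posted file: close the realm value with an ASCII quote (realm="DOMAIN.COM") and end only the last option with a semicolon, so that debug=true and isInitiator=false belong to the same entry.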

I did many searches on Google but didn't find how to fix this. Can anybody help?

Okay, it took me two or three days, then I gave up. After I downgraded to 3.9.3, everything works well. SO!!! I think there is a bug in version 3.10.1?

Have you tried 3.10.2? If I remember correctly, some clients used SSLv2 Hello, which was disabled in 3.10 and 3.10.1 but was restored in 3.10.2.

I haven't; when I was installing 3.10.1, 3.10.2 hadn't been released yet. I'll try it later. Have you tested 3.10.2 with SSO?

Yes, I'm using it in production now.