Openfire with Kerberos and LDAP

Hi all,

I’ve been trying to set up Openfire for a few days now and I’m having a problem with authentication using LDAP and Kerberos. I’ve followed the SSO Configuration guide, but once that is done, I’m unable to connect to Openfire using Pidgin and my Kerberos ID and password.

Here’s the provider section of my configuration file:


And the SASL section:


My final goal would be to use Kerberos for authentication and LDAP for vcards and groups. I’m not really interested in SSO since most clients don’t use it, but I would like to authenticate against the Kerberos server.

Also, I should mention that the above works with the Spark client and SSO, so it appears that is setup correctly.

I would appreciate any help or suggestions people may have for me to get this working.

What OS are your clients running on? Do you see anything in the warn.log on your Openfire server?

Poppa

The clients I’m testing with are running on Linux. Although, once this goes live, there will also be Windows clients.

With Kopete, I see the following in the warn.log:

    2007.12.10 22:10:00 User tried to authenticate with this server using an unknown receipient:

And I don’t see anything in the debug.log

When I use Pidgin I don’t see anything in the warn.log and I see the following in the debug.log:

    2007.12.10 22:04:56 XMPPCallbackHandler: RealmCallback: server_fqdn
    2007.12.10 22:04:56 XMPPCallbackHandler: NameCallback: username
    2007.12.10 22:04:56 SASLAuthentication: SaslException
    javax.security.sasl.SaslException: DIGEST-MD5: IO error acquiring password [Caused by java.io.IOException: org.jivesoftware.openfire.user.UserNotFoundException: mrunciem]
        at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(DigestMD5Server.java:577)
        at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(DigestMD5Server.java:226)
        at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:280)
        at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:156)
        at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
        at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
        at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
        at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:162)
        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
        at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:240)
        at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:284)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
        at java.lang.Thread.run(Thread.java:595)
    Caused by: java.io.IOException: org.jivesoftware.openfire.user.UserNotFoundException: username
        at org.jivesoftware.openfire.net.XMPPCallbackHandler.handle(XMPPCallbackHandler.java:75)
        at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(DigestMD5Server.java:568)
        ... 18 more

Thanks!
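The trace in the post above fails while DigestMD5Server is validating the client response and asks Openfire's callback handler for the account's password. That is inherent to the mechanism: DIGEST-MD5 (RFC 2831) is a challenge-response scheme in which the server has to recompute the client's response from the stored password, so it must look the account up and obtain its password at validation time. A backend that can only answer "is this presented password correct?" (an LDAP simple bind, or a Kerberos KDC behind it) can verify PLAIN over TLS or do GSSAPI, but can never serve DIGEST-MD5. The following Python model of that constraint is an added example, not code from the thread or from Openfire: it implements the RFC 2831 response computation, a server-side verifier that must fetch the password before it can check anything, and a bind-only backend that works for PLAIN but not for DIGEST-MD5. The account store, the two backend classes and the exception names are constructed for illustration; the test vector is the one printed in RFC 2831 section 4.

```python
"""DIGEST-MD5 (RFC 2831) vs. a bind-only password backend. Added example;
the backends, account store and exception names are constructed, the
test vector is the one from RFC 2831 section 4."""
import hashlib
import hmac


class UserNotFound(Exception):
    """Constructed stand-in for Openfire's UserNotFoundException."""


class PasswordUnavailable(Exception):
    """Raised when the backend cannot hand the server a stored password."""


def _hex_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, rspauth=False):
    """Compute the DIGEST-MD5 response-value (or rspauth-value) per RFC 2831.

    Strings are encoded as UTF-8; RFC 2831 uses ISO-8859-1 when every
    character fits in it, which is identical for the ASCII inputs used here.
    """
    # A1 = { H(username:realm:password), ":", nonce, ":", cnonce [, ":", authzid] }
    # The inner hash is the raw 16-byte digest, not its hex form.
    a1 = (hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
          + f":{nonce}:{cnonce}".encode())
    if authzid:
        a1 += f":{authzid}".encode()
    # A2 = "AUTHENTICATE:" digest-uri for the client; ":" digest-uri for rspauth.
    a2 = f"{'' if rspauth else 'AUTHENTICATE'}:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k, s) = H(k:s)
    inner = f"{nonce}:{nc}:{cnonce}:{qop}:{_hex_md5(a2.encode())}"
    return _hex_md5(f"{_hex_md5(a1)}:{inner}".encode())


class PasswordStoreBackend:
    """Backend that can return the stored secret, which DIGEST-MD5 requires."""

    def __init__(self, accounts):
        self._accounts = accounts  # constructed: {username: password}

    def get_password(self, username):
        if username not in self._accounts:
            raise UserNotFound(username)  # the failure the trace above shows
        return self._accounts[username]


class BindOnlyBackend:
    """Backend that can only test a candidate password (LDAP bind, kinit)."""

    def __init__(self, accounts):
        self._accounts = accounts

    def check_password(self, username, password):
        return self._accounts.get(username) == password


def server_verify_digest_md5(backend, username, realm, nonce, cnonce, nc, qop,
                             digest_uri, client_response):
    """Server side: recompute the response, which needs the stored password first."""
    if not hasattr(backend, "get_password"):
        raise PasswordUnavailable("DIGEST-MD5 needs the stored password; "
                                  "a verify-only backend cannot supply it")
    password = backend.get_password(username)  # may raise UserNotFound
    expected = digest_md5_response(username, realm, password, nonce, cnonce,
                                   nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)


def server_verify_plain(backend, username, password):
    """Server side for PLAIN (over TLS): just ask the backend to check the password."""
    return backend.check_password(username, password)


def demo():
    """Run both mechanisms against both backend types; returns the outcomes."""
    args = dict(username="chris", realm="elwood.innosoft.com", nonce="OA6MG9tEQGm2hh",
                cnonce="OA6MHXh6VqTrRk", nc="00000001", qop="auth",
                digest_uri="imap/elwood.innosoft.com")
    client_resp = digest_md5_response(password="secret", **args)
    results = {}
    store = PasswordStoreBackend({"chris": "secret"})
    results["digest_with_store"] = server_verify_digest_md5(store, client_response=client_resp, **args)
    try:
        server_verify_digest_md5(store, client_response=client_resp, **dict(args, username="nobody"))
        results["digest_unknown_user"] = "accepted"
    except UserNotFound as e:
        results["digest_unknown_user"] = f"UserNotFound: {e}"
    bind = BindOnlyBackend({"chris": "secret"})
    try:
        server_verify_digest_md5(bind, client_response=client_resp, **args)
        results["digest_with_bind"] = "accepted"
    except PasswordUnavailable:
        results["digest_with_bind"] = "PasswordUnavailable"
    results["plain_with_bind"] = server_verify_plain(bind, "chris", "secret")
    results["plain_wrong_password"] = server_verify_plain(bind, "chris", "wrong")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical reading of this for an LDAP- or Kerberos-backed Openfire is that the mechanism list has to match what the backend can do: offer GSSAPI to clients that have a ticket, and PLAIN only on a TLS-protected stream, and do not expect DIGEST-MD5 to work unless the auth provider can actually return the password.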

Hmm, not too familiar with Linux as clients. However, are all your Linux clients bound to your Active Directory? They might need to be to use Windows Kerberos services.

Poppa

We’re not using Active Directory, we’re using OpenLDAP. Basically we have very few Windows computers on our network. Mostly everything is Linux.

I’ve managed to get authentication to happen against our LDAP server, which in turn talks to the Kerberos server for authentication. So that is OK for now. But ideally, we’d like to just authenticate against the Kerberos server directly rather than going through the LDAP server.