Hi, I have hit problems trying to get our Openfire 3.3.2 server running SSO.
Server: Openfire 3.3.2 running on Debian Linux, hostname comms.shs.wilts.sch.uk (FQDN)
Client: Spark 2.5.6 on Windows XP
KDC: Windows 2003 PDC casper.shs.wilts.sch.uk
XMPP user account: xmpp-comms
I have read the wiki and followed it through, and looking at other posts, I think I've done everything correctly. However, when I log in via Spark, I get "Unable to connect using Single Sign-On. Please check your principal and server settings".
Obviously I've missed something, can anyone spot it? Thanks.
The principal was created on the KDC/PDC 2003 server using ktpass -princ xmpp/comms.shs.wilts.sch.uk@SHS.WILTS.SCH.UK -mapuser xmpp-comms@shs.wilts.sch.uk and copied to /opt/openfire/conf/
gss.conf contains
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/conf/jabber.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="SHS.WILTS.SCH.UK"
    principal="xmpp/comms.shs.wilts.sch.uk@SHS.WILTS.SCH.UK"
    debug=true;
};
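An added example, not from the original post or from the Openfire project: a minimal reader for the MIT keytab v2 format (the file layout ktpass writes), so the keytab under /opt/openfire/conf can be checked for the exact principal, kvno and enctype that gss.conf names before Openfire is pointed at it. It assumes the ktpass output is a v2 keytab; the bytes it parses are a sample constructed in memory for the principal from the post, with a dummy key.

```python
# Added example: reads MIT keytab v2 (magic 0x0502) entries, never exposing key bytes.
import struct

def _counted(buf, pos):                    # uint16 length-prefixed octet string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """One dict per entry: principal, kvno, enctype, timestamp. Key material is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key bytes
        _, ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen
        kvno = vno8
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, p)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "timestamp": ts})
        pos = end
    return entries

def has_principal(data, principal):        # exact match, so realm case mismatches show up
    return any(e["principal"] == principal for e in parse_keytab(data))

def build_entry(principal, kvno, enctype, key, ts=0):   # constructed sample only
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: the post's service principal, enctype 23 = rc4-hmac (the Windows 2003
# ktpass default), dummy all-zero key. For the real file, pass open(path, "rb").read().
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "xmpp/comms.shs.wilts.sch.uk@SHS.WILTS.SCH.UK", kvno=3, enctype=23, key=b"\0" * 16)
```

Where the krb5 tools are installed, klist -k /opt/openfire/conf/jabber.keytab prints the same principal and kvno information.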
My klist output is:
Default principal: AWOOKEY@SHS.WILTS.SCH.UK
Valid starting Expires Service principal
08/29/07 13:13:05 08/29/07 23:13:07 krbtgt/SHS.WILTS.SCH.UK@SHS.WILTS.SCH.UK
renew until 08/30/07 13:13:05
Kerberos 4 ticket cache: /tmp/tkt0
My openfire.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  This file stores bootstrap properties needed by Openfire.
  Property names must be in the format: "prop.name.is.blah=value"
  That will be stored as:
    <prop>
      <name>
        <is>
          <blah>value</blah>
        </is>
      </name>
    </prop>
  Most properties are stored in the Openfire database. A
  property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
  <admin>
    <!-- Use this section to define users that will have admin privileges. Below,
         you will find two ways to specify which users are admins. Admins will
         have access to the admin console (only local users) and may also have access
         to other functionalities like ad-hoc commands. -->
    <!-- By default, only the user with the username "admin" can login
         to the admin console. Alternatively, you can specify a comma-delimited
         list of usernames that should be authorized to login to the admin console
         by setting the <authorizedUsernames> field below. -->
    <!-- <authorizedUsernames></authorizedUsernames> -->
    <!-- Comma-delimited list of bare JIDs. The JIDs may belong to local
         or remote users. -->
    <!-- <authorizedJIDs></authorizedJIDs> -->
    <authorizedUsernames>aw,matt</authorizedUsernames>
  </admin>
  <locale>en</locale>
  <!-- Network settings. By default, Openfire will bind to all network interfaces.
       Alternatively, you can specify a specific network interface that the server
       will listen on. For example, 127.0.0.1. This setting is generally only useful
       on multi-homed servers. -->
  <!--
  <network>
    <interface></interface>
  </network>
  -->
  <connectionProvider>
    <className>org.jivesoftware.database.DefaultConnectionProvider</className>
  </connectionProvider>
  <database>
    <defaultProvider>
      <driver>com.mysql.jdbc.Driver</driver>
      <serverURL>jdbc:mysql://10.4.136.50:3306/wildfire</serverURL>
      <username>wilduser</username>
      <password>xxxx</password>
      <minConnections>5</minConnections>
      <maxConnections>15</maxConnections>
      <connectionTimeout>1.0</connectionTimeout>
    </defaultProvider>
  </database>
  <ldap>
    <host>casper.shs.wilts.sch.uk</host>
    <port>389</port>
    <baseDN>OU=Teachers,DC=shs,DC=wilts,DC=sch,DC=uk</baseDN>
    <adminDN>CN=A Wookey,OU=Support Staff,OU=Teachers,DC=shs,DC=wilts,DC=sch,DC=uk</adminDN>
    <adminPassword>xxxx</adminPassword>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>false</sslEnabled>
    <ldapDebugEnabled>false</ldapDebugEnabled>
    <autoFollowReferrals>false</autoFollowReferrals>
    <usernameField>sAMAccountName</usernameField>
    <searchFilter>(objectClass=organizationalPerson)</searchFilter>
    <vcard-mapping><![CDATA[
      <vCard xmlns="vcard-temp">
        <N>
          <GIVEN></GIVEN>
        </N>
        <EMAIL>
          <INTERNET/>
          <USERID></USERID>
        </EMAIL>
        <FN></FN>
        <ADR>
          <HOME/>
          <STREET></STREET>
          <PCODE></PCODE>
          <CTRY></CTRY>
        </ADR>
        <ADR>
          <WORK/>
          <STREET></STREET>
          <LOCALITY></LOCALITY>
          <REGION></REGION>
          <PCODE></PCODE>
          <CTRY></CTRY>
        </ADR>
        <TEL>
          <HOME/>
          <VOICE/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <HOME/>
          <CELL/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <VOICE/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <CELL/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <FAX/>
          <NUMBER></NUMBER>
        </TEL>
        <TEL>
          <WORK/>
          <PAGER/>
          <NUMBER></NUMBER>
        </TEL>
        <TITLE></TITLE>
        <ORG>
          <ORGUNIT></ORGUNIT>
        </ORG>
      </vCard>]]></vcard-mapping>
    <nameField>cn</nameField>
    <emailField>mail</emailField>
    <groupNameField>cn</groupNameField>
    <groupMemberField>member</groupMemberField>
    <groupDescriptionField>description</groupDescriptionField>
    <posixMode>false</posixMode>
    <groupSearchFilter>(objectClass=group)</groupSearchFilter>
  </ldap>
  <provider>
    <authorization>
      <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
      <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy -->
    </authorization>
    <vcard>
      <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <group>
      <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group>
  </provider>
  <setup>true</setup>
  <!-- sasl configuration -->
  <sasl>
    <!-- Include a comma-separated list of the authentication mechanisms
         to advertise support for to clients. Make sure GSSAPI is listed,
         and best if it's listed first. The order of mechanisms is important;
         clients should try to use the first mechanism they support
         (although not all will). Some clients will try to use the most
         secure first.
         You can add other mechanisms in order to support non-GSSAPI clients,
         or clients who cannot authenticate to the realm (like Windows 9X,
         off-site, and so on). Keep in mind that by allowing other mechanisms
         you are compromising the security of your realm. Be sure to talk
         to the Security Officer/Directory/Manager/Administrator about any
         policies your organization might have before enabling less secure
         mechanisms. By removing PLAIN and ANONYMOUS from the list, you will
         also disable non-SASL authentications.
         Keep in mind that a mechanism listed here might not actually be
         advertised, such as when the authProvider can't support the mechanism.
         PLAIN and ANONYMOUS mechanisms also enable non-SASL authentication
         (the old style XMPP auth), so removing them from this list will
         disallow non-SASL authentication. -->
    <mechs>GSSAPI</mechs>
    <!-- <mechs>CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS</mechs> -->
    <!-- Specify the realm you used when you created the service principal
         and keytab. -->
    <realm>SHS.WILTS.SCH.UK</realm>
    <!-- Mechanism-specific configuration here -->
    <gssapi>
      <!-- Use true to turn on debugging information. This adds a lot
           of noise to your log files, but it can help you spot problems
           sooner in the initial setup. -->
      <debug>true</debug>
      <!-- Specify the location of the GSSAPI configuration file you edited. -->
      <config>/opt/openfire/conf/gss.conf</config>
      <!-- Sets the system property with the same name. You'll probably want
           "false" here (the default). For more details, see
           http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html -->
      <useSubjectCredsOnly>false</useSubjectCredsOnly>
    </gssapi>
  </sasl>
  <log>
    <debug>
      <enabled>true</enabled>
    </debug>
  </log>
</jive>