Single Sign On on Linux

I have searched the forums and it appears that there once was a nice "howto" on how to configure SSO on Linux in the wiki. As the wiki no longer exists, does anyone know where I can find some documentation to configure SSO on Openfire 3.6.4 running on Debian with a MySQL db and authenticating against W2k3 Active Directory?

-daggg

Google is your friend

http://andy.roon.us/?p=1

That appears to be a good article.

This is also pretty much exactly my setup, so I will give some details on what I did, especially since I could never really find a guide to match my setup when I did this. These are my notes; I wrote them while making sure I could reproduce my SSO setup.

  • On the Debian server, install krb5-config and krb5-client and samba (for time syncing)
  • Sync time with your DC: net time set server=yourdc.fqdn.com
  • Edit /etc/krb5.conf to look like the attached
  • Create a keytab on the DC using the notes below
  • Copy the keytab to your Linux machine and put it in the Openfire dir /opt/openfire/resources/
  • Edit openfire.xml with the attached edits
  • Create gss.conf to match the attached

I also changed settings to remove my domain information, so you will need to edit them for your environment.

Keytab creation

First create a new domain user (openfire_username).

On your DC run the command setspn -l openfire_username

If any keytabs exist for the user, delete them with setspn -d xmpp/debian.f.q.d.n openfire_username

I couldn't get this to work with the W2k3 ktpass tool and downloaded the one from 2000 Server.

ktpass -princ xmpp/debian.f.q.d.n@MY.DOMAIN.COM -mapuser openfire_username -pass PASSWORD -out unique_filename

In the above, debian.f.q.d.n is the FQDN of your Linux server, and in my attached files, case does matter.

After that I used the spark.properties on my client machine to replace the existing spark.properties, then started Spark up and am able to connect.

I make no guarantees that this will work for you. My Openfire server is 3.5.1 and I am running Debian etch. For Kerberos, time is crucial, as are DNS entries, so the time on the server should be very close to your DC (that's why I sync it with cron daily). I also couldn't get this to work when I had multiple DNS names pointing to the same machine.

Hope it helps.
server_krb5.conf.zip (752 Bytes)
gss.conf.zip (332 Bytes)
openfire.xml.zip (1414 Bytes)
spark.properties.zip (655 Bytes)
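A small checker for the keytab produced in the steps above, added here as an example and not part of any post in this thread: it parses the MIT keytab format (version 0x0502, the format klist -k reads) and reports the principal, kvno and enctype of each entry, confirms the xmpp/… SPN is present with exactly the case the post warns about, and flags a keytab left readable by other users. The function names, the constructed sample keytab and the RC4 enctype number 23 used in the test are assumptions, not anything from the post.

```python
import os, stat, struct

def _cstr(buf, pos):   # 16-bit length-prefixed string (keytab "counted octet string")
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):   # MIT keytab, format version 0x0502, all fields big-endian
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:   # a negative size marks a deleted slot, which is skipped
            (ncomp,) = struct.unpack_from(">H", data, pos)
            parts, p = [], pos + 2
            for _ in range(ncomp + 1):   # realm first, then the name components
                s, p = _cstr(data, p)
                parts.append(s)
            _nametype, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, p)
            (keylen,) = struct.unpack_from(">H", data, p + 11)
            p += 13 + keylen   # step over the key bytes; only metadata is reported
            vno = vno8         # an optional trailing 32-bit kvno wins when non-zero
            if end - p >= 4:
                vno = struct.unpack_from(">I", data, p)[0] or vno8
            entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                            "kvno": vno, "enctype": enctype})
        pos = end
    return entries

def make_keytab(principal, kvno, enctype, key):
    """Build a one-entry keytab (a constructed sample for testing, not ktpass output)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)   # name type 1 = NT-PRINCIPAL
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def keytab_problems(path, expected_principal):
    """Flag a keytab readable by group/other and a missing or mis-cased SPN."""
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("keytab is readable by group/other; chmod 600 it")
    names = [e["principal"] for e in parse_keytab(open(path, "rb").read())]
    if expected_principal not in names:
        problems.append("%s not in keytab, found %s (case matters)" % (expected_principal, names))
    return problems
```

Run keytab_problems against the copied keytab with the exact principal you passed to ktpass -princ; an empty list means the SPN and file mode are as expected.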

Thanks for the reply. Did you need to add the Openfire server to the domain?

-dagg

I did not. It's a trivial step beyond this config, since I have several other Debian servers joined to the domain. It's not needed for this configuration. The keytab is what allows the Kerberos authentication to be successful. It has also been said that you should protect that file because of that (i.e. don't just leave it in random unprotected folders).

Followed your instructions. When I add the entries into the openfire.xml file I am unable to log in at all. I don't think I am editing it right. I just pasted everything from your file into mine and then changed the necessary parameters, as my file didn't look anything like yours.

-daggg

Are you getting any errors in the logs, and when you say you can't log in, is that Spark and web administration? What version of Openfire are you using? I have been playing around with upgrading my environment but haven't had a real chance to try it. I could give it a try depending on your version.

I am using Openfire version 3.6.4. FYI, the location of the files on version 3.6.4 on Debian is /usr/share/openfire. I believe I installed using the deb package, though. What logs are you talking about? Are you talking about logs in the admin console or logs in /var/log? Incidentally, is that your complete openfire.xml?

My XML was only the additional parts; you need to merge that with yours. If the section exists, just modify it. I was talking about the Openfire logs, I am guessing /usr/share/openfire/logs? And like I said above, my configs are from 3.5.1 and I haven't tested it above that.

I apologize for not getting back sooner. I don't see anything in the logs that would indicate a problem. Have you had a chance to try this on Openfire 3.6.4?