Single Sign On

It's in there (subversion). So, who is brave? I'm looking for a few good test environments. I've had a few people test for me, with moderate success, and my tests all went well. This code is very very new. There are a bunch of test scenarios that have not yet been tested, and that's what I could use some help with. These really should be test environments and not production environments. That said, here is what I'm looking for:

  • Linux environment, MIT Kerberos

  • Linux environment, Heimdal Kerberos

  • Windows 2003 Active Directory environment

  • Windows 2000 Active Directory environment

  • Mixed Linux/Windows environment, MIT Kerberos

  • Mixed Linux/Windows environment, Heimdal Kerberos

  • Mixed Linux/Windows environment, Windows AD as KDC

Some knowledge of Kerberos and/or Active Directory will be required, as well as some administrative abilities. You will need to create new users and principals, a keytab, and access to logs on the various servers. I can't really provide one-on-one support for many more people than I've been working with already, so no private messages on the subject please. Let's keep the discussion in the forums.

I am in the process of writing documentation on how to use this, so if you are interested, able, and have one of the environments listed above, describe your environment here so I can make sure the documentation addresses it properly.

Hi,

I'd like to test Wildfire with mit-kerberos and different clients. Could you please post some instructions on setting up Kerberos?

Especially which Kerberos principal the server uses, where it gets its realm name from and where to put the keytab.

Stephan

Stephan,

The service principal needs to match the DNS hostname of the server with a service of xmpp. For example, if your hostname was server04.example.com and your realm was EXAMPLE.COM, the service principal would need to be xmpp/server04.example.com@EXAMPLE.COM

Since it's a good idea to have Wildfire run as a normal user and not root, you will want to put this in a different keytab that user has permissions to. I've been using /opt/wildfire/resources/krb5.keytab lately.

Hi,

where do I configure the path to the keytab? Is /opt/wildfire/resources/krb5.keytab a standard path?

Do you have a list of clients that are known to work?

Stephan Wienczny

It's in the docs I'm writing!

OK, here it is with minimal explanation. Add this to your wildfire.xml:


Then, make a new file /opt/wildfire/conf/gssapi.conf that looks like this:

/**
 * Login Configuration for JAAS.
 */
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        keyTab="/opt/wildfire/resources/krb5.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="EXAMPLE.COM"
        principal="xmpp/hostname.example.com@EXAMPLE.COM"
        debug=true;
};

As far as clients go… not much yet. Gaim 2.0 should have support, but I've never tested. The Spark changes should be showing up soon. I have a Smack library and test application to verify things are working, and Spark will end up using this.

Things to keep in mind: Java 1.5 doesn't support AES encryption; you need Java 1.6 (beta) for that. If you want advanced encryption (with MIT Kerberos, you most likely do) you need to get the JCE from Java that has unlimited encryption support. It's on the same download page as Java itself (at the bottom of the list of things).
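As an added sanity check (not code from the thread, from Wildfire, or from its author), this script parses a gssapi.conf entry like the one above and flags the points the thread makes: a service principal that is not xmpp/<DNS hostname>@<REALM>, a missing useKeyTab/storeKey for the acceptor, and a keytab that the non-root Wildfire user should own but that is readable by others. The sample config, the hostname server04.example.com and the mode/uid values are constructed.

```python
import re
import stat

# Constructed sample of the gssapi.conf entry described in the thread (not the poster's file).
SAMPLE_CONF = '''
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true keyTab="/opt/wildfire/resources/krb5.keytab"
        doNotPrompt=true useKeyTab=true realm="EXAMPLE.COM"
        principal="xmpp/server04.example.com@EXAMPLE.COM" debug=true;
};
'''

# option=value pairs; values are either double-quoted strings or bare tokens.
OPTION_RE = re.compile(r'(\w+)=("([^"]*)"|\S+?)(?=\s|;|$)')


def parse_jaas_options(text):
    """Return the options of the first Krb5LoginModule entry as a dict (quotes stripped)."""
    body = re.search(r'Krb5LoginModule\s+\w+\s+(.*?);', text, re.S)
    if not body:
        raise ValueError("no Krb5LoginModule entry found")
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in OPTION_RE.finditer(body.group(1))}


def expected_principal(hostname, realm):
    """Service principal the thread requires: xmpp/<DNS hostname>@<REALM>."""
    return f"xmpp/{hostname.lower()}@{realm}"


def check_config(text, hostname, keytab_mode=None, keytab_uid=None, service_uid=None):
    """Return misconfiguration findings (empty list = looks sane). Mode/uid values are
    passed in (e.g. from os.stat and pwd) so this also runs without the real keytab."""
    opts = parse_jaas_options(text)
    findings = []
    realm = opts.get("realm", "")
    principal = opts.get("principal", "")
    want = expected_principal(hostname, realm)
    if principal != want:
        findings.append(f"principal {principal} does not match {want}")
    if opts.get("useKeyTab") != "true" or opts.get("storeKey") != "true":
        findings.append("acceptor needs useKeyTab=true and storeKey=true")
    if opts.get("debug") == "true":
        findings.append("debug=true prints credential details to stdout; disable after testing")
    if keytab_mode is not None and keytab_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab mode {oct(stat.S_IMODE(keytab_mode))} is group/world accessible")
    if None not in (keytab_uid, service_uid) and keytab_uid != service_uid:
        findings.append("keytab is not owned by the service user Wildfire runs as")
    return findings
```

On a real host, pass `os.stat(path).st_mode`, `os.stat(path).st_uid` and `pwd.getpwnam("wildfire").pw_uid` for the keytab arguments.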