It's quite a while since I moved to SRV records for emedia.co.uk. Can you please let me know what needs changing to move back to a hostname, and do I need to use the server hostname of athena.emedia.co.uk or can I still use my original name of im.emedia.co.uk, which was a CNAME for athena?
There is a setting for the fqdn- I think you might need to set that if you haven't already. Go to the admin console, then server properties, and set xmpp.fqdn to the correct fqdn for your server. The problem was a performance one (I remember discussing this with Gato now)- and since the fqdn can be considered a constant we can save the trouble of the lookup by setting the property. At least I think that setting this property will short-circuit the DNS logic that Sun uses…
If that works, I'll update the documentation accordingly.
You'll need to change the server name within the web console to the actual hostname.
That'll change your users' JIDs, and also the names of all server components.
In terms of DNS, you'll need to find the server somehow, but it doesn't matter how; either the server name you enter in Spark should be resolvable, or you specify a different server name/IP on the advanced tab.
However, I'd change this with caution, as your database will contain some references to the old JIDs.
I'm a little confused now. Slushpuppy, are you saying this variable will fix my current problem using SRV records and SSO now? Looking at http://www.igniterealtime.org/issues/browse/JM-952 it seems that the xmpp.fqdn variable is only for 3.2.0 Openfire?
stupid alert!: sorry, I'm running 3.3.1, newer than 3.20 I know
on the off chance that it was supposed to help my problem I've tried again with settings as they were but with the new xmpp.fqdn property set to athena.emedia.co.uk.
The SSO still fails but I've got different errors now.
Openfire debug.log:
2007.06.19 16:01:12 SDavis@EMEDIA.CO.UK not authorized to sdavis
2007.06.19 16:01:12 SaslException
javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: SDavis@EMEDIA.CO.UK is not authorized to connect as sdavis]
at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:281)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:144)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:200)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:266)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:326)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: SDavis@EMEDIA.CO.UK is not authorized to connect as sdavis
openfire error.log (following the restart of the service)
2007.06.19 16:03:09 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.LooseAuthorizationProvider
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.LooseAuthorizationProvider
2007.06.19 16:03:09 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
Is this progress?
Yep, that looks like an openfire.xml error on authorization.
I've added the property and SSO works fine now with SRV (thanks Jay!)
D
I'm going back and double checking my openfire.xml changes and have found a discrepancy in the docs on http://wiki.igniterealtime.org/display/WILDFIRE/Configuring+Openfire+for+Kerberos
The example provided for the authorization settings states:
<provider>
  <authorization>
    <classList>org.jivesoftware.openfire.sasl.LazyAuthorizationPolicy org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
    <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy-->
  </authorization>
</provider>
and then goes on to say in 3.3.1 Openfire you need to use: LooseAuthorizationProvider
One says LazyAuthorizationPolicy and one says LooseAuthorizationProvider
Which one should I use?
steve,
Yes, the xmpp.fqdn should fix your original issue. The new issue you are having is an authorization issue. Make sure you are using the right one- I think you need Loose and not Lazy. If one isn't working, try the other.
I was using LooseAuthorizationProvider and have just tried using LazyAuthorizationPolicy and neither work, the same error occurs when the service is restarted.
2007.06.19 16:35:10 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.LazyAuthorizationPolicy
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.LazyAuthorizationPolicy
2007.06.19 16:35:10 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
I'm sure I'm really close
Can you post your openfire.xml config? (be sure to remove any passwords that show up in it)
here you go, bits hidden where necessary:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    This file stores bootstrap properties needed by Jive Messenger.
    Property names must be in the format: "prop.name.is.blah=value"
    That will be stored as:
        <prop>
            <name>
                <is>
                    <blah>value</blah>
                </is>
            </name>
        </prop>

    Most properties are stored in the Jive Messenger database. A
    property viewer and editor is included in the admin console.
-->
<!-- root element, all properties must be under this element -->
<jive>
  <sasl>
    <mechs>GSSAPI,ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,NTLM</mechs>
    <realm>EMEDIA.CO.UK</realm>
    <gssapi>
      <!-- GSSAPI needs its own config file -->
      <config>D:/Program Files/Wildfire/conf/gssapi.conf</config>
      <!-- most will set useSubjectCredOnly to false (the default)
           See http://java.sun.com/j2se/1.4.2/docs/api/org/ietf/jgss/package-summary.html for more details -->
      <useSubjectCredsOnly>false</useSubjectCredsOnly>
      <debug>true</debug>
    </gssapi>
  </sasl>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
    <!-- By default, only the user with the username "admin" can login
         to the admin console. Alternatively, you can specify a comma-delimited
         list of usernames that should be authorized to login by setting the
         <authorizedUsernames> field below. -->
    <authorizedUsernames>hidden</authorizedUsernames>
  </adminConsole>
  <locale>en</locale>
  <ldap>
    <host>hidden</host>
    <port>389</port>
    <usernameField>sAMAccountName</usernameField>
    <nameField>displayName</nameField>
    <emailField>mail</emailField>
    <baseDN>DC=emedia;DC=co;DC=uk</baseDN>
    <adminDN>hidden</adminDN>
    <adminPassword>hidden</adminPassword>
    <!-- the ampersands must be escaped as &amp; for the file to stay well-formed XML -->
    <searchFilter>(&amp;(objectCategory=Person)(&amp;(memberOf=CN=IM,CN=Users,DC=emedia,DC=co,DC=uk)(sAMAccountName={0})))</searchFilter>
    <vcard-mapping>
      <![CDATA[
      <vCard xmlns="vcard-temp">
        <N>
          <GIVEN>{displayName}</GIVEN>
        </N>
        <EMAIL>
          <INTERNET></INTERNET>
          <USERID>{mail}</USERID>
        </EMAIL>
        <FN>{displayName}</FN>
        <NICKNAME>{sAMAccountName}</NICKNAME>
        <ADR>
          <HOME></HOME>
        </ADR>
        <ADR>
          <WORK></WORK>
          <STREET>{streetAddress}</STREET>
          <LOCALITY>{l}</LOCALITY>
          <REGION>{st}</REGION>
          <PCODE>{postalCode}</PCODE>
          <CTRY>{co}</CTRY>
        </ADR>
        <TEL>
          <WORK></WORK>
          <VOICE></VOICE>
          <NUMBER>{telephoneNumber}</NUMBER>
        </TEL>
        <TEL>
          <WORK></WORK>
          <CELL></CELL>
          <NUMBER>{mobile}</NUMBER>
        </TEL>
        <TEL>
          <WORK></WORK>
          <FAX></FAX>
          <NUMBER>{facsimileTelephoneNumber}</NUMBER>
        </TEL>
        <TITLE>{title}</TITLE>
        <ORG>
          <ORGUNIT>{department}</ORGUNIT>
        </ORG>
      </vCard>
      ]]>
    </vcard-mapping>
    <connectionPoolEnabled>true</connectionPoolEnabled>
    <sslEnabled>false</sslEnabled>
    <ldapDebugEnabled>false</ldapDebugEnabled>
    <autoFollowReferrals>false</autoFollowReferrals>
  </ldap>
  <provider>
    <authorization>
      <classList>org.jivesoftware.openfire.sasl.LooseAuthorizationProvider org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider</classList>
      <!-- other options: null, LdapAuthorizationProvider, UnixK5LoginProvider, Strict and Lazy-->
    </authorization>
    <user>
      <className>org.jivesoftware.openfire.ldap.LdapUserProvider</className>
    </user>
    <auth>
      <className>org.jivesoftware.openfire.ldap.LdapAuthProvider</className>
    </auth>
    <vcard>
      <className>org.jivesoftware.openfire.ldap.LdapVCardProvider</className>
    </vcard>
    <!--<group>
      <className>org.jivesoftware.openfire.ldap.LdapGroupProvider</className>
    </group> -->
  </provider>
  <!-- End example LDAP settings -->
  <connectionProvider>
    <className>org.jivesoftware.database.DefaultConnectionProvider</className>
  </connectionProvider>
  <database>
    <defaultProvider>
      <driver>com.microsoft.jdbc.sqlserver.SQLServerDriver</driver>
      <serverURL>jdbc:microsoft:sqlserver://localhost:1433;databasename=hidden;SelectMethod=Cursor</serverURL>
      <username>hidden</username>
      <password>hidden</password>
      <minConnections>5</minConnections>
      <maxConnections>15</maxConnections>
      <connectionTimeout>1.0</connectionTimeout>
    </defaultProvider>
  </database>
  <setup>true</setup>
  <log>
    <debug>
      <enabled>true</enabled>
    </debug>
  </log>
</jive>
I think you may have stumbled upon a bug, sorta. While Kerberos principals are supposed to be case sensitive (SDavis != sdavis) JID node names are case insensitive. So the Loose authorization policy should probably do a case insensitive match on username comparisons. Is there any way you can log in and get your username all lower case? My guess is it will work fine if you can manage that.
JM-1086 was opened for this.
The change was picked up quicker than I expected. My login ID is now sdavis (all lowercase) but it looks like the error is the same:
2007.06.19 17:21:55 sdavis@EMEDIA.CO.UK not authorized to sdavis
2007.06.19 17:21:55 SaslException
javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: sdavis@EMEDIA.CO.UK is not authorized to connect as sdavis]
at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(Unknown Source)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:281)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:144)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:132)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:703)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:62)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:200)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:362)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:54)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:800)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:266)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:326)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: sdavis@EMEDIA.CO.UK is not authorized to connect as sdavis
... 19 more
Hmm… I'm at a loss on this one. Everything appears to be correct. In the logs it should say something about which authorization providers it loaded (or failed to load); can you paste that?
Lost in the noise; I posted this earlier. This appears whenever the service is restarted but NOT when I try and log in.
2007.06.19 16:03:09 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.LooseAuthorizationProvider
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.LooseAuthorizationProvider
2007.06.19 16:03:09 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
Ok, that is definitely the problem here. You have no authorization provider, thus the only thing that will work is an exact 1:1 match. To find out exactly what you have, take a look at the openfire.jar (in the lib directory). Winzip should be able to open this, or you can use the jar command: jar -tf openfire.jar
You are looking for what is in org/jivesoftware/openfire/sasl/ There should be a few providers there. The fact you get an error on DefaultAuthorizationProvider makes me wonder what you really have in there.
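To make the two points made in this thread concrete (an authorization provider that fails to load leaves only the exact 1:1 comparison, and a loose policy has to compare the Kerberos principal name to the JID node case-insensitively), here is a small model in Python. It is an added illustration, not Openfire's code: the strict/loose rules and the POLICIES registry are assumptions, and the class names are simply the ones quoted in the thread.

```python
# Added example, not Openfire's code: a model of the SASL GSSAPI authorization
# step for the thread's principal/JID pair, for each way the <classList> can load.
# Assumed semantics: strict = exact name in the server realm, loose = case-insensitive.

def parse_principal(authn_id: str) -> tuple:
    """Split 'name@REALM' into (name, realm); a realm-less id gets realm ''."""
    name, sep, realm = authn_id.rpartition("@")
    return (name, realm) if sep else (authn_id, "")

def exact_match(authn_id: str, authz_id: str) -> bool:
    """No provider loaded: the whole authentication id must equal the JID
    node, so 'sdavis@EMEDIA.CO.UK' can never authorize as 'sdavis'."""
    return authn_id == authz_id

def strict_policy(authn_id: str, authz_id: str, realm: str) -> bool:
    """Assumed strict rule: same realm, byte-for-byte equal user name."""
    name, prealm = parse_principal(authn_id)
    return prealm == realm and name == authz_id

def loose_policy(authn_id: str, authz_id: str, realm: str) -> bool:
    """Assumed loose rule: same realm, user name compared case-insensitively
    (JID nodes are case-insensitive, Kerberos principals are not)."""
    name, prealm = parse_principal(authn_id)
    return prealm.upper() == realm.upper() and name.lower() == authz_id.lower()

# Hypothetical registry standing in for the classes present in openfire.jar.
POLICIES = {
    "org.jivesoftware.openfire.sasl.StrictAuthorizationPolicy": strict_policy,
    "org.jivesoftware.openfire.sasl.LooseAuthorizationPolicy": loose_policy,
}

def load_providers(class_list: str) -> tuple:
    """Resolve the space-separated classList; unknown names are reported
    (like the ClassNotFoundException lines in error.log) and skipped."""
    loaded, errors = [], []
    for cls in class_list.split():
        if cls in POLICIES:
            loaded.append(POLICIES[cls])
        else:
            errors.append(f"Error loading AuthorizationProvider: {cls}")
    return loaded, errors

def authorize(authn_id: str, authz_id: str, realm: str,
              class_list: str) -> tuple:
    """Any loaded provider may grant; with none loaded only an exact match works."""
    providers, errors = load_providers(class_list)
    if not providers:
        return exact_match(authn_id, authz_id), errors
    return any(p(authn_id, authz_id, realm) for p in providers), errors
```

Running `authorize("sdavis@EMEDIA.CO.UK", "sdavis", "EMEDIA.CO.UK", ...)` with the thread's first classList (two non-existent classes) is refused with two load errors, while the classList naming LooseAuthorizationPolicy grants access and logs only the DefaultAuthorizationProvider error, which is the outcome reported at the end of the thread.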
the .jar file contains:
AbstractAuthorizationProvider.class
AuthorizationManager.class
AuthorizationPolicy.class
GSSAPIAuthorizationProvider$AuthPolicy.class
GSSAPIAuthorizationProvider.class
LooseAuthorizationPolicy.class
StrictAuthorizationPolicy.class
UnixK5LoginProvider.class
There is no LazyAuthorizationPolicy or LooseAuthorizationProvider. I updated my openfire.xml with LooseAuthorizationPolicy and restarted the service.
The following error is logged BUT I GOT IN!!!
2007.06.19 17:45:57 [org.jivesoftware.openfire.sasl.AuthorizationManager.<clinit>(AuthorizationManager.java:62)
] Error loading AuthorizationProvider: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
java.lang.ClassNotFoundException: org.jivesoftware.openfire.sasl.DefaultAuthorizationProvider
BIG step forward. Thanks for your help and patience.
Should I be concerned about this last error?
Nope- but if you want to get rid of it just remove the Default provider from the list in your openfire.xml.