
SSO Optimizations

I finally got SSO working but have some questions.

Should I be using this:

```xml
<authorization>
    <classList>org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy</classList>
</authorization>
```

I am currently using LooseAuth… and Openfire 3.3.1. My next question/problem is that when I take my laptop home and try to connect, it doesn't work over VPN; I have to reauthenticate myself (doing a runas) and then it works. So I am guessing this is because I no longer have a cached Kerberos ticket on my laptop. Is there anything that can be changed with this `<mechs>GSSAPI</mechs>`? I know it mentioned other options besides GSSAPI, I just didn't understand what the other options will do. I have looked at the ntlmmod but my Openfire runs on Linux. Any help is greatly appreciated.

In the newer versions of Openfire you can skip the authorization stanza in the XML config entirely unless you need something specific. In fact I recommend doing so in case the default provider class needs to change in the future.

The GSSAPI method requires an active, valid ticket, which means your system must be able to obtain such a ticket. If you connect via VPN, there might be a way to get Windows to obtain a ticket, but that depends on how things are set up for you. In the absence of a ticket, you will need to connect with some other mechanism. This is what you set in the sasl mechs section of the XML config. You can add PLAIN if you wish, which will allow logins with a simple password (the password coming from the other providers you configured: LDAP, database, whatever).
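An added example, not part of the thread and not Openfire code: SASL PLAIN sends the password itself to the server, so if it is enabled as a fallback next to GSSAPI it is worth checking that the server only advertises it once TLS is active. The sketch below audits an XMPP `<stream:features/>` stanza (namespaces from RFC 6120); the stanzas are constructed samples, and the function name and finding labels are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"tls": "urn:ietf:params:xml:ns:xmpp-tls",
      "sasl": "urn:ietf:params:xml:ns:xmpp-sasl"}
CLEARTEXT_MECHS = {"PLAIN"}  # mechanisms that hand the raw password to the server


def audit_features(features_xml, tls_active):
    """Return advertised SASL mechanisms and findings for one <stream:features/>."""
    root = ET.fromstring(features_xml)
    mechs = [m.text.strip()
             for m in root.findall("sasl:mechanisms/sasl:mechanism", NS) if m.text]
    starttls = root.find("tls:starttls", NS)
    tls_required = starttls is not None and starttls.find("tls:required", NS) is not None
    findings = []
    if not tls_active:
        # Anything advertised here is usable over an unencrypted connection.
        if CLEARTEXT_MECHS & set(mechs):
            findings.append("cleartext-mech-before-tls")
        if starttls is None:
            findings.append("no-starttls-offered")
        elif not tls_required:
            findings.append("starttls-optional")
    if mechs == ["GSSAPI"]:
        # The situation in the thread: no Kerberos ticket means no login at all.
        findings.append("gssapi-only-no-fallback")
    return {"mechanisms": mechs, "tls_required": tls_required, "findings": findings}


def _features(body):
    # Helper that wraps constructed child elements in a stream:features stanza.
    return ("<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
            + body + "</stream:features>")


_MECHS = ("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
          "<mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism></mechanisms>")

# Constructed samples: features seen before STARTTLS, after TLS, and GSSAPI-only.
PRE_TLS = _features("<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>" + _MECHS)
POST_TLS = _features(_MECHS)
GSSAPI_ONLY = _features("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                        "<mechanism>GSSAPI</mechanism></mechanisms>")

if __name__ == "__main__":
    for name, xml, tls in [("pre-TLS", PRE_TLS, False), ("post-TLS", POST_TLS, True),
                           ("GSSAPI only", GSSAPI_ONLY, True)]:
        print(name, audit_features(xml, tls))
```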

Yeah, that's what I was figuring about the ticket. Opening a file share, net use, connecting to Exchange, or locking the screen and unlocking after the VPN is connected all renew the ticket, and I can log on with no problems. Now I just need to automate a way to renew a ticket for the user without them knowing or having to do any interaction.

Thanks for the help.