I don't know that the SSPI code made it in, but the GSSAPI code did. And in all fairness, the SSPI code doesn't need much to get it, only a simple code change to allow arbitrary SASL mechs is needed, in addition to adding the SSPI classes to the classpath.
To get GSSAPI working, you have to do a few things. First, you need to have that mechanism listed in the wildfire.xml config. It's a new option that has not yet been documented, but it's pretty easy. Just add this into your config:
This will set the server to advertise GSSAPI. The is a comma/space separated list, so you can keep PLAIN, etc. if you want. Order is important though, put it in the order of preference, which should be most secure first (like GSSAPI). The realm is important, it must match your Kerberos realm. If you use Windows AD, it is the domain name. There have been a few issues if your domain is not all upper case, so try it all upper case.
Next, you need /opt/wildfire/conf/gssapi.conf to be created. It's a simple file:
```
/**
 * Login Configuration for JAAS.
 */
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="/etc/jabber.keytab"
        realm="REALM.COM"
        principal="xmpp/jabber.example.com@REALM.COM"
        debug=true;
};
```
Again, make sure your realm is set correctly. If you are on Windows, you need to figure out how to make a keytab. That's the part of the documentation I've been working on and is incomplete. But, you can get a head start by reading this: http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
After you get this all set up, Wildfire should now accept Kerberos. A few things I've learned:
Most Kerberos implementations use stronger encryption types than the default Java install understands. You must download the "Unlimited Strength JCE" for your Java version (it is free, but not available in all countries due to US export regulations). Some encryption types in MIT Kerberos (AES, in particular) are only supported in the Java 6 betas.
With Windows Active Directory, you will likely need to enable Single-DES for each user. A bit of a pain, I know.
If you want to map principals to usernames you will need to set up some authorization providers (these are new, and different from the authentication providers). The defaults will work for most people, however.
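The pitfalls the post lists for gssapi.conf (realm must match and be upper case, principal must carry the right realm, keytab must exist, quotes must be plain ASCII rather than the typographic ones a web copy-paste introduces) are all mechanical to check before restarting the server. The following is an added example, not code from the thread or from Wildfire: a small Python lint that parses a JAAS login configuration and reports those problems. The two sample files and the finding messages are constructed here; the `keytab_exists` hook is an assumption so the check can run on a box without /etc/jabber.keytab.

```python
import os
import re

# Constructed sample: the thread's gssapi.conf as a web copy-paste often ends
# up, with typographic quotes and a lower-case realm that does not match the
# principal's realm.
BROKEN_CONF = '''/**
 * Login Configuration for JAAS.
 */
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/etc/jabber.keytab" doNotPrompt=true useKeyTab=true realm=\u201crealm.com\u201d principal=\u201cxmpp/jabber.example.com@REALM.COM\u201d debug=true;
};
'''

# Constructed sample: the same entry written correctly.
GOOD_CONF = '''com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true useKeyTab=true doNotPrompt=true
        keyTab="/etc/jabber.keytab"
        realm="REALM.COM"
        principal="xmpp/jabber.example.com@REALM.COM"
        debug=true;
};
'''

CURLY = "\u201c\u201d\u2018\u2019"  # typographic double and single quotes
ACCEPT_ENTRY = "com.sun.security.jgss.accept"
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

_ENTRY = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
_MODULE = re.compile(r"(\S+)\s+(required|requisite|sufficient|optional)\s+(.*?);", re.S)
_OPTION = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def strip_comments(text):
    """Drop /* ... */ comments, which the JAAS syntax allows."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def parse_jaas(text):
    """Return {entry_name: [(module_class, control_flag, {option: value})]}."""
    entries = {}
    for name, body in _ENTRY.findall(strip_comments(text)):
        modules = []
        for cls, flag, opts in _MODULE.findall(body):
            options = {}
            for key, raw, quoted in _OPTION.findall(opts):
                options[key] = quoted if raw.startswith('"') else raw
            modules.append((cls, flag, options))
        entries[name] = modules
    return entries


def check_acceptor(text, expected_realm, keytab_exists=os.path.isfile):
    """Lint the GSSAPI acceptor entry; returns a list of human-readable findings."""
    findings = []
    if any(ch in text for ch in CURLY):
        findings.append("typographic quotes present; JAAS needs plain ASCII double quotes")
    modules = parse_jaas(text).get(ACCEPT_ENTRY)
    if not modules:
        findings.append("no %s entry found" % ACCEPT_ENTRY)
        return findings
    cls, flag, opts = modules[0]
    if cls != KRB5_MODULE:
        findings.append("acceptor uses %s, expected %s" % (cls, KRB5_MODULE))
    if flag != "required":
        findings.append("control flag is %s, expected required" % flag)
    # A keytab-based acceptor must read the key from the keytab, keep it for
    # later GSS accepts, and never fall back to prompting for a password.
    for key in ("useKeyTab", "storeKey", "doNotPrompt"):
        if opts.get(key) != "true":
            findings.append("%s should be true for a keytab-based acceptor" % key)
    realm = opts.get("realm", "").strip(CURLY)
    if realm != realm.upper():
        findings.append("realm %r is not all upper case" % realm)
    if realm != expected_realm:
        findings.append("realm %r does not match expected %r" % (realm, expected_realm))
    principal = opts.get("principal", "").strip(CURLY)
    if "@" not in principal:
        findings.append("principal has no @REALM suffix")
    elif principal.rsplit("@", 1)[1] != realm:
        findings.append("principal realm does not match the realm option")
    if not principal.startswith("xmpp/"):
        findings.append("principal does not use the xmpp/ service name")
    keytab = opts.get("keyTab", "").strip(CURLY)
    if not os.path.isabs(keytab):
        findings.append("keyTab %r is not an absolute path" % keytab)
    elif not keytab_exists(keytab):
        findings.append("keytab file %s not found" % keytab)
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        print(label, check_acceptor(conf, "REALM.COM", keytab_exists=lambda p: True))
```

Run it against the real file with `check_acceptor(open("/opt/wildfire/conf/gssapi.conf").read(), "REALM.COM")` and the default `keytab_exists` will also confirm that the keytab the entry points at is actually present on disk.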