El jue, 09-02-2012 a las 10:51 +0000, Dale Macartney escribió:
> Morning all
> I have a working setup of ejabberd authenticated to pam on an IPA client
> which works great..  However, unlike my other projects to provide
> details of integration with IPA, I am struggling with the SSO aspect of
> it, simply because of a lack of knowledge of jabber packages. (Currently
> I have used ejabberd and pidgin for testing, and from an end user view
> point, there doesn't appear to be an option to select kerberos to
> authenticate with).
> My goal, like other services is to tap *a* jabber service (can be
> anything) into ipa for single sign on.
> What is the general feeling in the community around jabber in the
> enterprise? (Useful or not? Best practices?)
> What is your preferred jabber software (server and client would be handy
> to know for testing) and why?
> Does it support GSSAPI?

Of course it is useful, thanks to kerberos users don't have to type
their password every time, or worst save it in a text file in their home

Pidgin does support GSSAPI auth, Empathy sadly doesn't.

On the server side I have successfully configured jabberd2 and Openfire.

The first steps are the same for both jabberd and openfire:

1) Set up your DNS, creating the proper _xmpp-client._tcp and
_xmpp-server entries. For example

ipa dnsrecord-add mydomain.com _xmpp-client._tcp --srv-rec="10 100 5222 

2) Create and export the keytab for the server. Preferably your jabber
server should join the ipa domain so you don't have to set up kerberos
and ntp manually, the proper fqdn hostname, etc.

on-ipa-server# ipa service-add xmpp/jabberserver.mydomain.com
on-jabberserver# ipa-getkeytab -s ipa-server -p xmpp/jabberserver.mydomain.com 
-k /etc/krb5-xmpp.keytab

Next for jabberd2:

1) Edit /etc/jabberd/c2s.xml and enable the sasl methods in the
<mechanisms></mechanisms> section


2) Edit /etc/sasl2/xmpp.conf (or /usr/lib/sasl2/xmpp.conf depending on
your installed OS)

mech_list: GSSAPI PLAIN
keytab: /etc/krb5-xmpp.keytab

3) chown /etc/krb5-xmpp.keytab so your jabberd service can access it.

For Openfire:

1) Edit /opt/openfire/conf/gss.conf

com.sun.security.jgss.accept {

2) Edit the <sasl/> and <ldap/> sections
on /opt/openfire/conf/openfire.xml


3) In the openfire web setup you should set up the ldap connection
making sure the app can see all of your ipa users and groups. After this
you should enter into the web administration and add some system

sasl.gssapi.config = /opt/openfire/conf/gss.conf
sasl.mechs = GSSAPI PLAIN
sasl.gssapi.useSubjectCredsOnly = false
xmpp.domain = mydomain.com
xmpp.fqdn = jabberserver.mydomain.com

4) chown /etc/krb5-xmpp.keytab so your openfire service can access it.

Hope this helps!

Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford

Freeipa-users mailing list

Reply via email to