On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce <[email protected]> wrote:
> On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
> > hi,
> >
> > After some initial troubles (thanks rcrit on irc) I got this to work
> > nicely. I have used the openfire
> > http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
> > server.
> >
> > Instructions here:
> >
> > http://test.asenjo.nl/index.php/Openfire_ipa
>
> Nice writeup Natxo,
> I am curious about the SSO setup. Why did you need to restrict the
> keytab to des3? Using the default settings (that include AES keys) would
> be normally better. If it is due to restrictions in the java security
> library, you should be able to download a library with full support for
> AES from Oracle (they have a separate build due to some export control
> stuff that is available for download).
>

Apparently this is the recommended setting by openfire.

> I am also curious about the need to set isInitiator to false. Service
> keys in IPA can be used to init security contexts, what kind of failure
> did you see setting it to true? The 'isInitiator=false' may be
> necessary in AD where servicePrincipals and userPrincipals are
> considered distinct entities and AD forbids servicePrincipals to perform
> AS Requests, but this is not limited in IPA, by default you should be
> able to initiate just fine.
>

when I set isInitiator=true; and reload openfire I get this error in the logfile:

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is xmpp/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Cannot get kdc for realm IPA.ASENJO.NX

I am not sure why it does not work, but it doesn't. Believe me, I tried :-)

According to the person who wrote this community doc
http://community.igniterealtime.org/docs/DOC-1522:

"Since the xmpp service principal is only a service principal, and not
mapped to an actual user account, we need to ensure that Java never
attempts to treat it like a user account. In order to assure that, we
have to add an additional line to gss.conf -- isInitiator."

In the AD setups, the isInitiator directive is not necessary,
apparently. That is why I could not get it to work with the
instructions on their site until I found that clue.

HTH,

--
groet,
natxo

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
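As an added illustration, not taken from Natxo's writeup or from Openfire's own documentation, this is the shape of the gss.conf JAAS entry the thread is discussing, using the Krb5LoginModule options that appear in the debug output above; the entry name "xmpp" and the host part of the principal are assumptions, while the keytab path and realm are the ones from the thread.

```conf
// JAAS login configuration for Openfire's Kerberos (GSSAPI) SSO.
// Assumed: the entry name "xmpp" and the placeholder host in the principal.
xmpp {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true              // read the service key from the keytab
        keyTab="/opt/openfire/conf/openfire.keytab"
        storeKey=true               // keep the key in the Subject so GSS can accept contexts
        principal="xmpp/openfire.example.test@IPA.ASENJO.NX"   // placeholder host name
        doNotPrompt=true            // never fall back to an interactive password prompt
        useTicketCache=false
        // isInitiator=false makes the module acceptor-only: it loads the key and
        // stops. With isInitiator=true it additionally runs "Acquire TGT using AS
        // Exchange", which needs a KDC for the realm; that is the step that failed
        // with "Cannot get kdc for realm IPA.ASENJO.NX" in the log above.
        isInitiator=false
        debug=true;
};
```

Keep debug=true only while troubleshooting, since it writes the principal and keytab details to the Openfire log on every login attempt.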
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
