On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce <s...@redhat.com> wrote:

> On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
> > hi,
> >
> > After some initial troubles (thanks rcrit on irc) I got this to work
> > nicely. I have used the openfire
> > http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
> > server.
> >
> > Instructions here:
> >
> > http://test.asenjo.nl/index.php/Openfire_ipa
>
> Nice writeup Natxo,
> I am curious about the SSO setup. Why did you need to restrict the
> keytab to des3 ? Using the default settings (that include AES keys would
> be normally better). If it is due to restrictions in the java security
> library, you should be able to download a library with full support for
> AES from Oracle (they have a separate build due to some export control
> stuff that is available for download).
>
>
Apparently this is the recommended setting by openfire.


> I am also curious about the need to set isInitiator to false. Service
> keys in IPA can be used to init security contexts, what kind of failure
> did you see setting it to true ? The 'isInitiator=false' may be
> necessary in AD where servicePrincipals and userPrincipals are
> considered distinct entities and AD forbids servicePrincipals to perform
> AS Requests, but this is not limited in IPA, by default you should be
> able to initiate just fine.
>
>
when I set isInitiator=true; and reload openfire I get this error in the
logifle:

 Debug is  true storeKey true useTicketCache false useKeyTab true
doNotPrompt true ticketCache is null isInitiator true KeyTab is
/opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is
xmpp/ipaclient01.ipa.asenjo...@ipa.asenjo.nx tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
                [Krb5LoginModule] authentication failed
Cannot get kdc for realm IPA.ASENJO.NX

I am not sure why it does not work, but it doesn't. Believe me, I tried :-)

According to the person who wrote this community doc
http://community.igniterealtime.org/docs/DOC-1522:

" Since the xmpp service principal is only a service principal, and not
mapped to an actual user account, we need to ensure that Java never
attempts to treat it like a user account.  In order to assure that, we have
to add an additional line to gss.conf -- isInitiator.".

In the AD setups, the isInitiator directive is not necessary, apparently.
That is why I could not get it to work with the instructions on their site
until I found that clue.

-- 
groet,
natxo

HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to