[Freeipa-users] xmpp/jabber SSO with freeipa

Natxo Asenjo natxo.asenjo at gmail.com
Sun Jun 17 16:26:54 UTC 2012


On Sun, Jun 17, 2012 at 3:27 PM, Simo Sorce <simo at redhat.com> wrote:

> On Sat, 2012-06-16 at 23:45 +0200, Natxo Asenjo wrote:
> > hi,
> >
> > After some initial troubles (thanks rcrit on irc) I got this to work
> > nicely. I have used the openfire
> > http://www.igniterealtime.org/projects/openfire/index.jsp xmpp/jabber
> > server.
> >
> > Instructions here:
> >
> > http://test.asenjo.nl/index.php/Openfire_ipa
>
> Nice writeup Natxo,
> I am curious about the SSO setup. Why did you need to restrict the
> keytab to des3 ? Using the default settings (that include AES keys would
> be normally better). If it is due to restrictions in the java security
> library, you should be able to download a library with full support for
> AES from Oracle (they have a separate build due to some export control
> stuff that is available for download).
>
>
Apparently this is the recommended setting by openfire.


> I am also curious about the need to set isInitiator to false. Service
> keys in IPA can be used to init security contexts, what kind of failure
> did you see setting it to true ? The 'isInitiator=false' may be
> necessary in AD where servicePrincipals and userPrincipals are
> considered distinct entities and AD forbids servicePrincipals to perform
> AS Requests, but this is not limited in IPA, by default you should be
> able to initiate just fine.
>
>
When I set isInitiator=true and reload openfire, I get this error in the
logfile:

 Debug is  true storeKey true useTicketCache false useKeyTab true
doNotPrompt true ticketCache is null isInitiator true KeyTab is
/opt/openfire/conf/openfire.keytab refreshKrb5Config is false principal is
xmpp/ipaclient01.ipa.asenjo.nx at IPA.ASENJO.NX tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
                [Krb5LoginModule] authentication failed
Cannot get kdc for realm IPA.ASENJO.NX

I am not sure why it does not work, but it doesn't. Believe me, I tried :-)

According to the person who wrote this community doc
http://community.igniterealtime.org/docs/DOC-1522:

"Since the xmpp service principal is only a service principal, and not
mapped to an actual user account, we need to ensure that Java never
attempts to treat it like a user account. In order to assure that, we have
to add an additional line to gss.conf -- isInitiator."

In the AD setups, the isInitiator directive is not necessary, apparently.
That is why I could not get it to work with the instructions on their site
until I found that clue.

-- 
groet,
natxo

> HTH,
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
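For reference, here is what the acceptor-only gss.conf discussed in this thread looks like in JAAS syntax. This is an added example written for this page, not the file from Natxo's writeup, the Openfire project or the igniterealtime community doc. The keytab path, principal, realm and the storeKey/doNotPrompt/useKeyTab/useTicketCache values are taken from the Krb5LoginModule debug output quoted above; the entry name com.sun.security.jgss.accept is an assumption (it is the JDK's standard name for the GSS acceptor login entry, and you should check it against the Openfire documentation for your version). The JDK's JAAS configuration parser accepts // and /* */ comments, so the comments can stay in the file.

```jaas
/*
 * Added example gss.conf for an Openfire XMPP service accepting GSSAPI logins
 * against FreeIPA. Not the original thread's file; the login entry name below
 * is assumed, everything else mirrors the debug output quoted in the thread.
 */
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/opt/openfire/conf/openfire.keytab"
        principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
        storeKey=true         // keep the service key so GSSAPI can accept contexts
        doNotPrompt=true      // a daemon must never fall back to asking for a password
        useTicketCache=false  // no user credential cache to reuse
        isInitiator=false     // acceptor only: no AS exchange, no TGT, no KDC lookup at login
        debug=true;           // set to false once SASL GSSAPI logins work
};
```

Why isInitiator=false changes the failure mode: with isInitiator=true the login module, after reading the key from the keytab, performs an AS exchange to obtain a TGT for the service principal (the "Acquire TGT using AS Exchange" line in the debug output). That step requires the JVM to locate a KDC for the realm, through the [realms] section of the krb5.conf the JVM reads or through DNS SRV records, and "Cannot get kdc for realm" is the JDK's error when that lookup fails. With isInitiator=false the module stops after loading the key, so a pure acceptor never exercises KDC discovery at login. Before restarting Openfire, check the keytab with `klist -kte /opt/openfire/conf/openfire.keytab`: the principal must match the one in gss.conf exactly, and the listed enctypes must be ones the JVM can use. IPA issues AES keys by default; on JDKs of that era AES-256 needs the unlimited-strength JCE policy files that Simo refers to, so restricting the keytab to weaker enctypes is a workaround for the JVM, not a requirement of IPA.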