[Freeipa-users] Jabber services for IPA

Loris Santamaria loris at lgs.com.ve
Thu Feb 9 19:17:14 UTC 2012


El jue, 09-02-2012 a las 10:51 +0000, Dale Macartney escribió:
> Morning all
> 
> I have a working setup of ejabberd authenticated to pam on an IPA client
> which works great. However, unlike my other projects to provide
> details of integration with IPA, I am struggling with the SSO aspect of
> it, simply because of a lack of knowledge of jabber packages. (Currently
> I have used ejabberd and pidgin for testing, and from an end user view
> point, there doesn't appear to be an option to select kerberos to
> authenticate with).
> 
> My goal, like other services is to tap *a* jabber service (can be
> anything) into ipa for single sign on.
> 
> What is the general feeling in the community around jabber in the
> enterprise? (Useful or not? Best practices?)
> What is your preferred jabber software (server and client would be handy
> to know for testing) and why?
> Does it support GSSAPI?

Of course it is useful, thanks to kerberos users don't have to type
their password every time, or worse, save it in a text file in their home
directory.

Pidgin does support GSSAPI auth, Empathy sadly doesn't.

On the server side I have successfully configured jabberd2 and Openfire.

The first steps are the same for both jabberd and openfire:

1) Set up your DNS, creating the proper _xmpp-client._tcp and
_xmpp-server._tcp SRV records. For example

ipa dnsrecord-add mydomain.com _xmpp-client._tcp --srv-rec="10 100 5222 jabberserver.mydomain.com."

2) Create and export the keytab for the server. Preferably your jabber
server should join the ipa domain so you don't have to set up kerberos,
ntp, the proper fqdn hostname, etc. manually.

on-ipa-server# ipa service-add xmpp/jabberserver.mydomain.com
on-jabberserver# ipa-getkeytab -s ipa-server -p xmpp/jabberserver.mydomain.com -k /etc/krb5-xmpp.keytab

Next for jabberd2:

1) Edit /etc/jabberd/c2s.xml and enable the sasl methods in the
<mechanisms></mechanisms> section

<mechanisms>
  <sasl>
     <plain/>
     <gssapi/>
     <digest-md5/>
  </sasl>
</mechanisms>

2) Edit /etc/sasl2/xmpp.conf (or /usr/lib/sasl2/xmpp.conf depending on
your installed OS)

mech_list: GSSAPI PLAIN
keytab: /etc/krb5-xmpp.keytab

3) chown /etc/krb5-xmpp.keytab so your jabberd service can access it.

For Openfire:

1) Edit /opt/openfire/conf/gss.conf

com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule
  required
  principal="xmpp/jabberserver.mydomain.com@MYDOMAIN.COM"
  keyTab="/etc/krb5-xmpp.keytab"
  doNotPrompt=true
  storeKey=true
  useKeyTab=true
  debug=true;
};

2) Edit the <sasl/> and <ldap/> sections
on /opt/openfire/conf/openfire.xml

  <sasl>   
    <gssapi/> 
  </sasl>  
  <ldap> 
    <adminDN/>  
    <adminPassword/>  
    <authorizeField>krbPrincipalName</authorizeField> 
  </ldap>

3) In the openfire web setup you should set up the ldap connection
making sure the app can see all of your ipa users and groups. After this
you should enter into the web administration and add some system
properties:

sasl.gssapi.config = /opt/openfire/conf/gss.conf
sasl.mechs = GSSAPI PLAIN
sasl.gssapi.useSubjectCredsOnly = false
xmpp.domain = mydomain.com
xmpp.fqdn = jabberserver.mydomain.com

4) chown /etc/krb5-xmpp.keytab so your openfire service can access it.

Hope this helps!

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
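A pre-flight check for the DNS, keytab and keytab-permission steps described in the post above, as an added example; it is not part of the original message and not code from jabberd2, Openfire or FreeIPA. The domain, host and keytab path (mydomain.com, jabberserver.mydomain.com, /etc/krb5-xmpp.keytab) are the ones used in the post. The script name check-xmpp-sso.sh, the optional service-user argument, and the sample dig/klist output the helpers are written against are assumptions; the live driver expects dig (bind-utils) and klist/kvno (krb5-workstation) on an IPA-enrolled host, and it checks _xmpp-server._tcp on the standard XMPP server-to-server port 5269, which the post does not show.

```shell
#!/bin/sh
# check-xmpp-sso.sh (hypothetical name): verify the DNS SRV records, the
# xmpp/ service keytab and its permissions before turning on GSSAPI in
# jabberd2 or Openfire. Pure helpers take command output as text so they can
# be exercised without DNS or a KDC; the driver at the bottom feeds them the
# real output of dig, klist and kvno.

# srv_points_to OUTPUT TARGET PORT
# OUTPUT is what `dig +short SRV _xmpp-client._tcp.DOMAIN` prints, one
# "<priority> <weight> <port> <target.>" record per line. Succeeds if any
# record targets TARGET (with its trailing dot) on PORT.
srv_points_to() {
  printf '%s\n' "$1" | awk -v target="$2" -v port="$3" \
    'NF == 4 && $3 == port && $4 == target { found = 1 }
     END { exit found ? 0 : 1 }'
}

# keytab_has_principal OUTPUT PRINCIPAL
# OUTPUT is what `klist -kt KEYTAB` prints; succeeds if the full principal
# (service/host@REALM) appears as the last field of some entry line.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v princ="$2" \
    '$NF == princ { found = 1 } END { exit found ? 0 : 1 }'
}

# GNU stat first (Linux), BSD stat as a fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# keytab_mode_ok FILE [OWNER]
# The keytab holds the service's long-term key, so it must not be group- or
# world-readable (the "chown so your service can access it" step must not
# turn into chmod 644). When OWNER is given (jabberd, or the user Openfire
# runs as), the file must belong to it.
keytab_mode_ok() {
  f=$1; owner=${2:-}
  [ -f "$f" ] || return 1
  mode=$(file_mode "$f") || return 1
  mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')   # drop setuid/sticky digit
  case "$mode" in
    ?00) ;;                         # 600, 400, 700: no group/other bits
    *)   return 1 ;;
  esac
  if [ -n "$owner" ]; then
    [ "$(file_owner "$f")" = "$owner" ] || return 1
  fi
  return 0
}

# Live driver:
#   sh check-xmpp-sso.sh DOMAIN SERVER_FQDN KEYTAB [SERVICE_USER]
#   sh check-xmpp-sso.sh mydomain.com jabberserver.mydomain.com /etc/krb5-xmpp.keytab jabberd
if [ $# -ge 3 ]; then
  domain=$1 fqdn=$2 keytab=$3 svcuser=${4:-}
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')  # assumes REALM == upper-cased domain
  princ="xmpp/$fqdn@$realm"
  rc=0

  if srv_points_to "$(dig +short SRV "_xmpp-client._tcp.$domain")" "$fqdn." 5222; then
    echo "ok   _xmpp-client._tcp.$domain -> $fqdn:5222"
  else
    echo "FAIL _xmpp-client._tcp.$domain does not point at $fqdn:5222"; rc=1
  fi
  if srv_points_to "$(dig +short SRV "_xmpp-server._tcp.$domain")" "$fqdn." 5269; then
    echo "ok   _xmpp-server._tcp.$domain -> $fqdn:5269"
  else
    echo "FAIL _xmpp-server._tcp.$domain does not point at $fqdn:5269"; rc=1
  fi

  if keytab_has_principal "$(klist -kt "$keytab" 2>/dev/null)" "$princ"; then
    echo "ok   $keytab contains $princ"
  else
    echo "FAIL $keytab has no entry for $princ"; rc=1
  fi

  if keytab_mode_ok "$keytab" "$svcuser"; then
    echo "ok   $keytab is not group/world-readable${svcuser:+ and is owned by $svcuser}"
  else
    echo "FAIL $keytab is group/world-readable, missing, or owned by the wrong user"; rc=1
  fi

  # Client-side check that the KDC issues tickets for the service principal
  # (needs a user TGT, i.e. run kinit first). This is exactly what Pidgin's
  # GSSAPI login asks the KDC for.
  if kvno "$princ" >/dev/null 2>&1; then
    echo "ok   KDC issued a service ticket for $princ"
  else
    echo "FAIL kvno $princ failed (no TGT, or service not registered in IPA)"; rc=1
  fi
  exit $rc
fi
```

Run it as the service user after `kinit` as a regular IPA user: a green kvno line plus a keytab that contains the matching principal means the remaining failures are in the jabberd2/Openfire SASL configuration, not in DNS or Kerberos.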
