Difference between revisions of "Openfire ipa"
| Line 65: | Line 65: | ||
If you now click on 'Users/Groups', then you will see your ipa users in the openfire server: | If you now click on 'Users/Groups', then you will see your ipa users in the openfire server: | ||
[[Image:Openfire_usersummary.jpeg|thumb|400px|none|openfire user summary]] | [[Image:Openfire_usersummary.jpeg|thumb|400px|none|openfire user summary]] | ||
| + | |||
| + | === Test with username/password === | ||
| + | Now we can use a jabber/xmpp client like pidgin and login with our IPA credentials. We still have to use a username/password though, so it is not optimal. | ||
| + | |||
| + | I have tested with Pidgin with a linux client (in a gnome 2 desktop): | ||
| + | |||
| + | * start pidgin (applications -> internet -> pidgin internet messenger); | ||
| + | * add a xmpp account: in the tab 'Basic' fill username with the ipa username you want to test, in the domain field fill in the chat server name (ipaclient01.ipa.asenjo.nx), your password; in the 'Advanced' tab only the 'connect port' should be filled (5222) and the 'Connection security' should 'require encryption' be. That's it, click on save and you will be prompted to accept a certificate from the server (ensure your firewall allows incoming traffic to port 5222: edit /etc/sysconfig/iptables and add this line: -A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT , then reload the iptables daemon: /etc/init.d/iptables restart). | ||
| + | |||
| + | === SSO configuration === | ||
| + | This is explained | ||
According to [http://community.igniterealtime.org/docs/DOC-1060#Create%20a%20Service%20Principal%20and%20Keytab%20for%20Openfire the openfire SSO guide], we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) on the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab: | According to [http://community.igniterealtime.org/docs/DOC-1060#Create%20a%20Service%20Principal%20and%20Keytab%20for%20Openfire the openfire SSO guide], we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) on the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab: | ||
Revision as of 22:28, 16 June 2012
Contents
Goal
Configure a jabber/xmpp server with Single Sign On (SSO) and LDAP group database.
Requirements
- We need (at least) a working ipa domain. See the instructions on how to install one: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ ; the instructions are the same for Fedora or other RHEL derivatives.
In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.
- a server joined to the IPA domain where we will install the jabber/xmpp software.
In my case the server is ipaclient01.ipa.asenjo.nx.
Software installation
Go to the Openfire download site and get the rpm package. In my test lab I had direct internet access, so I downloaded it from the ipaclient01.ipa.asenjo.nx host. If that is not your situation, download it first and copy it to your soon to be chat server. Install it as root:
[root@ipaclient01 ~]# yum localinstall openfire-3.7.1-1.i386.rpm -y
yum should resolve all dependencies automagically, after that we may start configuring it for SSO.
Configuration
Openfire has a nice web ui to configure the chat server. In order to access it, we need to start the openfire daemon first:
start daemon
[root@ipaclient01 ~]# /etc/init.d/openfire start
Starting openfire:
[root@ipaclient01 ~]# /etc/init.d/openfire status
openfire is running
web interface setup
The web ui is accessible then from http://ipaclient01.ipa.asenjo.nx:9090
I chose the default (English) and clicked on Continue;
In the 'Domain' field I entered the fqdn of the chat server: ipaclient01.ipa.asenjo.nx. The other settings I left unchanged, then 'Continue';
I have a postgresql sever running on the same chat server so I am using the standard database connedction. For testing purposes you can use the embedded database option but according to Ignite Realtime, the makers of openfire, it is not advisable to use that in production. Click on 'Continue';
Fill in your database settings. The requirements are here. Click on 'Continue';
Choose 'Directory Server (LDAP)' and click on 'Continue';
in this screen we fill in the fqdn of our ldap server, in my case: kdc.ipa.asenjo.nx. Leave the standard ldap port (389) as it is, and as ldap base I choose cn=accounts,dc=ipa,dc=asenjo,dc=nx because in there is where the user accounts are. Substitue 'dc=ipa,dc=asenjo,dc=nx' with your ipa domain information.
Leave the authentication fields empty (unless you have modified the standard ipa installation, ipa allows anonymous ldap bindings; if you have disabled that, then you will have to enter a username/password to bind to the ldap server) and click on 'Test', you should see a success message:
The next screen (Profile Settings: User Mapping) is a bit long, but I did not modify anything. Just make sure the Usernane Field is 'uid' and click 'Continue'. You may too click on 'Test settings' and you should see some info about your ipa users as openfire maps them to its own database.
The next screen is Profile Settings: Group Mapping. Make sure you expand the 'advanced settings'. I fill in there "(cn=ipausers)". This filter will get all the members of the ldap group 'ipausers' (which is the standard group for every user). We can use this to automatically add this group the the address book to every client.
The final step in the setup is the administrator account, I entered 'admin', confirmed and the setup was completed. After that you may login the openfire admin console. Enter your admin username and password (the ipa admin username and password, or the name and password of the user you entered in the last step of the setup).
If you now click on 'Users/Groups', then you will see your ipa users in the openfire server:
Test with username/password
Now we can use a jabber/xmpp client like pidgin and login with our IPA credentials. We still have to use a username/password though, so it is not optimal.
I have tested with Pidgin with a linux client (in a gnome 2 desktop):
- start pidgin (applications -> internet -> pidgin internet messenger);
- add a xmpp account: in the tab 'Basic' fill username with the ipa username you want to test, in the domain field fill in the chat server name (ipaclient01.ipa.asenjo.nx), your password; in the 'Advanced' tab only the 'connect port' should be filled (5222) and the 'Connection security' should 'require encryption' be. That's it, click on save and you will be prompted to accept a certificate from the server (ensure your firewall allows incoming traffic to port 5222: edit /etc/sysconfig/iptables and add this line: -A INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT , then reload the iptables daemon: /etc/init.d/iptables restart).
SSO configuration
This is explained
According to the openfire SSO guide, we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) on the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:
ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1
Here we dump the keytab for xmpp/ipaclient01.ipa.asenjo.nx to the file openfire.keytab with the right encryption.
[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
We deviate slightly from documents presented by others here, as there is one small change we need to make. Since the xmpp service principal is only a service principal, and not mapped to an actual user account, we need to ensure that Java never attempts to treat it like a user account. In order to assure that, we have to add an additional line to gss.conf -- isInitiator.
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/opt/openfire/conf/openfire.keytab" doNotPrompt=true useKeyTab=true realm="IPA.ASENJO.NX" principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX" debug=true isInitiator=false;
};
