Difference between revisions of "Openfire ipa"

From Asenjo
Revision as of 19:56, 16 June 2012

Goal

Configure a Jabber/XMPP server with Single Sign-On (SSO) and an LDAP group database.

Requirements

In my case, the IPA domain is IPA.ASENJO.NX. The server containing the Kerberos KDC, LDAP directory and DNS server is kdc.ipa.asenjo.nx.

  • a server joined to the IPA domain where we will install the jabber/xmpp software.

In my case the server is ipaclient01.ipa.asenjo.nx.

Software installation

Go to the Openfire download site (http://www.igniterealtime.org/downloads/index.jsp) and get the RPM package. In my test lab I had direct internet access, so I downloaded it from the ipaclient01.ipa.asenjo.nx host. If that is not your situation, download it first and copy it to your soon-to-be chat server. Install it as root:

[root@ipaclient01 ~]# yum localinstall openfire-3.7.1-1.i386.rpm -y

yum should resolve all dependencies automagically; after that we can start configuring it for SSO.

Configuration

Openfire has a nice web UI to configure the chat server. To access it, we need to start the openfire daemon first:

start daemon

[root@ipaclient01 ~]# /etc/init.d/openfire start
Starting openfire:
[root@ipaclient01 ~]# /etc/init.d/openfire status
openfire is running

access the web interface

The web UI is then reachable at http://ipaclient01.ipa.asenjo.nx:9090

According to the openfire SSO guide (http://community.igniterealtime.org/docs/DOC-1060#Create%20a%20Service%20Principal%20and%20Keytab%20for%20Openfire), we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) in the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:

ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1

Here we dump the keytab for xmpp/ipaclient01.ipa.asenjo.nx to the file openfire.keytab with the right encryption type; klist confirms the principal and key version number:

[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
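The keytab is the chat server's long-term credential, so it is worth checking before handing it to Openfire. The script below is an added example, not part of this page or of the FreeIPA or Openfire tooling: it parses the output of `klist -k -e -t` (the `-e` flag adds the encryption type, which MIT klist prints as des3-cbc-sha1 for a key created with des3-hmac-sha1), confirms that the xmpp principal is present with such a key, and checks that the file is not group- or world-readable. The SAMPLE_KLIST listing, the host/ entry in it and the temporary-file mode check are constructed for the example.

```python
"""Sanity-check an Openfire service keytab before pointing gss.conf at it.

Added helper script; not from the wiki page, Openfire or FreeIPA. It parses
the output of `klist -k -e -t <keytab>` (MIT Kerberos format) and checks that
the expected service principal is present with an acceptable encryption type
and that the keytab file is not readable by group or others.
"""
import os
import re
import stat
import subprocess
import tempfile
from typing import List, NamedTuple

# ipa-getkeytab -e des3-hmac-sha1 produces a key that MIT klist lists under
# its canonical name des3-cbc-sha1; accept either spelling.
ACCEPTED_ENCTYPES = {"des3-cbc-sha1", "des3-hmac-sha1"}

# Constructed sample output of `klist -k -e -t openfire.keytab`: the xmpp
# principal from the page plus an unrelated host key with another enctype.
SAMPLE_KLIST = """\
Keytab name: FILE:openfire.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX (des3-cbc-sha1)
   2 06/14/12 10:02:11 host/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX (aes256-cts-hmac-sha1-96)
"""


class KeytabEntry(NamedTuple):
    kvno: int
    timestamp: str
    principal: str
    enctype: str


# One key per line: KVNO, date, time, principal, "(enctype)".
_ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)\s*$"
)


def parse_klist(output: str) -> List[KeytabEntry]:
    """Return the key entries found in klist output; header lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["ts"], m["princ"], m["etype"]))
    return entries


def check_entries(entries: List[KeytabEntry], principal: str) -> List[str]:
    """Return a list of problems; an empty list means the keytab is usable."""
    matching = [e for e in entries if e.principal == principal]
    if not matching:
        return [f"principal {principal} not found in keytab"]
    if not any(e.enctype in ACCEPTED_ENCTYPES for e in matching):
        found = sorted({e.enctype for e in matching})
        return [f"no des3-hmac-sha1 key for {principal}; found {found}"]
    return []


def check_file_mode(path: str) -> List[str]:
    """The keytab is a long-term secret: nobody but the owner may read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {oct(mode)}; chmod 600 it and chown it to the openfire user"]
    return []


def check_file_mode_demo(mode: int) -> List[str]:
    """Create a throwaway file with the given mode and run check_file_mode on it."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return check_file_mode(path)
    finally:
        os.unlink(path)


def check_keytab(path: str, principal: str) -> List[str]:
    """Run the real klist on a keytab (assumes MIT krb5 client tools are installed)."""
    out = subprocess.run(["klist", "-k", "-e", "-t", path],
                         capture_output=True, text=True, check=True).stdout
    return check_entries(parse_klist(out), principal) + check_file_mode(path)


if __name__ == "__main__":
    import sys
    princ = "xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
    if len(sys.argv) > 1:
        problems = check_keytab(sys.argv[1], princ)
    else:
        problems = check_entries(parse_klist(SAMPLE_KLIST), princ)
    print("OK" if not problems else "\n".join(problems))
```

Run it on the server with the keytab path as its argument to call the real klist; without an argument it checks the constructed sample. Once it passes, copy the keytab to /opt/openfire/conf/openfire.keytab (the path used in gss.conf below) and make it readable only by the user the openfire daemon runs as.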


problem with config

We deviate slightly from the documents presented by others here, as there is one small change we need to make. Since the xmpp service principal is only a service principal, not mapped to an actual user account, we need to ensure that Java never attempts to treat it like a user account. To assure that, we have to add one additional line to gss.conf: isInitiator=false.

com.sun.security.jgss.accept {
   com.sun.security.auth.module.Krb5LoginModule
   required
   storeKey=true
   keyTab="/opt/openfire/conf/openfire.keytab"
   doNotPrompt=true
   useKeyTab=true
   realm="IPA.ASENJO.NX"
   principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
   debug=true
   isInitiator=false;
};
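To catch the mistake this section is about (a gss.conf entry that leaves isInitiator at its Krb5LoginModule default of true), here is an added lint script; it is not part of this page or of Openfire. It parses the JAAS block above, checks the four options an acceptor needs (useKeyTab, storeKey, doNotPrompt and isInitiator, whose defaults are taken from the JDK's Krb5LoginModule documentation) and compares keyTab and principal with the values you expect. SAMPLE_GSS_CONF is the page's entry embedded as a constructed sample, and SAMPLE_MISSING_INITIATOR is the same entry with the isInitiator line dropped.

```python
"""Lint the JAAS acceptor entry Openfire reads from gss.conf.

Added helper script; not from the wiki page or from Openfire. It parses the
`com.sun.security.jgss.accept { ... };` block and checks that the
Krb5LoginModule options make it a pure acceptor (isInitiator=false) that takes
its key from the keytab and keeps it (useKeyTab=true, storeKey=true) without
ever prompting for a password (doNotPrompt=true).
"""
import re
import shlex
from typing import Dict, List, NamedTuple

# Constructed sample: the gss.conf entry shown on the page.
SAMPLE_GSS_CONF = """\
com.sun.security.jgss.accept {
   com.sun.security.auth.module.Krb5LoginModule
   required
   storeKey=true
   keyTab="/opt/openfire/conf/openfire.keytab"
   doNotPrompt=true
   useKeyTab=true
   realm="IPA.ASENJO.NX"
   principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
   debug=true
   isInitiator=false;
};
"""
# The same entry with the line the page says must be added left out.
SAMPLE_MISSING_INITIATOR = SAMPLE_GSS_CONF.replace("\n   isInitiator=false;", ";")

# Values Krb5LoginModule assumes when an option is absent (JDK documentation).
KRB5_DEFAULTS = {"useKeyTab": "false", "storeKey": "false",
                 "doNotPrompt": "false", "isInitiator": "true"}
# Values an Openfire acceptor needs.
ACCEPTOR_WANTS = {"useKeyTab": "true", "storeKey": "true",
                  "doNotPrompt": "true", "isInitiator": "false"}


class LoginModuleSpec(NamedTuple):
    module: str
    flag: str
    options: Dict[str, str]


# An entry is "name { ...module specs... };"
_BLOCK_RE = re.compile(r"(?P<name>[\w.]+)\s*\{(?P<body>.*?)\}\s*;", re.DOTALL)


def parse_jaas(text: str) -> Dict[str, List[LoginModuleSpec]]:
    """Parse JAAS login configuration into {entry name: [module specs]}."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # block comments
    text = re.sub(r"//[^\n]*", "", text)                     # line comments
    config: Dict[str, List[LoginModuleSpec]] = {}
    for block in _BLOCK_RE.finditer(text):
        specs = []
        for spec in block["body"].split(";"):  # each module spec ends in ';'
            tokens = shlex.split(spec)         # shlex strips quotes around values
            if not tokens:
                continue
            if len(tokens) < 2:
                raise ValueError(f"{block['name']}: module spec lacks a control flag: {spec.strip()}")
            options = {}
            for tok in tokens[2:]:
                key, sep, value = tok.partition("=")
                if not sep:
                    raise ValueError(f"{block['name']}: expected key=value, got {tok!r}")
                options[key] = value
            specs.append(LoginModuleSpec(tokens[0], tokens[1].lower(), options))
        config[block["name"]] = specs
    return config


def check_acceptor(config: Dict[str, List[LoginModuleSpec]],
                   keytab: str, principal: str) -> List[str]:
    """Return problems with the jgss.accept entry; an empty list means it is sound."""
    specs = config.get("com.sun.security.jgss.accept", [])
    krb5 = [s for s in specs if s.module.endswith(".Krb5LoginModule")]
    if not krb5:
        return ["no com.sun.security.jgss.accept entry using Krb5LoginModule"]
    opts = krb5[0].options
    problems = []
    for key, want in ACCEPTOR_WANTS.items():
        got = opts.get(key)
        if got is None:
            problems.append(f"{key} not set, so it defaults to {KRB5_DEFAULTS[key]}; set {key}={want}")
        elif got.lower() != want:
            problems.append(f"{key}={got}; set {key}={want}")
    if opts.get("keyTab") != keytab:
        problems.append(f"keyTab={opts.get('keyTab')}; expected {keytab}")
    if opts.get("principal") != principal:
        problems.append(f"principal={opts.get('principal')}; expected {principal}")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GSS_CONF
    problems = check_acceptor(parse_jaas(text), "/opt/openfire/conf/openfire.keytab",
                              "xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX")
    print("OK" if not problems else "\n".join(problems))
```

Point it at the real gss.conf to check the live file. debug=true is handy while bringing SSO up, but it makes Krb5LoginModule write verbose Kerberos details to standard output, so turn it off once SSO works.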