Difference between revisions of "Openfire ipa"
Revision as of 23:56, 15 June 2012
According to [http://community.igniterealtime.org/docs/DOC-1060#Create%20a%20Service%20Principal%20and%20Keytab%20for%20Openfire the openfire SSO guide], we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, which confused me a bit. Thanks to rcrit (Rob Crittenden?) in the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:

<code><pre>
ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1
</pre></code>

Here we fetch the key for the service principal xmpp/ipaclient01.ipa.asenjo.nx from the KDC kdc.ipa.asenjo.nx and write it to the file openfire.keytab with the right encryption type. Note that ipa-getkeytab generates a new key on the KDC, so the principal's KVNO goes up each time it is run; any older copy of the keytab stops working.
<code><pre>
[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
</pre></code>
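The klist output above confirms the principal and KVNO but not the encryption type (klist -k -e would also print it). The script below is an added example, not from this page or from the Openfire or FreeIPA projects: it parses the MIT keytab format directly and checks that the xmpp principal carries a des3-hmac-sha1 (enctype 16) key before the file is handed to Openfire. The sample keytab is constructed inside the script with a dummy key, and the function names are my own.

```python
import struct
DES3_HMAC_SHA1 = 16   # Kerberos enctype number (RFC 3961) for des3-hmac-sha1

def _counted(buf, off):
    # krb5 counted_octet_string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into principal/kvno/enctype dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + size
        if size > 0:                     # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, pos = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):       # v2 keytabs: realm is not counted in ncomp
                c, pos = _counted(data, pos)
                comps.append(c.decode())
            _ntype, ts, vno, etype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen             # step over the key material itself
            if end - pos >= 4:           # optional 32-bit kvno, used when non-zero
                vno = struct.unpack_from(">I", data, pos)[0] or vno
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "kvno": vno, "enctype": etype, "timestamp": ts})
        off += abs(size)
    return entries

def check_openfire_keytab(data, principal, enctype=DES3_HMAC_SHA1):
    """True if the keytab holds a key of the expected enctype for the principal."""
    return any(e["principal"] == principal and e["enctype"] == enctype
               for e in parse_keytab(data))

def build_keytab(realm, comps, kvno, etype, key, ts):  # one-entry v2 keytab, sample input only
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, ts, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)      # 32-bit kvno, as krb5 writes it
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample (dummy 24-byte key, not a real one) for the page's principal.
SAMPLE = build_keytab("IPA.ASENJO.NX", ["xmpp", "ipaclient01.ipa.asenjo.nx"],
                      3, DES3_HMAC_SHA1, b"\x01" * 24, 1339799393)
```

To check a real file, call `check_openfire_keytab(open("openfire.keytab", "rb").read(), "xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX")`.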
[http://community.igniterealtime.org/docs/DOC-1522 problem with config]

We deviate slightly from the documents presented by others here, as there is one small change we need to make. Since the xmpp service principal is only a service principal, and not mapped to an actual user account, we need to ensure that Java never attempts to treat it like a user account. To assure that, we add one additional option to gss.conf: isInitiator=false, which tells the Krb5LoginModule to act as an acceptor only and not to obtain a ticket-granting ticket for the principal. debug=true is handy while getting this working but is noisy, so consider turning it off once SSO works.

<code><pre>
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
        required
        storeKey=true
        keyTab="/opt/openfire/conf/openfire.keytab"
        doNotPrompt=true
        useKeyTab=true
        realm="IPA.ASENJO.NX"
        principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
        debug=true
        isInitiator=false;
};
</pre></code>