Openfire ipa

From Asenjo
Revision as of 16:07, 15 March 2016 by Natxo (Talk | contribs)



Goal

Configure a jabber/xmpp server with Single Sign On (SSO) and LDAP group database.

Requirements

In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.

  • a server joined to the IPA domain where we will install the jabber/xmpp software.

In my case the server is ipaclient01.ipa.asenjo.nx.

Software installation

Go to the Openfire download site and get the rpm package. In my test lab I had direct internet access, so I downloaded it from the ipaclient01.ipa.asenjo.nx host. If that is not your situation, download it first and copy it to your soon-to-be chat server. Install it as root:

[root@ipaclient01 ~]# yum localinstall openfire-3.7.1-1.i386.rpm -y

yum should resolve all dependencies automagically; after that we can start configuring it for SSO.

Configuration

Openfire has a nice web ui to configure the chat server. In order to access it, we need to start the openfire daemon first:

start daemon

[root@ipaclient01 ~]# /etc/init.d/openfire start
Starting openfire:
[root@ipaclient01 ~]# /etc/init.d/openfire status
openfire is running

web interface setup

The web ui is accessible then from http://ipaclient01.ipa.asenjo.nx:9090

[screenshot: welcome screen]

I chose the default (English) and clicked on Continue;

[screenshot: server settings]

In the 'Domain' field I entered the fqdn of the chat server: ipaclient01.ipa.asenjo.nx. The other settings I left unchanged, then 'Continue';

[screenshot: database settings]

I have a postgresql server running on the same chat server, so I am using the standard database connection. For testing purposes you can use the embedded database option, but according to Ignite Realtime, the makers of openfire, it is not advisable to use that in production. Click on 'Continue';

[screenshot: database settings, standard connection]

Fill in your database settings. The requirements are here. Click on 'Continue';

[screenshot: profile settings]

Choose 'Directory Server (LDAP)' and click on 'Continue';

[screenshot: profile connection settings]

In this screen we fill in the fqdn of our ldap server, in my case kdc.ipa.asenjo.nx. Leave the standard ldap port (389) as it is, and as ldap base I chose cn=accounts,dc=ipa,dc=asenjo,dc=nx because that is where the user accounts are. Substitute 'dc=ipa,dc=asenjo,dc=nx' with your ipa domain information.

Leave the authentication fields empty (the standard ipa installation allows anonymous ldap bindings; if you have disabled that, you will have to enter a username/password to bind to the ldap server) and click on 'Test'. You should see a success message:

[screenshot: successful test]

The next screen (Profile Settings: User Mapping) is a bit long, but I did not modify anything. Just make sure the Username Field is 'uid' and click 'Continue'. You may also click on 'Test settings'; you should see some info about your ipa users as openfire maps them to its own database.

[screenshot: profile group mapping]

The next screen is Profile Settings: Group Mapping. Make sure you expand the 'advanced settings'. I filled in "(cn=ipausers)" there. This filter will get all the members of the ldap group 'ipausers' (which is the standard group for every user). We can use this to automatically add this group to the address book of every client.

We can use an ldap filter to get several groups. If we have two groups, ipausers and hrm-staff, for instance, we can use this filter to create two openfire groups:

(|(cn=ipausers)(cn=hrm-staff))

You can edit the ldap filter on the web interface (server properties tab).

The final step in the setup is the administrator account; I entered 'admin', confirmed, and the setup was completed. After that you may log in to the openfire admin console. Enter your admin username and password (the ipa admin username and password, or the name and password of the user you entered in the last step of the setup).

If you now click on 'Users/Groups', then you will see your ipa users in the openfire server:

[screenshot: openfire user summary]

Test with username/password

Now we can use a jabber/xmpp client like pidgin and login with our IPA credentials. We still have to use a username/password though, so it is not optimal.

I have tested with Pidgin with a linux client (in a gnome 2 desktop):

  • start pidgin (applications -> internet -> pidgin internet messenger);
  • add an xmpp account: in the 'Basic' tab fill in the username with the ipa username you want to test, the chat server name (ipaclient01.ipa.asenjo.nx) in the domain field, and your password; in the 'Advanced' tab only the 'connect port' should be filled in (5222) and 'Connection security' should be 'Require encryption'. That's it, click on save and you will be prompted to accept a certificate from the server (ensure your firewall allows incoming traffic to port 5222: edit /etc/sysconfig/iptables and add this line: -A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT , then reload the iptables daemon: /etc/init.d/iptables restart).

Now you should be logged in to the xmpp server, and if you click in Pidgin on the 'Buddies' menu, then 'Show' and 'Offline Buddies', you should see all the ipa users in there.

SSO configuration

This is explained here. The instructions are accurate except for one little detail for our test case (the instructions are Active Directory centric, where normal user accounts get a kerberos service principal). We will get there soon.

dns autodiscovery

xmpp/jabber clients can use dns srv records to find the servers. This is very useful, of course. We will add the following srv record to our ipa.asenjo.nx dns zone:

_xmpp-client._tcp 0 100 5222 ipaclient01

where _xmpp-client._tcp is the record, 0 is the priority, 100 is the weight, 5222 is the tcp port and ipaclient01 is the target (it must exist, but since this is an ipa-joined server its record was automatically created when joining the domain).

Verify the record:

$ host -t srv _xmpp-client._tcp.ipa.asenjo.nx
_xmpp-client._tcp.ipa.asenjo.nx has SRV record 0 100 5222 ipaclient01.ipa.asenjo.nx.

We can now log in with pidgin using just the domain ipa.asenjo.nx instead of ipaclient01.ipa.asenjo.nx; dns autodiscovery will automagically find the server.

But this still is not SSO, so let us get on with that.

create xmpp service principal

We need to create a kerberos service principal and connect it to the chat server ipaclient01.ipa.asenjo.nx. I used the ipa web interface for that, but you can do it like this as well (you need a valid admin kerberos ticket at this point):

ipa service-add xmpp/ipaclient01.ipa.asenjo.nx

Verify the service got created:

[admin@ipaclient01 ~]$ ipa service-find ipaclient01.ipa.asenjo.nx
------------------
2 services matched
------------------
  Principal: postgres/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
  Keytab: True
  Managed by: ipaclient01.ipa.asenjo.nx

  Principal: xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
  Keytab: True
  Managed by: ipaclient01.ipa.asenjo.nx
----------------------------
Number of entries returned 2

As you see, that host has two service principals, and the xmpp one is there.

retrieve keytab for xmpp service principal

This step was a bit unclear to me in the openfire documentation.

According to the openfire SSO guide, we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) on the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:

ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1

Here we dump the keytab for xmpp/ipaclient01.ipa.asenjo.nx to the file openfire.keytab with the right encryption.

[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX

Place openfire.keytab in /opt/openfire/conf and make it readable only by the user daemon (openfire runs as user daemon). If necessary, run restorecon on it so it gets the right selinux context.

Verify the keytab:

# kinit -k -t openfire.keytab xmpp/ipaclient01.ipa.asenjo.nx
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX

Valid starting     Expires            Service principal
06/16/12 23:28:35  06/17/12 23:28:35  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
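To check a retrieved keytab offline for the enctype the Openfire guide asks for, here is an added example (my own code, not from this wiki page nor from the Openfire or FreeIPA projects) that parses the MIT keytab format and reports principal, KVNO and enctype, the same information klist -k -t -e prints. The embedded sample keytab is constructed for the example with dummy all-zero keys, and its timestamp is an assumption.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962); 16 is what the Openfire guide calls des3-hmac-sha1.
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, pos):  # MIT "counted octet string": uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] from a version 0x0502 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab version 0x0502")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        vno8, etype = struct.unpack_from(">BH", data, pos + 8)   # skip name_type and timestamp
        key, pos = _counted(data, pos + 11)
        # an optional trailing 32-bit kvno overrides the 8-bit one when present and non-zero
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno,
                        ENCTYPES.get(etype, "etype %d" % etype)))
        pos = end
    return entries

def has_enctype(data, principal, enctype="des3-cbc-sha1"):
    """True if the keytab holds a key of that enctype for the principal."""
    return any(p == principal and e == enctype for p, _, e in parse_keytab(data))

def _entry(principal, realm, kvno, etype, key, ts=1339784993):  # builder, used for the sample only
    cnt = lambda b: struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + cnt(realm.encode()) + b"".join(cnt(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, etype) + cnt(key)   # name_type=1, timestamp, vno8, etype
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)  # size, body, 32-bit kvno

# Constructed sample keytab (dummy all-zero keys): the page's xmpp principal, kvno 3, des3 and aes256 keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    _entry("xmpp/ipaclient01.ipa.asenjo.nx", "IPA.ASENJO.NX", 3, et, bytes(n)) for et, n in ((16, 24), (18, 32)))
```

Run parse_keytab on the bytes of the real openfire.keytab and has_enctype with the xmpp principal to confirm the des3 key is there before touching gss.conf.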

gss.conf

Create a file called gss.conf in /opt/openfire/conf with similar content (replace the obvious bits, like principal, realm and keytab name/location):

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/opt/openfire/conf/openfire.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="IPA.ASENJO.NX"
    principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
    debug=true
    isInitiator=false;
};

Be careful with the punctuation and ensure the last line, isInitiator=false, is there. It will *not* work otherwise. The SSO guide explains the problem:

<quote>

We deviate slightly from documents presented by others here, as there is one small change we need to make. Since the xmpp service principal is only a service principal, and not mapped to an actual user account, we need to ensure that Java never attempts to treat it like a user account. In order to assure that, we have to add an additional line to gss.conf -- isInitiator.

</quote>

openfire.xml

The last step is to edit the file /opt/openfire/conf/openfire.xml and add some gssapi/sasl info:

  <sasl>
      <mechs>GSSAPI</mechs>
      <realm>IPA.ASENJO.NX</realm>
      <gssapi>
          <debug>true</debug>
          <config>/opt/openfire/conf/gss.conf</config>
          <useSubjectCredsOnly>false</useSubjectCredsOnly>
      </gssapi>
  </sasl>

restart openfire daemon

# /etc/init.d/openfire restart

It is worth noting that after restarting the daemon, the openfire.xml file will apparently lack some of the info we just added. The info has been added to the (postgresql) database, but it is gone from the xml file. This is apparently by design in this package. On the web interface of the openfire server, on the server settings tab, the settings will be there.

login with SSO

If we now remove the password from our pidgin account info, acquire an ipa user kerberos ticket and reopen pidgin, we should be logged in and have an extra kerberos ticket for the xmpp service:

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ipauser1@IPA.ASENJO.NX

Valid starting     Expires            Service principal
06/16/12 23:29:03  06/17/12 23:29:00  krbtgt/IPA.ASENJO.NX@IPA.ASENJO.NX
    renew until 06/23/12 23:29:00
06/16/12 23:29:09  06/17/12 23:29:00  xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
    renew until 06/23/12 23:29:00