Openfire ipa

From Asenjo
Revision as of 23:56, 15 June 2012 by Natxo (Talk | contribs)


According to the Openfire SSO guide, we need a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, which confused me a bit. Thanks to rcrit (Rob Crittenden?) in the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:

ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1

Here we dump the key for xmpp/ipaclient01.ipa.asenjo.nx into the file openfire.keytab with the right encryption type, and check the result with klist:

[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
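As an added check that is not part of the original page: a small Python parser for the MIT keytab file format (version bytes 0x05 0x02) that confirms the file holds a key for the xmpp principal in enctype 16, des3-cbc-sha1, which is the canonical name of des3-hmac-sha1 and what klist -k -e displays. The SAMPLE_KEYTAB bytes are constructed here with a dummy key and an arbitrary timestamp; pass the bytes of the real openfire.keytab to parse_keytab to check your own file.

```python
import struct
from collections import namedtuple

DES3_CBC_SHA1 = 16   # RFC 3961 enctype id; "des3-hmac-sha1" is MIT's alias for it
KeytabEntry = namedtuple("KeytabEntry", "principal timestamp kvno enctype")

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)            # uint16 length-prefixed octet string
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version bytes 0x05 0x02, big-endian) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                                      # negative size marks a deleted slot
            off -= size
            continue
        if size == 0: raise ValueError("corrupt keytab: zero-length entry")
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, ts, vno8, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = _counted(data, p + 11)                  # key material is skipped, never reported
        # an optional trailing 32-bit kvno overrides the 8-bit one when present and non-zero
        kvno = (struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0) or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), ts, kvno, enctype))
        off = end
    return entries

def has_acceptor_key(data, principal, enctype=DES3_CBC_SHA1):
    # True if the keytab holds a key for `principal` in the wanted enctype
    return any(e.principal == principal and e.enctype == enctype for e in parse_keytab(data))

def build_entry(principal, realm, enctype, kvno, key, ts=1339784993):
    """Constructed sample entry (dummy key bytes, arbitrary timestamp), for testing only."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)       # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + build_entry("xmpp/ipaclient01.ipa.asenjo.nx", "IPA.ASENJO.NX", DES3_CBC_SHA1, 3, b"\x00" * 24)
```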


Problem with config

We deviate slightly from the configuration other guides show, because one small change is needed. The xmpp principal is only a service principal, not one mapped to an actual user account, so Java must never try to treat it like a user account, that is, it must not try to obtain a TGT for it. To ensure that, we add one extra line to gss.conf: isInitiator=false, which tells Krb5LoginModule to acquire acceptor credentials only.

com.sun.security.jgss.accept {
   com.sun.security.auth.module.Krb5LoginModule
   required
   storeKey=true
   keyTab="/opt/openfire/conf/openfire.keytab"
   doNotPrompt=true
   useKeyTab=true
   realm="IPA.ASENJO.NX"
   principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX"
   debug=true
   isInitiator=false;
};