Openfire ipa
Goal
Configure a jabber/xmpp server with Single Sign On (SSO) and LDAP group database.
Requirements
- We need (at least) a working ipa domain. See the instructions on how to install one: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ ; the instructions are the same for Fedora or other RHEL derivatives.
In my case, the IPA domain is IPA.ASENJO.NX. The server containing the kerberos kdc, ldap directory and DNS server is kdc.ipa.asenjo.nx.
- a server joined to the IPA domain where we will install the jabber/xmpp software.
In my case the server is ipaclient01.ipa.asenjo.nx.
According to the openfire SSO guide, we need to get a keytab with an encryption type of des3-hmac-sha1. Unfortunately, the example they use appears to use another encryption type, so that confused me a bit. Thanks to rcrit (Rob Crittenden?) on the freeipa room on irc.freenode.net, I got the right incantation for ipa-getkeytab:
ipa-getkeytab -s kdc.ipa.asenjo.nx -p xmpp/ipaclient01.ipa.asenjo.nx -k openfire.keytab -e des3-hmac-sha1
Here we dump the keytab for xmpp/ipaclient01.ipa.asenjo.nx to the file openfire.keytab with the right encryption.
[admin@ipaclient01 ~]$ klist -k -t openfire.keytab
Keytab name: WRFILE:openfire.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 06/15/12 18:29:53 xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX
We deviate slightly from documents presented by others here, as there is one small change we need to make. Since the xmpp service principal is only a service principal, and not mapped to an actual user account, we need to ensure that Java never attempts to treat it like a user account. In order to assure that, we have to add an additional line to gss.conf -- isInitiator.
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/opt/openfire/conf/openfire.keytab" doNotPrompt=true useKeyTab=true realm="IPA.ASENJO.NX" principal="xmpp/ipaclient01.ipa.asenjo.nx@IPA.ASENJO.NX" debug=true isInitiator=false;
};
