siddou.tk

Install Openfire 4+ Pidgin SSO on Debian 8 Jessie

source

Prerequisite

Openfire 4.1.6
Java Version: 1.8.0_102 Oracle Corporation — Java HotSpot(TM) 64-Bit Server VM
Server joined to the domain and AD enabled in Openfire; see my previous article.

Java Cryptography Extension

Download the JCE policy files, unzip the archive and copy local_policy.jar into the Java security folder:

cp local_policy.jar /opt/jre1.8.0_102/lib/security/

Enable GSSAPI in Openfire server

Add the following system properties in Openfire:
http://openfireserver:9090/server-properties.jsp

sasl.gssapi.config	/etc/openfire/conf/gss.conf
sasl.gssapi.debug	true
sasl.gssapi.useSubjectCredsOnly	false
sasl.mechs	GSSAPI,PLAIN
sasl.realm	SIDDOU.TK
xmpp.fqdn	openfire.siddou.tk

# might be required:
xmpp.server.certificate.accept-selfsigned	true
xmpp.server.certificate.verify	false
xmpp.server.certificate.verify.chain	false

nano /etc/openfire/conf/gss.conf

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/etc/openfire/krb5.xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="SIDDOU.TK"
    principal="xmpp/[email protected]"
    debug=true
    isInitiator=false;
};
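
A small checker for a gss.conf like the one above, added here as an example (it is not code from the article or from Openfire): it parses the JAAS entry and flags the settings that commonly break the GSSAPI acceptor (wrong control flag, missing useKeyTab/storeKey, isInitiator not false, principal/realm mismatch). The sample config and its host name are constructed.

```python
"""Sanity-check the JAAS acceptor entry in Openfire's gss.conf before restarting."""
import re
# Constructed sample in the layout of the article's gss.conf; the host part of
# the principal is a placeholder, not the article's value.
SAMPLE_GSS_CONF = """com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    storeKey=true
    keyTab="/etc/openfire/krb5.xmpp.keytab"
    doNotPrompt=true
    useKeyTab=true
    realm="SIDDOU.TK"
    principal="xmpp/openfire.example.test@SIDDOU.TK"
    debug=true
    isInitiator=false;
};
"""
# Options an accepting (server-side) Krb5LoginModule entry must carry.
REQUIRED = {"useKeyTab": "true", "storeKey": "true", "doNotPrompt": "true",
            "isInitiator": "false"}

def parse_jaas(text):
    """Map each JAAS entry name to (login module, control flag, {option: value})."""
    entries = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        tokens = re.findall(r'([\w.]+)(?:=("[^"]*"|[^\s;]+))?', body)
        module, flag = tokens[0][0], tokens[1][0]
        entries[name] = (module, flag, {k: v.strip('"') for k, v in tokens[2:]})
    return entries

def check_acceptor(text):
    """Return {"errors": [...], "warnings": [...]} for the jgss.accept entry."""
    errors, warnings = [], []
    entry = parse_jaas(text).get("com.sun.security.jgss.accept")
    if entry is None:
        return {"errors": ["no com.sun.security.jgss.accept entry"], "warnings": []}
    module, flag, opts = entry
    if not module.endswith(".Krb5LoginModule") or flag != "required":
        errors.append(f"expected Krb5LoginModule marked 'required', got {module} {flag}")
    for key, want in REQUIRED.items():
        if opts.get(key) != want:
            errors.append(f"{key} must be {want}, got {opts.get(key)}")
    realm, principal = opts.get("realm", ""), opts.get("principal", "")
    if not realm or realm != realm.upper():
        errors.append("realm must be set and upper-case")
    if not principal.startswith("xmpp/") or not principal.endswith("@" + realm):
        errors.append("principal must be xmpp/<server fqdn>@<REALM>")
    if opts.get("debug") == "true":
        warnings.append("debug=true is fine while testing; turn it off afterwards")
    return {"errors": errors, "warnings": warnings}
```

It does not inspect the keytab itself; check that file separately with klist -k and make sure only the openfire user can read it.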

Create keytab

kinit domainadmin
net ads keytab add xmpp -k
ktutil
	rkt /etc/krb5.keytab
	delent # remove every entry other than the xmpp principal
	wkt /etc/openfire/krb5.xmpp.keytab
	exit
chown openfire:openfire /etc/openfire/krb5.xmpp.keytab

Finally restart server:

systemctl restart openfire 

Client configuration

The client host must be joined to the domain.
libsasl2-modules-gssapi-mit must be installed.
Tested Pidgin version: 2.12.0-1

Configure the account without a password; that's it.
Debug window output:

(16:55:30) jabber: Recv (311): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
(16:55:30) jabber: Recv (ssl)(453): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="openfireserver.siddou.tk" id="5vjzc0rrvy" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
(16:55:30) sasl: Mechs found: PLAIN GSSAPI
(16:55:30) sasl: GSSAPI client step 1
(16:55:30) jabber: Sending (ssl) ([email protected]): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='GSSAPI' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>password removed</auth>
(16:55:30) sasl: GSSAPI client step 1
(16:55:30) sasl: GSSAPI client step 2
