I use an IPA (FreeIPA.org) server with LDAP + Kerberos 5.
----- Debug ------------------------------------------------------------------------------- -----
2012.04.23 14:35:52 org.jivesoftware.openfire.auth.AuthorizationManager - AuthorizationManager: Trying Default Policy.authorize(evgeniy , evgeniy@FM.LOCAL)
2012.04.23 14:35:52 org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy - DefaultAuthorizationPolicy: Checking authenID realm
2012.04.23 14:35:52 org.jivesoftware.openfire.net.SASLAuthentication - SASLAuthentication: SaslException
javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: evgeniy@FM.LOCAL is not authorized to connect as evgeniy@FM.LOCAL]
at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:292)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:131)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:325)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:183)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:169)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.security.sasl.SaslException: evgeniy@FM.LOCAL is not authorized to connect as evgeniy@FM.LOCAL
at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:284)
... 23 more
-------------------------------------------------------------------------------- -------------------
In info.log there is no problem...
root@xmpp01:/etc/openfire# cat gss.conf
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
principal="xmpp/xmpp01.fm.local@FM.LOCAL"
keyTab="/etc/openfire/xmpp.keytab"
doNotPrompt=true
storeKey=true
useKeyTab=true
isInitiator=false
debug=true;
};
root@xmpp01:/etc/openfire# cat openfire.xml
<?xml version="1.0" encoding="UTF-8"?>
<jive>
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9090</port>
<securePort>9091</securePort>
</adminConsole>
<locale>ru_RU</locale>
<connectionProvider>
<className>org.jivesoftware.database.DefaultConnectionProvider</className>
</connectionProvider>
<database>
<defaultProvider>
<driver>com.mysql.jdbc.Driver</driver>
<serverURL>jdbc:mysql://localhost:3306/openfire</serverURL>
<username>openfire</username>
<password>xxxxxxxxxxxxx</password>
<testSQL>select 1</testSQL>
<testBeforeUse>true</testBeforeUse>
<testAfterUse>true</testAfterUse>
<minConnections>5</minConnections>
<maxConnections>25</maxConnections>
<connectionTimeout>1.0</connectionTimeout>
</defaultProvider>
</database>
<setup>true</setup>
<ldap>
<adminDN/>
<adminPassword/>
</ldap>
</jive>
root@xmpp01:/etc/openfire# klist -ekt /etc/openfire/xmpp.keytab
Keytab name: WRFILE:/etc/openfire/xmpp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 04/23/12 14:26:15 xmpp/xmpp01.fm.local@FM.LOCAL (Triple DES cbc mode with HMAC/sha1)
kinit -kt /etc/openfire/xmpp.keytab xmpp/xmpp01.fm.local — works.
----------------------------------------------------------
config
----------------------------------------------------------
ldap.authorizeField krbPrincipalName
ldap.autoFollowAliasReferrals true
ldap.autoFollowReferrals false
ldap.baseDN cn=accounts,dc=fm,dc=local
ldap.connectionPoolEnabled true
ldap.debugEnabled true
ldap.emailField mail
ldap.encloseDNs true
ldap.groupDescriptionField description
ldap.groupMemberField member
ldap.groupNameField cn
ldap.groupSearchFilter (objectClass=posixGroup)
ldap.host ds01.fm.local
ldap.ldapDebugEnabled true
ldap.nameField cn
ldap.override.avatar true
ldap.port 389
ldap.posixMode false
ldap.searchFields Username/uid,Name/cn,Email/mail
ldap.searchFilter (objectClass=person)
ldap.sslEnabled false
ldap.usernameField uid
ldap.vcard-mapping ...
plugin.search.excludedFields
plugin.search.serviceEnabled true
plugin.search.serviceName search
provider.auth.className org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.authorization.classList org.jivesoftware.openfire.ldap.LdapAuthorizationPolicy org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy
provider.group.className org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className org.jivesoftware.openfire.ldap.LdapVCardProvider
register.inband true
register.password hidden
sasl.gssapi.config /etc/openfire/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly false
sasl.mechs GSSAPI,PLAIN
update.lastCheck 1335035333218
xmpp.auth.anonymous false
xmpp.client.tls.policy optional
xmpp.domain fm.local
xmpp.fqdn xmpp01.fm.local
xmpp.server.certificate.accept-selfsigned false
xmpp.server.dialback.enabled true
xmpp.server.socket.active true
xmpp.server.tls.enabled true
xmpp.session.conflict-limit 0
xmpp.socket.ssl.active true