XMPP & Kerberos 5

Dax Kelson dkelson at gurulabs.com
Mon Nov 30 12:27:07 EST 2009


On Mon, 2009-11-30 at 07:59 -0500, Greg Hudson wrote:
> On Mon, 2009-11-30 at 04:25 -0500, Oliver Schmidt wrote:
> > Unfortunately, I failed using a GSSAPI patch for eJabberd together with
> > my Kerberos system. After that, I tried using Openfire, which didn't work
> > out for me either. Now that I've read about that institution-wide XMPP
> > service MIT offers, I know that XMPP _must_ work with Kerberos
> > somehow. Can you tell me how you set it up and, respectively, which
> > software you did use?
> 
> MIT uses Openfire.  I did the initial setup.  You might take a look at:
> 
> http://itlab.stanford.edu/blog/archives/2009/test-services/openfire-and-kerberos-implementation-notes
> 
> The most complicated part comes if you want to allow people to log in
> with passwords over TLS (since many XMPP clients do not have GSSAPI
> support) and check those passwords against the KDC.  Openfire does not
> have native support for that.

Don't most people use Kerberos in conjunction with LDAP? Also, isn't it
typical to have the LDAP server doing passthrough authentication (for simple
bind operations) to the KDC?

The way our Openfire is configured (a native configuration possibility)
is to allow passwords over TLS, which are authenticated via the LDAP server
(which uses the KDC for auth).

This way our Openfire server does native GSSAPI/Kerberos with clients
that support it, and passwords over TLS for those clients that do not.
In either case, the password is the same.

Dax Kelson
Guru Labs



