Single Sign On that works with OpenFire on Linux
At the moment, Pandion's 'Integrated Windows Auth' mode only works when OpenFire is running on Windows using some SSPI native-Windows plugins to support NTLM auth.
OpenFire's own client, Spark, allows SSO with a little Kerberos work creating new service principals - it would be wonderful to be able to run OpenFire on Linux and still use Pandion for our corporate users!
-
We *think* the latest changes should work with the GSSAPI mechanism for SASL. That means it would also work with OpenFire on Linux without GSS-SPNEGO or NTLM plugins. The problem is that we don't have any environment to test this. If you could help by trying this on your network or providing us access to test then I'd be happy to send you a build of Pandion 2.6-dev (or you can get the code from the git repository and compile it yourself).
-
I'm more than happy to try this out. Spark is a nice client, but we have 200+ instances of Pandion, and people like it :) gdh AT acentral dot co dot uk please :)
-
If you have a public XMPP address please contact me cbas@pandion.be
-
Hm, have tried to message add you but it's failing - joy. Email might yet be the best idea.
-
I can test it as well, we are using Openfire server in an AD (Windows 2003) environment.
Email me at andreas.vindal at gmail dot com -
You can now get the latest build here:
http://sourceforge.net/projects/pandi...
Please try and let me know. -
Aha, but I still need the patch for Openfire, right?
-
I believe so, yes. That's really up to Openfire and what it implements.
-
Just found this thread and this looks very promising. I have an Openfire server running on Linux (so no NTLM) but all of my Spark clients are configured to use SSO by way of Kerberos. I will also give this a try and see what I can come up with.
-
I am testing the latest Pandion build 2.6.38. It does not work with OpenFire on Linux with SSO+Kerberos. On login Pandion shows the error message "Bad password".
Spark+SSO+Kerberos works fine with this server.
This is the debug output of Pandion:
"EVNT: Connecting to orion-farma.lan
SENT: <?xml version="1.0"?>
SENT: <stream:stream>
RECV: <?xml version="1.0" encoding="UTF-8"?><stream:stream>
RECV: <stream:features><starttls><required /></starttls><mechanisms><mechanism>GSSAPI</mechanism></mechanisms></stream:features>
SENT: <starttls />
RECV: <proceed />
SENT: <stream:stream>
RECV: <?xml version="1.0" encoding="UTF-8"?><stream:stream>
RECV: <stream:features><mechanisms><mechanism>GSSAPI</mechanism></mechanisms><compression><method>zlib</method></compression><auth /></stream:features>
SENT: <auth />
RECV: <failure><not-authorized /></failure>
SENT: </stream:stream>
EVNT: Disconnected"
-
Thank you for testing and posting your findings. Sadly it appears that the API Windows exposes to Pandion is not compatible with GSSAPI, or at least we haven't yet figured out how it could work. For now Pandion's Single Sign On (SSO) support is only compatible with the NTLM and GSS-SPNEGO mechanisms.
-
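Added example (not part of the thread, and not Pandion's or Openfire's code): a small check over the RECV lines of the debug output above that shows why the login fails. It keeps only the SASL mechanisms advertised after `<proceed />` and intersects them with the SSO mechanisms the developer's reply names; the function names are hypothetical and the log lines are copied from the post as a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relevant RECV lines from the Pandion debug output in this thread.
RECV_LOG = """\
RECV: <stream:features><starttls><required /></starttls><mechanisms><mechanism>GSSAPI</mechanism></mechanisms></stream:features>
RECV: <proceed />
RECV: <stream:features><mechanisms><mechanism>GSSAPI</mechanism></mechanisms><compression><method>zlib</method></compression><auth /></stream:features>
"""

# Assumption taken from the developer's reply: the SSO mechanisms Pandion supports.
CLIENT_SSO_MECHS = ["GSS-SPNEGO", "NTLM"]

def local(tag):
    """Strip an ElementTree '{namespace}' prefix so logged and live stanzas both match."""
    return tag.rsplit("}", 1)[-1]

def parse_features(stanza):
    """Return (offered SASL mechanisms, STARTTLS-required flag) for one features stanza."""
    # The logged stanzas have lost their xmlns attributes, so bind the prefix in a wrapper.
    root = ET.fromstring(
        '<w xmlns:stream="http://etherx.jabber.org/streams">' + stanza + "</w>")
    mechs, tls_required = [], False
    for el in root.iter():
        if local(el.tag) == "mechanism" and el.text:
            mechs.append(el.text.strip().upper())
        elif local(el.tag) == "starttls":
            tls_required = any(local(c.tag) == "required" for c in el)
    return mechs, tls_required

def negotiate(recv_log, client_mechs):
    """Pick a mechanism using only the features received after <proceed/>."""
    # Features sent before TLS are unauthenticated and must not drive the choice.
    stanzas = [line.split("RECV:", 1)[1].strip()
               for line in recv_log.splitlines() if "RECV:" in line]
    tls_done, offered = False, []
    for s in stanzas:
        if re.match(r"<proceed\b", s):
            tls_done, offered = True, []   # discard anything advertised in cleartext
        elif s.startswith("<stream:features"):
            mechs, _ = parse_features(s)
            offered = mechs if tls_done else []
    chosen = next((m for m in client_mechs if m in offered), None)
    return {"tls": tls_done, "offered": offered, "chosen": chosen}
```

With the log above the result has `chosen` set to `None`: the server offers only GSSAPI, so a client limited to GSS-SPNEGO and NTLM has no SSO mechanism in common with it.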
Is it fixed? -
GSSAPI on windows is certainly possible - the Win32 standard build of Thunderbird has 'Secure Password Authentication' mode which allows passwordless login to a Kerberised IMAP/POP3 server. -
I hope developers find a way to Kerberise Pandion. -
Please review my Spark login logs; maybe they will help you.
Only sent packets are logged.
<stream:stream>
<starttls />
<stream:stream>
<auth>[base64-encoded GSSAPI token omitted]</auth>
<response>=</response>
<response>YDsGCSqGSIb3EgECAgIBAAD/////+BFpZcNDa7r5kNcjymI1SpGI1Z58VCQcAQEAAGtpcmlsa2luZAMDAw==</response>
<stream:stream>
<iq type="set"><bind><resource>spark</resource></bind></iq>
<iq type="set"><session /></iq> -
Thanks again for the data. Currently GSSAPI-based SSO will not work in Pandion. You can run your Openfire server on Windows to have NTLM support instead and achieve the same result.
-
Yep - I think this is also stated on the OpenFire homepage - that SSO only works if OpenFire is installed on a Windows computer (doesn't have to be 2003 server - XP works fine)
-
Sebastiaan, please review this article http://msdn.microsoft.com/en-us/libra...(VS.85).aspx
-
Thank you everyone for the information. The main stumbling block for us is that we don't have a test environment for GSSAPI. Can someone help us by providing a test account on your (already known to work with Spark) Openfire/Linux/GSSAPI setup? I guess VPN or remote desktop would be required.
-
Sebastiaan, I will provide you a test environment, built in VMware VMs. Please send me the software requirements for the test environment to dak6@yandex.ru. Unfortunately I speak Russian and my English is very bad.
-
@dumsik Thanks, I'll be in touch.
@* Any other suggestions are always welcome. -
Openfire on Linux here with SSO and Pidgin as client.
It just works by installing Network Identity Manager on the clients.
http://www.secure-endpoints.com/netid...
Maybe that's an option even for Pandion?
cheers!
