Document GSSAPI (EJAB-831)
This commit is contained in:
Badlop
parent
07e459d577
commit
f5dc8d2f78
1
README
1
README
|
|
@ -16,6 +16,7 @@ To compile ejabberd you need:
|
|||
- Erlang mysql library. Optional. MySQL authentication/storage.
|
||||
- Erlang pgsql library. Optional. PostgreSQL authentication/storage.
|
||||
- PAM library. Optional. For Pluggable Authentication Modules (PAM).
|
||||
- ESASL library. Optional. For SASL GSSAPI authentication.
|
||||
- ImageMagick's Convert program. Optional. For CAPTCHA challenges.
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -350,6 +350,7 @@ GNU Make
|
|||
</LI><LI CLASS="li-itemize">Erlang mysql library. Optional. For MySQL authentication or storage. See section <A HREF="#compilemysql">3.2.1</A>.
|
||||
</LI><LI CLASS="li-itemize">Erlang pgsql library. Optional. For PostgreSQL authentication or storage. See section <A HREF="#compilepgsql">3.2.3</A>.
|
||||
</LI><LI CLASS="li-itemize">PAM library. Optional. For Pluggable Authentication Modules (PAM). See section <A HREF="#pam">3.1.4</A>.
|
||||
</LI><LI CLASS="li-itemize">ESASL library. Optional. For SASL GSSAPI authentication. See section <A HREF="#gssapi">3.1.4</A>.
|
||||
</LI><LI CLASS="li-itemize">ImageMagick’s Convert program. Optional. For CAPTCHA challenges. See section <A HREF="#captcha">3.1.8</A>.
|
||||
</LI></UL><P> <A NAME="download"></A> </P><!--TOC subsection Download Source Code-->
|
||||
<H3 CLASS="subsection"><!--SEC ANCHOR --><A NAME="htoc10">2.4.2</A>  <A HREF="#download">Download Source Code</A></H3><!--SEC END --><P> <A NAME="download"></A>
|
||||
|
|
@ -1027,6 +1028,7 @@ database storage in internal Mnesia or ODBC — See section <A HREF="#
|
|||
</LI><LI CLASS="li-itemize">ldap — See section <A HREF="#ldap">3.2.5</A>.
|
||||
</LI><LI CLASS="li-itemize">anonymous — See section <A HREF="#saslanonymous">3.1.4</A>.
|
||||
</LI><LI CLASS="li-itemize">pam — See section <A HREF="#pam">3.1.4</A>.
|
||||
</LI><LI CLASS="li-itemize">a method with SASL GSSAPI — See section <A HREF="#gssapi">3.1.4</A>.
|
||||
</LI></UL><P>Account creation is only supported by the methods:
|
||||
internal Mnesia storage, ODBC storage, and external.</P><P> <A NAME="authstorage"></A> </P><!--TOC subsubsection Database Storage-->
|
||||
<H4 CLASS="subsubsection"><!--SEC ANCHOR --><A HREF="#authstorage">Database Storage</A></H4><!--SEC END --><P> <A NAME="authstorage"></A>
|
||||
|
|
@ -1178,7 +1180,40 @@ attacks.
|
|||
module provides such functionality.
|
||||
</LI><LI CLASS="li-itemize">If you use <TT>pam_winbind</TT> to authorise against a Windows Active Directory,
|
||||
then <TT>/etc/nssswitch.conf</TT> must be configured to use <TT>winbind</TT> as well.
|
||||
</LI></UL><P> <A NAME="accessrules"></A> </P><!--TOC subsection Access Rules-->
|
||||
</LI></UL><P> <A NAME="gssapi"></A> </P><!--TOC subsubsection SASL GSSAPI Authentication-->
|
||||
<H4 CLASS="subsubsection"><!--SEC ANCHOR --><A HREF="#gssapi">SASL GSSAPI Authentication</A></H4><!--SEC END --><P> <A NAME="gssapi"></A>
|
||||
</P><P><TT>ejabberd</TT> supports SASL GSSAPI authentication.
|
||||
It is compatible with SSO as implemented in Spark 2.5.3.</P><P>To use this feature, you have to download the <TT>esasl</TT> library
|
||||
source code from
|
||||
<A HREF="http://github.com/mikma/esasl">http://github.com/mikma/esasl</A>,
|
||||
compile and install it. Example instructions:
|
||||
</P><PRE CLASS="verbatim">git clone git://github.com/mikma/esasl.git
|
||||
cd esasl
|
||||
./configure --prefix=/usr
|
||||
make
|
||||
sudo make install
|
||||
</PRE><P>After doing this, check that esasl was installed in the <TT>/usr/lib/erlang/lib/</TT> directory.
|
||||
For compiling esasl, maybe you need to get some development files;
|
||||
(for example, in Debian, the package <TT>libgsasl7-dev</TT>).</P><P>The SASL GSSAPI mechanism uses a authentication backend only to check for a
|
||||
valid user name when authorizing the user.
|
||||
The authentication is done by esasl against a Kerberos key server (KDC).
|
||||
Often Kerberos authentication is combined with LDAP to store user account information.
|
||||
To do that, edit <TT>ejabberd.cfg</TT> and modify the <TT>auth_mehtod</TT> depending
|
||||
on what you want to allow. For example:
|
||||
</P><PRE CLASS="verbatim">{auth_method, [ldap]}.
|
||||
</PRE><P>Now define the Kerberos realm:
|
||||
</P><PRE CLASS="verbatim">{sasl_realm, "Kerberos realm"}.
|
||||
</PRE><P>and manually set the FQDN.
|
||||
<TT>ejabberd</TT> does a reverse lookup on the connecting IP and uses
|
||||
that FQDN for locating its keytab entry in the keytab file.
|
||||
</P><PRE CLASS="verbatim">{sasl_fqdn, "dbs.example.com"}.
|
||||
</PRE><P>The environment variable <TT>KRB5_KTNAME</TT> is the location of the keytab file,
|
||||
and needs to be set before starting ejabberd.
|
||||
The keytab referenced by <TT>KRB5_KTNAME</TT> should contain the principal xmpp/FQDN,
|
||||
where FQDN is the fully qualified host name of the ejabberd server.
|
||||
For example, in Debian, add to the file <TT>/etc/ejabberd/default</TT> the line:
|
||||
</P><PRE CLASS="verbatim">export KRB5_KTNAME="/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab
|
||||
</PRE><P> <A NAME="accessrules"></A> </P><!--TOC subsection Access Rules-->
|
||||
<H3 CLASS="subsection"><!--SEC ANCHOR --><A NAME="htoc25">3.1.5</A>  <A HREF="#accessrules">Access Rules</A></H3><!--SEC END --><P> <A NAME="accessrules"></A>
|
||||
</P><P> <A NAME="ACLDefinition"></A> </P><!--TOC subsubsection ACL Definition-->
|
||||
<H4 CLASS="subsubsection"><!--SEC ANCHOR --><A HREF="#ACLDefinition">ACL Definition</A></H4><!--SEC END --><P> <A NAME="ACLDefinition"></A>
|
||||
|
|
|
|||
|
|
@ -316,6 +316,7 @@ To compile \ejabberd{} on a `Unix-like' operating system, you need:
|
|||
\item Erlang mysql library. Optional. For MySQL authentication or storage. See section \ref{compilemysql}.
|
||||
\item Erlang pgsql library. Optional. For PostgreSQL authentication or storage. See section \ref{compilepgsql}.
|
||||
\item PAM library. Optional. For Pluggable Authentication Modules (PAM). See section \ref{pam}.
|
||||
\item ESASL library. Optional. For SASL GSSAPI authentication. See section \ref{gssapi}.
|
||||
\item ImageMagick's Convert program. Optional. For CAPTCHA challenges. See section \ref{captcha}.
|
||||
\end{itemize}
|
||||
|
||||
|
|
@ -1178,6 +1179,7 @@ The following authentication methods are supported by \ejabberd{}:
|
|||
\item ldap --- See section~\ref{ldap}.
|
||||
\item anonymous --- See section~\ref{saslanonymous}.
|
||||
\item pam --- See section~\ref{pam}.
|
||||
\item a method with SASL GSSAPI --- See section~\ref{gssapi}.
|
||||
\end{itemize}
|
||||
|
||||
Account creation is only supported by the methods:
|
||||
|
|
@ -1400,6 +1402,59 @@ module provides such functionality.
|
|||
then \term{/etc/nssswitch.conf} must be configured to use \term{winbind} as well.
|
||||
\end{itemize}
|
||||
|
||||
|
||||
\makesubsubsection{gssapi}{SASL GSSAPI Authentication}
|
||||
\ind{SASL GSSAPI authentication}
|
||||
|
||||
\ejabberd{} supports SASL GSSAPI authentication.
|
||||
It is compatible with SSO as implemented in Spark 2.5.3.
|
||||
|
||||
To use this feature, you have to download the \term{esasl} library
|
||||
source code from
|
||||
\footahref{http://github.com/mikma/esasl}{http://github.com/mikma/esasl},
|
||||
compile and install it. Example instructions:
|
||||
\begin{verbatim}
|
||||
git clone git://github.com/mikma/esasl.git
|
||||
cd esasl
|
||||
./configure --prefix=/usr
|
||||
make
|
||||
sudo make install
|
||||
\end{verbatim}
|
||||
After doing this, check that esasl was installed in the \term{/usr/lib/erlang/lib/} directory.
|
||||
For compiling esasl, maybe you need to get some development files;
|
||||
(for example, in Debian, the package \term{libgsasl7-dev}).
|
||||
|
||||
The SASL GSSAPI mechanism uses a authentication backend only to check for a
|
||||
valid user name when authorizing the user.
|
||||
The authentication is done by esasl against a Kerberos key server (KDC).
|
||||
Often Kerberos authentication is combined with LDAP to store user account information.
|
||||
To do that, edit \term{ejabberd.cfg} and modify the \term{auth\_mehtod} depending
|
||||
on what you want to allow. For example:
|
||||
\begin{verbatim}
|
||||
{auth_method, [ldap]}.
|
||||
\end{verbatim}
|
||||
|
||||
Now define the Kerberos realm:
|
||||
\begin{verbatim}
|
||||
{sasl_realm, "Kerberos realm"}.
|
||||
\end{verbatim}
|
||||
and manually set the FQDN.
|
||||
\ejabberd{} does a reverse lookup on the connecting IP and uses
|
||||
that FQDN for locating its keytab entry in the keytab file.
|
||||
\begin{verbatim}
|
||||
{sasl_fqdn, "dbs.example.com"}.
|
||||
\end{verbatim}
|
||||
|
||||
The environment variable \term{KRB5\_KTNAME} is the location of the keytab file,
|
||||
and needs to be set before starting ejabberd.
|
||||
The keytab referenced by \term{KRB5\_KTNAME} should contain the principal xmpp/FQDN,
|
||||
where FQDN is the fully qualified host name of the ejabberd server.
|
||||
For example, in Debian, add to the file \term{/etc/ejabberd/default} the line:
|
||||
\begin{verbatim}
|
||||
export KRB5_KTNAME="/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab
|
||||
\end{verbatim}
|
||||
|
||||
|
||||
\makesubsection{accessrules}{Access Rules}
|
||||
\ind{access rules}\ind{ACL}\ind{Access Control List}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue