25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-26 16:26:24 +01:00

Document GSSAPI (EJAB-831)

This commit is contained in:
Badlop 2010-04-15 17:20:57 +02:00
parent 07e459d577
commit f5dc8d2f78
3 changed files with 92 additions and 1 deletions

1
README
View File

@ -16,6 +16,7 @@ To compile ejabberd you need:
- Erlang mysql library. Optional. MySQL authentication/storage.
- Erlang pgsql library. Optional. PostgreSQL authentication/storage.
- PAM library. Optional. For Pluggable Authentication Modules (PAM).
- ESASL library. Optional. For SASL GSSAPI authentication.
- ImageMagick's Convert program. Optional. For CAPTCHA challenges.

View File

@ -350,6 +350,7 @@ GNU Make
</LI><LI CLASS="li-itemize">Erlang mysql library. Optional. For MySQL authentication or storage. See section <A HREF="#compilemysql">3.2.1</A>.
</LI><LI CLASS="li-itemize">Erlang pgsql library. Optional. For PostgreSQL authentication or storage. See section <A HREF="#compilepgsql">3.2.3</A>.
</LI><LI CLASS="li-itemize">PAM library. Optional. For Pluggable Authentication Modules (PAM). See section <A HREF="#pam">3.1.4</A>.
</LI><LI CLASS="li-itemize">ESASL library. Optional. For SASL GSSAPI authentication. See section <A HREF="#gssapi">3.1.4</A>.
</LI><LI CLASS="li-itemize">ImageMagick&#X2019;s Convert program. Optional. For CAPTCHA challenges. See section <A HREF="#captcha">3.1.8</A>.
</LI></UL><P> <A NAME="download"></A> </P><!--TOC subsection Download Source Code-->
<H3 CLASS="subsection"><!--SEC ANCHOR --><A NAME="htoc10">2.4.2</A>&#XA0;&#XA0;<A HREF="#download">Download Source Code</A></H3><!--SEC END --><P> <A NAME="download"></A>
@ -1027,6 +1028,7 @@ database storage in internal Mnesia or ODBC &#X2014; See section&#XA0;<A HREF="#
</LI><LI CLASS="li-itemize">ldap &#X2014; See section&#XA0;<A HREF="#ldap">3.2.5</A>.
</LI><LI CLASS="li-itemize">anonymous &#X2014; See section&#XA0;<A HREF="#saslanonymous">3.1.4</A>.
</LI><LI CLASS="li-itemize">pam &#X2014; See section&#XA0;<A HREF="#pam">3.1.4</A>.
</LI><LI CLASS="li-itemize">a method with SASL GSSAPI &#X2014; See section&#XA0;<A HREF="#gssapi">3.1.4</A>.
</LI></UL><P>Account creation is only supported by the methods:
internal Mnesia storage, ODBC storage, and external.</P><P> <A NAME="authstorage"></A> </P><!--TOC subsubsection Database Storage-->
<H4 CLASS="subsubsection"><!--SEC ANCHOR --><A HREF="#authstorage">Database Storage</A></H4><!--SEC END --><P> <A NAME="authstorage"></A>
@ -1178,7 +1180,40 @@ attacks.
module provides such functionality.
</LI><LI CLASS="li-itemize">If you use <TT>pam_winbind</TT> to authorise against a Windows Active Directory,
then <TT>/etc/nssswitch.conf</TT> must be configured to use <TT>winbind</TT> as well.
</LI></UL><P> <A NAME="accessrules"></A> </P><!--TOC subsection Access Rules-->
</LI></UL><P> <A NAME="gssapi"></A> </P><!--TOC subsubsection SASL GSSAPI Authentication-->
<H4 CLASS="subsubsection"><!--SEC ANCHOR --><A HREF="#gssapi">SASL GSSAPI Authentication</A></H4><!--SEC END --><P> <A NAME="gssapi"></A>
</P><P><TT>ejabberd</TT> supports SASL GSSAPI authentication.
It is compatible with SSO as implemented in Spark 2.5.3.</P><P>To use this feature, you have to download the <TT>esasl</TT> library
source code from
<A HREF="http://github.com/mikma/esasl">http://github.com/mikma/esasl</A>,
compile and install it. Example instructions:
</P><PRE CLASS="verbatim">git clone git://github.com/mikma/esasl.git
cd esasl
./configure --prefix=/usr
make
sudo make install
</PRE><P>After doing this, check that esasl was installed in the <TT>/usr/lib/erlang/lib/</TT> directory.
For compiling esasl, maybe you need to get some development files;
(for example, in Debian, the package <TT>libgsasl7-dev</TT>).</P><P>The SASL GSSAPI mechanism uses a authentication backend only to check for a
valid user name when authorizing the user.
The authentication is done by esasl against a Kerberos key server (KDC).
Often Kerberos authentication is combined with LDAP to store user account information.
To do that, edit <TT>ejabberd.cfg</TT> and modify the <TT>auth_mehtod</TT> depending
on what you want to allow. For example:
</P><PRE CLASS="verbatim">{auth_method, [ldap]}.
</PRE><P>Now define the Kerberos realm:
</P><PRE CLASS="verbatim">{sasl_realm, "Kerberos realm"}.
</PRE><P>and manually set the FQDN.
<TT>ejabberd</TT> does a reverse lookup on the connecting IP and uses
that FQDN for locating its keytab entry in the keytab file.
</P><PRE CLASS="verbatim">{sasl_fqdn, "dbs.example.com"}.
</PRE><P>The environment variable <TT>KRB5_KTNAME</TT> is the location of the keytab file,
and needs to be set before starting ejabberd.
The keytab referenced by <TT>KRB5_KTNAME</TT> should contain the principal xmpp/FQDN,
where FQDN is the fully qualified host name of the ejabberd server.
For example, in Debian, add to the file <TT>/etc/ejabberd/default</TT> the line:
</P><PRE CLASS="verbatim">export KRB5_KTNAME="/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab
</PRE><P> <A NAME="accessrules"></A> </P><!--TOC subsection Access Rules-->
<H3 CLASS="subsection"><!--SEC ANCHOR --><A NAME="htoc25">3.1.5</A>&#XA0;&#XA0;<A HREF="#accessrules">Access Rules</A></H3><!--SEC END --><P> <A NAME="accessrules"></A>
</P><P> <A NAME="ACLDefinition"></A> </P><!--TOC subsubsection ACL Definition-->
<H4 CLASS="subsubsection"><!--SEC ANCHOR --><A HREF="#ACLDefinition">ACL Definition</A></H4><!--SEC END --><P> <A NAME="ACLDefinition"></A>

View File

@ -316,6 +316,7 @@ To compile \ejabberd{} on a `Unix-like' operating system, you need:
\item Erlang mysql library. Optional. For MySQL authentication or storage. See section \ref{compilemysql}.
\item Erlang pgsql library. Optional. For PostgreSQL authentication or storage. See section \ref{compilepgsql}.
\item PAM library. Optional. For Pluggable Authentication Modules (PAM). See section \ref{pam}.
\item ESASL library. Optional. For SASL GSSAPI authentication. See section \ref{gssapi}.
\item ImageMagick's Convert program. Optional. For CAPTCHA challenges. See section \ref{captcha}.
\end{itemize}
@ -1178,6 +1179,7 @@ The following authentication methods are supported by \ejabberd{}:
\item ldap --- See section~\ref{ldap}.
\item anonymous --- See section~\ref{saslanonymous}.
\item pam --- See section~\ref{pam}.
\item a method with SASL GSSAPI --- See section~\ref{gssapi}.
\end{itemize}
Account creation is only supported by the methods:
@ -1400,6 +1402,59 @@ module provides such functionality.
then \term{/etc/nssswitch.conf} must be configured to use \term{winbind} as well.
\end{itemize}
\makesubsubsection{gssapi}{SASL GSSAPI Authentication}
\ind{SASL GSSAPI authentication}
\ejabberd{} supports SASL GSSAPI authentication.
It is compatible with SSO as implemented in Spark 2.5.3.
To use this feature, you have to download the \term{esasl} library
source code from
\footahref{http://github.com/mikma/esasl}{http://github.com/mikma/esasl},
compile and install it. Example instructions:
\begin{verbatim}
git clone git://github.com/mikma/esasl.git
cd esasl
./configure --prefix=/usr
make
sudo make install
\end{verbatim}
After doing this, check that esasl was installed in the \term{/usr/lib/erlang/lib/} directory.
For compiling esasl, maybe you need to get some development files;
(for example, in Debian, the package \term{libgsasl7-dev}).
The SASL GSSAPI mechanism uses a authentication backend only to check for a
valid user name when authorizing the user.
The authentication is done by esasl against a Kerberos key server (KDC).
Often Kerberos authentication is combined with LDAP to store user account information.
To do that, edit \term{ejabberd.cfg} and modify the \term{auth\_mehtod} depending
on what you want to allow. For example:
\begin{verbatim}
{auth_method, [ldap]}.
\end{verbatim}
Now define the Kerberos realm:
\begin{verbatim}
{sasl_realm, "Kerberos realm"}.
\end{verbatim}
and manually set the FQDN.
\ejabberd{} does a reverse lookup on the connecting IP and uses
that FQDN for locating its keytab entry in the keytab file.
\begin{verbatim}
{sasl_fqdn, "dbs.example.com"}.
\end{verbatim}
The environment variable \term{KRB5\_KTNAME} is the location of the keytab file,
and needs to be set before starting ejabberd.
The keytab referenced by \term{KRB5\_KTNAME} should contain the principal xmpp/FQDN,
where FQDN is the fully qualified host name of the ejabberd server.
For example, in Debian, add to the file \term{/etc/ejabberd/default} the line:
\begin{verbatim}
export KRB5_KTNAME="/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab
\end{verbatim}
\makesubsection{accessrules}{Access Rules}
\ind{access rules}\ind{ACL}\ind{Access Control List}