Single sign on with Active directory and Kerberos V


Mansur Mamkin

Feb 22, 2012, 10:57:26 PM
to Prosody IM Users
Hi all!
Is it possible to set up single sign-on (SSO) with Active Directory (AD)
and Kerberos 5 using Prosody?
I've installed Prosody 0.8 on CentOS 6 and I have an AD domain (Windows
2008 as domain controller).
I already have working SSO to Samba shares on CentOS, so Kerberos
works fine.
Now I'd like to have Kerberos authentication with Miranda IM and
Prosody.
Any help would be appreciated.

Matthew Wild

Feb 23, 2012, 6:44:05 AM
to prosod...@googlegroups.com
Hi,

On 23 February 2012 03:57, Mansur Mamkin <mma...@gmail.com> wrote:
> Hi all!
> Is it possible to set up single sign-on (SSO) with Active Directory (AD)
> and Kerberos 5 using Prosody?

Yes, I believe it is possible. However... I personally have no idea
how to set it up :)

I know a couple of people are using Prosody this way, the first person
contributed support for Cyrus SASL specifically to allow it:
http://prosody.im/doc/cyrus_sasl - this documentation covers the
Prosody side of everything, but setting up the other pieces of the
architecture (the client, directory and Cyrus SASL itself) I hope you
can figure out.

If you do manage to get it working, or if anyone reading this knows
how to, I would dearly love a how-to for the whole thing...

Regards,
Matthew

PS. I didn't know Miranda supported Kerberos, but I haven't used it
for a long time. If it doesn't, Pidgin and Pandion are two clients
that I know do (and are confirmed to work with Prosody).

Mansur Mamkin

Feb 24, 2012, 4:26:20 AM
to Prosody IM Users
Now I've got a working sasl2-sample-server / sasl2-sample-client pair
via the GSSAPI mechanism.
Concerning Prosody, I'm looking at /usr/lib64/prosody/util/sasl; there
are only anonymous, digest-md5, plain and scram modules there. As I
understand it, the gssapi module is missing :(
Should I turn to the prosody-dev mailing list?

Mansur Mamkin

Feb 23, 2012, 11:41:19 PM
to Prosody IM Users
I know Miranda IM supports Kerberos, because my friend already tested
it with ejabberd 2 (+ gssapi patch),
but I'm interested in getting the same with Prosody. I've spent several
days trying to understand SASL, GSSAPI etc., but so far
unsuccessfully.
If anyone else is interested too and can help, I would be glad to
provide a testing environment with an AD domain.
I think this would also help to increase the popularity of Prosody.

Regards,
Mansur