Authenticate Against SASL GSSAPI

Note: this patch was included in the ejabberd master branch, and will be included in the future ejabberd 3.0.0-alpha releases. You can test it there.

Description (not complete yet)

This contribution provides SASL GSSAPI support to ejabberd as a cyrsasl_gssapi module. It is compatible with SSO as implemented in Spark 2.5.3.

How to Apply the Patch

  1. Download esasl-0.1.tar.gz (alternate download: esasl-0.1.tar.gz, or from esasl github repository). You may need some development files: for example in Debian you can install the package libgsasl7-dev.

  2. Compile and install esasl. Example instructions:

    $ tar -xvzf esasl-0.1.tar.gz
    $ cd esasl-0.1
    $ ./configure --prefix=/usr
    $ make
    $ make install

    This should install esasl-0.1 into the /usr/lib/erlang/lib/ directory. Check to make sure.

  3. Go to the directory where you have the ejabberd source code. For example: ejabberd/src/

  4. Download the GSSAPI patch to that directory

  5. Apply the patch:

    $ patch -p2 < gssapi-2.1.0.diff
    patching file cyrsasl_anonymous.erl
    patching file cyrsasl_digest.erl
    patching file cyrsasl.erl
    patching file cyrsasl_gssapi.erl
    patching file cyrsasl_plain.erl
    patching file ejabberd_c2s.erl
    patching file ejabberd.hrl
    patching file ejabberd_net.erl
    
  6. Compile ejabberd:

    $ make

  7. The SASL GSSAPI mechanism uses an authentication backend only to check for a valid user name when authorizing the user. The authentication itself is done by esasl against the Kerberos Key Distribution Center (KDC). Often Kerberos authentication is combined with LDAP to store user account information. To do that, edit ejabberd.cfg and modify auth_method depending on what you want to allow. For example:

    {auth_method, [ldap]}.

    Define sasl_realm with the Kerberos realm:

    {sasl_realm, "Kerberos realm"}.

    Manually set the FQDN. ejabberd does a reverse lookup on the connecting IP and uses that FQDN for locating its keytab entry in the keytab file.

    {sasl_fqdn, "dbs.example.com"}.

  8. The environment variable KRB5_KTNAME is the location of the keytab file, and needs to be set before starting ejabberd. The keytab referenced by KRB5_KTNAME should contain the principal xmpp/FQDN, where FQDN is the fully qualified host name of the ejabberd server. For example, in Debian, add the line

    export KRB5_KTNAME="/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab"

    to the file /etc/ejabberd/default.

  9. Start ejabberd
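A pre-flight check for the keytab and FQDN configuration of steps 7 and 8, added here as an example (it is not part of the contribution, the GSSAPI patch or esasl). It assumes an MIT or Heimdal `klist` and a working `hostname -f`; the `preflight` function and the sample `klist -k` listing are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for steps 7 and 8 (added example, not part of the contribution or esasl).
# It derives the principal esasl acquires credentials for from sasl_fqdn and sasl_realm,
# checks that KRB5_KTNAME names a readable keytab, and looks for that principal in a
# `klist -k` listing: the keytab/FQDN mismatch behind the gsasl_error 43 seen in the comments.

# Principal ejabberd looks up: the "xmpp" service for the configured FQDN in the configured realm.
expected_principal() {
    printf 'xmpp/%s@%s\n' "$1" "$2"
}

# $1: `klist -k` style listing (MIT or Heimdal), $2: principal. Succeeds if any row has a
# field equal to the principal; header lines never contain a full principal.
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# The environment step 8 requires: KRB5_KTNAME set and the file readable by the ejabberd user.
check_ktname_env() {
    if [ -z "${KRB5_KTNAME:-}" ]; then
        echo "KRB5_KTNAME is not set; the Kerberos library would use the default keytab" >&2
        return 1
    fi
    path="${KRB5_KTNAME#FILE:}"   # the variable may carry a FILE: prefix
    if [ ! -r "$path" ]; then
        echo "keytab $path is not readable by $(id -un)" >&2
        return 1
    fi
}

# Live check (constructed helper): hostname, environment and the real keytab via klist.
preflight() {
    want=$(expected_principal "$1" "$2")
    [ "$(hostname -f 2>/dev/null)" = "$1" ] || echo "warning: hostname -f differs from sasl_fqdn $1" >&2
    check_ktname_env || return 1
    keytab_lists_principal "$(klist -k)" "$want" && echo "ok: $want present in $KRB5_KTNAME"
}

# Constructed sample of `klist -k` output for the keytab named in step 8.
SAMPLE_LISTING='Keytab name: FILE:/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 xmpp/dbs.example.com@EXAMPLE.COM
   3 xmpp/dbs.example.com@EXAMPLE.COM'

# Demonstration on the sample: the configured FQDN versus a name reverse DNS might yield instead.
for host in dbs.example.com jabber.example.com; do
    p=$(expected_principal "$host" EXAMPLE.COM)
    if keytab_lists_principal "$SAMPLE_LISTING" "$p"; then
        echo "$p: present in keytab"
    else
        echo "$p: missing, expect gsasl_error 43 (acquire credentials) from esasl:server_start"
    fi
done
```

Run `preflight dbs.example.com EXAMPLE.COM` as the ejabberd user with KRB5_KTNAME exported as in step 8, before starting the server.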


Hey, thanks for doing this

Hey,

thanks for doing this patch. I'm curious why it hasn't been included in the standard ejabberd source for 2.1.x, does anyone know this?

I'm currently figuring out how I could achieve OAuth2.0 authentication with ejabberd and it seems that there's a new IETF standard for OAuth2.0 over GSS-API.
Does anyone know how this would work? Would this work without changes to the GSS-API-Patch?

Thanks,

- Michael

I'm interested also. Please

I'm interested also. Please update the patch or, better, just include it into the mainstream. I'm trying to compile the current version for Ubuntu (2.1.9) with the patch applied but still getting the error

========================================================================================
/usr/bin/erlc -W -DSSL40 -pa . cyrsasl_digest.erl
/usr/bin/erlc -W -DSSL40 -pa . cyrsasl_gssapi.erl
./cyrsasl_gssapi.erl:83: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:93: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:120: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:128: argument mismatch for macro 'DEBUG'
./cyrsasl_gssapi.erl:46: function mech_new/1 undefined
./cyrsasl_gssapi.erl:88: function do_step/2 undefined
./cyrsasl_gssapi.erl:56: Warning: record state is unused
make[1]: *** [cyrsasl_gssapi.beam] Error 1
make[1]: Leaving directory `/home/user/prj/ejabberd/ejabberd-2.1.9/src'
dh_auto_build: make -j1 returned exit code 2
make: *** [build-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
=====================================================================

I have successfully made .deb for esasl with checkinstall, installed it but it seems that erlc is unable to find some deps...
Did anybody have luck with that?

Can you try this patch for

Can you try this patch for ejabberd 2.1.10, and comment if it works correctly or not?
http://tkabber.jabber.ru/files/contributions/gssapi-2.1.10.diff

Hi, badlop. I've successfully

Hi, badlop

I've successfully modified the former patch to support 2.1.9 but it is broken. It incorrectly manages the sasl_ctx record, avoiding gssapi initialize properly. I'm trying to backport gssapi stuff from 3.x ver. If you can help me with that please find me on conference at jabber.ru. My nick is ferimy. I'm sure that the problem is quite simple and the fix should not be complex but I'm weak in erlang so your help is highly appreciated.
Anyway, I'll look at this patch to see if it's correct.

Update:
at first look patch won't produce mechlist to client at all since it uses

-record(sasl_mechanism, {mechanism, module, password_type, require_plain_password}).

so each module should return false as 3rd arg.

Secondly, you forgot to include "realm" here

-record(state, {sasl,
+ needsmore=true,
+ step=0,
+ host,
+ authid,
+ authzid,
+ authrealm}).

////
Thanks!

New patch version

New patch version for ejabberd 2.1.5 from the Fedora project is available at ftp://fr2.rpmfind.net/linux/fedora/development/rawhide/source/SRPMS/ejab... ejabberd-0009-Support-SASL-GSSAPI-authentication-thanks-to-Mikael-.patch

configure: error: You need the ei library

Hi,

This might be a little bit off topic. But I can't seem to install esasl-0.1. When I run configure --prefix=/usr, I get the error and the following logs:

checking ei.h usability... yes
checking ei.h presence... yes
checking for ei.h... yes
checking for ei_decode_version in -lei... no
configure: error: You need the ei library

My erlang library is in /usr/local/lib/erlang/lib. I use FreeBSD 7.2 and installed ejabberd from the port created by http://fujibayashi.jp/2009/12/13/amusingly-enough-freebsd-and-ejabberd/

Hope you can shed a light on this.

Thanks.

Re: configure: error: You need the ei library

You need to tell the script where your libei.a is located (I have mine at /usr/local/lib/erlang/lib/erl_interface-3.6.4/lib/libei.a). So you need to add this switch to configure: -CPPFLAGS="-L/your/path/to/lib".
You may also encounter some problems after successful configure, in the gmake phase. I had to modify the Makefile files that were made by configure script. To be specific, I had to tweak the esasl/c_src/Makefile to make the variable GSASL_LIBS to include that same string. Now I have that line look like this:
GSASL_LIBS = -L/usr/local/lib -L/usr/local/lib/erlang/lib/erl_interface-3.6.4/lib -lgsasl
Hope this helps.

PS. Note to mikma: It would be nice if you could modify the configuration script so that the commands that make use of that GSASL_LIBS thing would also note the contents of the CPPFLAGS. Thank you for help.

I have improved the configure

I have improved the configure script on github: http://github.com/mikma/esasl

/Mikael

Hi mikekaganski! Thank you

Hi mikekaganski!

Thank you for your help. Installation worked. I had to change GSASL_LIBS in all Makefiles, though. After installation and patching, I recompiled to new beam files and manually copied them to the erlang dir. My ejabberd then could not start properly so I had to revert to the old beam files. I will try to search for more clues.

Thanks again!

Maybe you need to make

Maybe you need to make install ejabberd to make it work? I haven't installed it on my test machine until I've patched it (I "make configure" ejabberd port to cause it to download and unpack the tarball, then patched it, then issued "make install"). Maybe you need to "make deinstall && make clean && make install"? Or maybe just make clean the ejabberd port before recompiling the new beams?

Patch for ejabberd svn 2638 (2.1.0-rc2)

I have taken the patch here and modified it to compile against 2.1.0-rc2 (which is yet in development). I have tested it and it works fine. Also I have added the below new configuration option.

{sasl_fqdn, "dbs.example.com"}

From what I know, ejabberd does a reverse lookup on the connecting IP and uses that FQDN for locating its keytab entry in the keytab file. This option helps to manually set the FQDN. But it should be noted that once this option is used, upon removing it, ejabberd will continue to use the same fqdn rather than reverting to the original behaviour (perhaps the fqdn is getting cached somewhere in the mnesia database). Therefore if you need to use another fqdn, then you have to change the value of this configuration option and the new fqdn will be used from the next time you start ejabberd. The same concern has been raised by me at http://www.ejabberd.im/node/3098#comment-53676. Any input on how this could be fixed is appreciated.

Also I noted that the patch (or the internal sasl library) recognizes the environment variable KRB5_KTNAME for setting the location of the keytab file. So for example, if you are using Debian, adding the line

export KRB5_KTNAME="/etc/keytabs/xmpp-dbs.example.com-EXAMPLE.COM.keytab"

to /etc/ejabberd/default will set the location of the keytab file in which the keytab entry should be searched.

The installation of the patch is the same as described above. Except that in step 5 instead of using "-p0", you should use "-p1".

I am temporarily uploading the file to my personal server. It can be downloaded at http://rahul.amaram.name/sites/default/blog/gssapi.patch. I would greatly appreciate it if someone could take this and add it here soon.

Patch uploaded, documentation updated.

> it would be wise to review the patch in case you are planning to add it here :).

I verified that your patch applies and compiles correctly in ejabberd trunk SVN (2.1.0-rc2). I can't test its operation because I know nothing about GSSAPI. In any case, the previous versions of the patch were also untested, and are available in case of any problem with your one.

> take this and add it here

I've uploaded your patch to the page, added a link and improved the documentation with your explanations.

> once this option is used, upon removing it, ejabberd will continue to use the same fqdn

That behavior of ejabberd.cfg is normal, see the ejabberd Guide: "The content from this file will be parsed and stored in the internal ejabberd database. Subsequently the configuration will be loaded from the database and any commands in the configuration file are appended to the entries in the database."

To avoid that behavior, you can use the override* lines. See the Guide.

Kindly review it

Just to add a small note. I hardly know erlang. I applied the gssapi patch for 2.0.5 against 2.1.0, resolved the conflicts, made modifications which seemed sensible and generated the patch. I've tested it and it works. Anyway, I think it would be wise to review the patch in case you are planning to add it here :).

GSSAPI on ejabberd 2.0.x

I have tested the GSSAPI patch for ejabberd 2.0.1, and 2.0.3. Both patches work with esasl 0.1, and the patch for 2.0.3 also works on 2.0.5.

Unfortunately it's not possible to use both internal and ldap authentication in version 2.0.3 and newer (using "auth_method, [internal, ldap]."), neither with or without the esasl patch.

I have created an esasl repository on github, and uploaded the 0.1 release: http://github.com/mikma/esasl/tree/master

/Mikael

GSSAPI patch for version >= 2.0.0

Hi,
Is this patch expected to be upgraded anytime soon so that it can work for ejabberd versions >= 2.0.0?

Regards,
Rahul.

Installing esasl

These were the steps I followed on debian etch for installing esasl

# apt-get install erlang libgsasl7-dev (first install dependencies)
# wget "http://www.hem.za.org/esasl/esasl-0.1.tar.gz"
# tar -xvzf esasl-0.1.tar.gz
# cd esasl-0.1
# ./configure --prefix=/usr
# make
# make install

This should install esasl-0.1 into the /usr/lib/erlang/lib/ directory. Check to make sure.

Instructions added.

Thanks, I've added your instructions to the general instructions.

First of all, download, compile and install 'esasl'.

"Since the library esasl is used to authenticate the user instead of using the usual auth backends, you need install that library. It's distributed as a patch to jungerl: http://hem.no-ip.info/esasl2.patch (alternate download: esasl2.patch)"

"First of all, download, compile and install 'esasl'."

Well, you could be a little more helpful on this part because for someone new to erlang it's far from being intuitive.
Figuring out what jungerl is and how to get it is only the first part [http://jungerl.sourceforge.net/]
Next you have to make it build. Don't forget to install libgsasl7-dev (well at least for debian/etch) before everything
and if the configure is failing, running aclocal and autoconf in the config directory can help.

And that's only the first part, since (as of now) a make all of jungerl doesn't complete (even without the patch).
Also there seem to be a missing Makefile in the patch (for lib/esasl/ folder).

As for me I copied the egssapi/Makefile in esasl and built those two directories using "make" in each, after creating the ebin and priv directories manually since the Makefile didn't create them.

And next how to install: as for me I copied the ebin directories into /usr/lib/erlang/lib/esasl/ and /usr/lib/erlang/lib/egssapi/

Hello! Where I can get

Hello!

Where can I get "esasl"? The direct link to this package doesn't work, the site is down. And I need help: should I patch the original esasl with esasl2.patch? This is a very strange instruction... but gssapi support is needed..

Added working link, added steps

I've updated the instructions: now there is a working link to esasl, and steps to install it.

Can't make ejabberd 1.1.2

Can't make ejabberd 1.1.2 after patching

/usr/bin/erlc -W XmppAddr.erl
/usr/bin/erlc -W ejabberd_s2s_in.erl
./ejabberd_s2s_in.erl:33: can't find include lib "ssl/include/PKIX1Explicit88.hrl"
./ejabberd_s2s_in.erl:34: can't find include lib "ssl/include/PKIX1Implicit88.hrl"
./ejabberd_s2s_in.erl:574: undefined macro ''id-at-commonName''
./ejabberd_s2s_in.erl:259: function get_cert_domains/1 undefined
make: *** [ejabberd_s2s_in.beam] Error 1

Version 2.0.1/2.0.3: make completes, but it doesn't start normally; the process is started but the jabberd ports are not opened.

---
Debian Lenny | 2.6.26-2-686

ejabberd 1.1.x requires Erlang R11. Three solutions

You use Debian Lenny, so you probably have Erlang/OTP R12B-3. The Debian package is called erlang 1:12.b.3-dfsg-4.

However, ejabberd 1.1.x doesn't support R12. You have three different solutions:

  • Apply the small ejab-446.patch to your ejabberd 1.1.2, and then compile it with your current Erlang R12.
  • Install some old Erlang R11 (from Debian Etch for example), and then compile ejabberd 1.1.2.
  • Download ejabberd 2.0.3 and the GSSAPI patch for that version, and then compile it with your current Erlang R12.

where bug?

After patching and compiling ejabberd-2.0.3 it started normally, but authorization over GSSAPI isn't working

LOG:

=INFO REPORT==== 2009-05-12 19:49:34 ===
D(<0.466.0>:ejabberd_c2s:1352) : Send XML on stream = "<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='3352739445' from='mydomain.com' version='1.0' xml:lang='en'>"

=INFO REPORT==== 2009-05-12 19:49:34 ===
I(<0.466.0>:ejabberd_c2s:253) : FQDN: "jabber.mydomain.com"

=INFO REPORT==== 2009-05-12 19:55:30 ===
D(<0.476.0>:ejabberd_c2s:1352) : Send XML on stream = "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>GSSAPI</mechanism><mechanism>PLAIN</mechanism>
</mechanisms><register xmlns='http://jabber.org/features/iq-register'/></stream:features>"

Client Gajim password required

Russian Guide http://my.opera.com/Zl0/blog/2009/06/09/jabber-gssapi-ldap

GSSAPI support in EJABBERD

Hello,

Do you have any updates about GSSAPI support build-in ejabberd? This is the only blocker for my company to move away from openfire.

Thank you.

bad_match

Hello,

thank you for the patch and this guide. They're both great! I've successfully patched ejabberd 2.1.0 and run it under Ubuntu Linux. However, I've now been trying to authenticate with Pidgin to ejabberd for several days and could not handle it. And I'm clueless.

When using myhost.mydomain as domain in Pidgin (which should be incorrect), I receive a ticket for usage of ejabberd but ejabberd returns an error:

{{badmatch,{error,{gsasl_error,43}}},
  [{cyrsasl_gssapi,mech_new,1},
  {cyrsasl,server_start,3},
  {ejabberd_c2s,wait_for_feature_request,2},
  {gen_fsm,handle_msg,7},
  {proc_lib,init_p_do_apply,3}]}

Unfortunately, I don't understand what is meant by this error message. Could you please help me?

Oliver Smith

I don't know what's the

I don't know what the problem is. The only thing I can do is to look at the code. The error indicates that this call:

esasl:server_start(?SERVER, "GSSAPI", "xmpp", FQDN),

returns

{error,{gsasl_error,43}}

but it should return something like

{ok, Sasl}

Looking in the esasl code, this error 43 is generated by this C code:

    if (ei_get_type(buf, &index, &type, &len)) return 43;

That Erlang function is documented here: http://www.erlang.org/doc/man/ei.html#ei_get_type

The error code 43

I came across the same problem, and it was solved by changing the actual server hostname to match the xmpp/$FQDN in the keytab.

The error code 43 was returned by call to gsasl_server_start() in esasl code, meaning GSASL_GSSAPI_ACQUIRE_CRED_ERROR (see http://original.jamesthornton.com/gnu/gsasl/Error-values.html and /usr/include/gsasl.h).

Hi! Could you please tell me

Hi!

Just for history: this error primarily means that something is wrong in the full principal name, e.g. XMPP/im.domain.org@DOMAIN.ORG. In my case it was the service name (LOL, I even dug into the C code until I found how it works).

Good luck!

GSSAPI error

Hi all,

thank you for your help, badlop. I've tried to use the patch with eJabberd 1.1.2 and run into another error. This time, eJabberd should have almost done it. The error says:

Error: GSSAPI error in server while negotiating security context in gss_init_sec_context() in SASL library.  This is most likely due insufficient credentials or malicious interactions.
<0.221.0>: Result <0.282.0>: {error,{gsasl,40}}

Has someone experienced this error before using eJabberd and GSSAPI?

Thanks for your help.

Oliver Smith

Hey

I've got exactly the same error after many hours spent integrating GSSAPI patches into the 2.1.9 .deb. I think that the var KRB5_KTNAME is not properly read from the environment so I'm currently debugging this issue. If someone can help to understand it such help would be highly appreciated.

I was able to get rid of this

I was able to get rid of this error after checking my host/domain names. If someone runs into this error please pay attention to the contents of /etc/resolv.conf, hostname and hosts file. They should NOT contain any error.
Hope it helps.
