ejabberd - Comments for "SASL: Disable GSSAPI"

Re:

mfoss — Tue, 26 Apr 2011 10:36:48 +0000

vasq10 wrote:

GSSAPI/Kerberos is not configured on the server.

No, I didn't enable it. It's not clear to me, what to override and how to do it.

Oh, then override_* will not help you on this problem.

Offtopic: you can check in the ejabberd Guide what are the override_* options.

vasq10 wrote:Can I change

mfoss — Tue, 26 Apr 2011 10:34:00 +0000

vasq10 wrote:

Can I change the configuration so that ejabberd doesn't advertise GSSAPI?

With your explanations and what I find in the source code, when GSSAPI support is included into ejabberd, there's no way to stop adverticing it to clients! Even if you remove cyrsasl_gssapi.beam and remove any configuration about gssapi, it is still attempted to load, and adverticed.

The only solution is to modify the source code, and recompile. If you installed ejabberd from a binary package, you will have to do this:
1. Install the erlang compiler (a program called erlc) of the same erlang version you use to run ejabberd (R12, R13, or whatever)
2. Download ejabberd source code
3. In the file src/cyrsasl.erl delete one line:

--- a/src/cyrsasl.erl
+++ b/src/cyrsasl.erl
@@ -51,7 +51,6 @@ start() ->
     ets:new(sasl_mechanism, [named_table,
                             public,
                             {keypos, #sasl_mechanism.mechanism}]),
-    cyrsasl_gssapi:start([]),
     cyrsasl_plain:start([]),
     cyrsasl_digest:start([]),
     cyrsasl_anonymous:start([]),

4. Recompile that file: erlc cyrsasl.erl
5. Copy cyrsasl.beam to your ejabberd installed dir, to overwrite the old file
6. Restart ejabberd. Now GSSAPI isn't announced to clients.

In ejabberd master, and in my updated gssapi-2.1.x branch, GSSAPI support is disabled when not configured.

GSSAPI beam and override

vasq10 — Tue, 26 Apr 2011 06:46:59 +0000

badlop wrote:

ejabberd 2.1.4 does not support GSSAPI. Maybe you are using a custom version that includes that feature.

Yes, probably a patched version. There is a cyrsasl_gssapi.beam, I did rename it but then ejabberd wouldn't start.

vasq10 wrote:

GSSAPI/Kerberos is not configured on the server.

badlop wrote:

But did you enable it in the past? Enable in ejabberd.cfg the options override_*

No, I didn't enable it. It's not clear to me, what to override and how to do it.

vasq10 wrote: I'm having

mfoss — Fri, 22 Apr 2011 19:09:34 +0000

vasq10 wrote:

I'm having problems with authentication: ejabberd (2.1.4 RPM/Centos5) is announcing gssapi and plain for sasl authentication.

ejabberd 2.1.4 does not support GSSAPI. Maybe you are using a custom version that includes that feature.

vasq10 wrote:

GSSAPI/Kerberos is not configured on the server.

But did you enable it in the past? Enable in ejabberd.cfg the options override_*

vasq10 wrote:

(Smack fails if the first mechanism doesn't work :/ )

Oh.

vasq10 wrote:

Can I change the configuration so that ejabberd doesn't advertise GSSAPI?

Try to delete or rename the file cyrsasl_gssapi.beam