SASL: Disable GSSAPI

Hi,

I'm having problems with authentication: ejabberd (2.1.4 RPM/Centos5) is announcing gssapi and plain for sasl authentication. GSSAPI/Kerberos is not configured on the server. (Smack fails if the first mechanism doesn't work :/ ) Can I change the configuration so that ejabberd doesn't advertise GSSAPI?

Thanks,

Andreas.

vasq10 wrote:

I'm having problems with authentication: ejabberd (2.1.4 RPM/Centos5) is announcing gssapi and plain for sasl authentication.

ejabberd 2.1.4 does not support GSSAPI. Maybe you are using a custom version that includes that feature.

vasq10 wrote:

GSSAPI/Kerberos is not configured on the server.

But did you enable it in the past? Enable in ejabberd.cfg the options override_*

vasq10 wrote:

(Smack fails if the first mechanism doesn't work :/ )

Oh.

vasq10 wrote:

Can I change the configuration so that ejabberd doesn't advertise GSSAPI?

Try to delete or rename the file cyrsasl_gssapi.beam

GSSAPI beam and override

badlop wrote:

ejabberd 2.1.4 does not support GSSAPI. Maybe you are using a custom version that includes that feature.

Yes, probably a patched version. There is a cyrsasl_gssapi.beam, I did rename it but then ejabberd wouldn't start.

vasq10 wrote:

GSSAPI/Kerberos is not configured on the server.

badlop wrote:

But did you enable it in the past? Enable in ejabberd.cfg the options override_*

No, I didn't enable it. It's not clear to me, what to override and how to do it.

Re:

vasq10 wrote:

GSSAPI/Kerberos is not configured on the server.

No, I didn't enable it. It's not clear to me, what to override and how to do it.

Oh, then override_* will not help you on this problem.

Offtopic: you can check in the ejabberd Guide what are the override_* options.

vasq10 wrote:

Can I change the configuration so that ejabberd doesn't advertise GSSAPI?

With your explanations and what I find in the source code, when GSSAPI support is included in ejabberd, there's no way to stop advertising it to clients! Even if you remove cyrsasl_gssapi.beam and remove any configuration about gssapi, it is still attempted to load, and advertised.

The only solution is to modify the source code, and recompile. If you installed ejabberd from a binary package, you will have to do this:
1. Install the erlang compiler (a program called erlc) of the same erlang version you use to run ejabberd (R12, R13, or whatever)
2. Download ejabberd source code
3. In the file src/cyrsasl.erl delete one line:

--- a/src/cyrsasl.erl
+++ b/src/cyrsasl.erl
@@ -51,7 +51,6 @@ start() ->
     ets:new(sasl_mechanism, [named_table,
                             public,
                             {keypos, #sasl_mechanism.mechanism}]),
-    cyrsasl_gssapi:start([]),
     cyrsasl_plain:start([]),
     cyrsasl_digest:start([]),
     cyrsasl_anonymous:start([]),
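
Review bot: the `cyrsasl_gssapi:start([])` call in start() is deleted outright rather than guarded, so a build carrying this change cannot offer GSSAPI even on a host where Kerberos is configured later. Consider wrapping the call in a check on whether GSSAPI is configured instead of deleting it, and leave a comment at that spot saying why the mechanism is not started. The `cyrsasl_plain`, `cyrsasl_digest` and `cyrsasl_anonymous` calls below it are still made unconditionally, so only the GSSAPI offer is affected.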

4. Recompile that file: erlc cyrsasl.erl
5. Copy cyrsasl.beam to your ejabberd installed dir, to overwrite the old file
6. Restart ejabberd. Now GSSAPI isn't announced to clients.

In ejabberd master, and in my updated gssapi-2.1.x branch, GSSAPI support is disabled when not configured.
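
To confirm the result of step 6 from the client side, the following added example (not part of the original thread or of ejabberd) lists the SASL mechanisms in a server's opening stream features. The sample replies are constructed, and `fetch_chunks`, `sample_reply` and `example.org` are names assumed for illustration.

```python
import socket
from xml.etree.ElementTree import XMLPullParser

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAMS_NS = "http://etherx.jabber.org/streams"

def advertised_mechanisms(chunks):
    """Return the SASL mechanism names offered at the start of an XMPP stream.

    <stream:stream> stays open for the whole session, so a whole-document
    parse would fail; a pull parser can stop as soon as </mechanisms> arrives.
    """
    parser = XMLPullParser(events=("end",))
    for chunk in chunks:
        parser.feed(chunk)
        for _event, elem in parser.read_events():
            if elem.tag == "{%s}mechanisms" % SASL_NS:
                return [m.text.strip() for m in elem if m.text]
            if elem.tag == "{%s}features" % STREAMS_NS:
                return []  # features ended without any SASL offer
    return []

def fetch_chunks(host, domain, port=5222, timeout=5):
    """Yield the reply of a server you administer to a client stream header."""
    hello = ("<stream:stream to='%s' xmlns='jabber:client' "
             "xmlns:stream='%s' version='1.0'>" % (domain, STREAMS_NS))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello.encode())
        while True:
            data = sock.recv(4096)
            if not data:
                return
            yield data

def sample_reply(*mechs):
    """Constructed server reply, split mid-tag the way TCP may deliver it."""
    body = "".join("<mechanism>%s</mechanism>" % m for m in mechs)
    raw = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
           "xmlns:stream='%s' id='constructed' from='example.org' version='1.0'>"
           "<stream:features><mechanisms xmlns='%s'>%s</mechanisms>"
           "</stream:features>" % (STREAMS_NS, SASL_NS, body)).encode()
    cut = raw.index(b"</mechanism>") + 5
    return [raw[:cut], raw[cut:]]

if __name__ == "__main__":
    for label, reply in (("before", sample_reply("GSSAPI", "PLAIN")),
                         ("after", sample_reply("PLAIN"))):
        mechs = advertised_mechanisms(reply)
        print(label, mechs, "GSSAPI offered" if "GSSAPI" in mechs else "ok")
```

For a live check, pass `fetch_chunks(host, domain)` to `advertised_mechanisms`; an empty list means the server offered no SASL mechanisms at that point, for example because it requires STARTTLS first.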
