Pidgin XMPP and Kerberos

Etan Reisner deryni at pidgin.im
Thu Feb 21 21:51:33 EST 2008


On Thu, Feb 21, 2008 at 05:55:23PM -0500, clockwork at sigsys.org wrote:
> Can't say what the expected behavior is regarding the user IDs, but that
> isn't the problem I'm running into. :-)
>
> The trick is AFAIK there is no such thing as a generic ticket in Kerberos;
> the tickets are always tied to hosts (i.e. I don't think you can have a ticket
> for xmpp/foo.com). So IMHO the connect server should override the Domain in
> this respect.

The thing is, the domain portion of the JID is a host, and is what pidgin
uses to look up what IP/machine to connect to by default.

If, for whatever reason, that domain name does *not* resolve (via DNS) to
the correct host then DNS SRV records should be set up for pidgin to use
to resolve the correct host.

If the domain is not the correct host *and* DNS SRV records are not
available for the domain then pidgin allows you to manually specify a
connect server to override the DNS lookup on domain.

I am still not at all capable of really asserting what the 'correct'
behaviour here is with respect to the connect server/DNS resolution, but I
*think* using the given domain is in fact correct and that the recently
created XEP-0233 is designed to answer exactly this situation.

I will attempt to bring this up in one of the XMPP chat rooms when I am
next able to spend some time discussing it with the people who might know
better.

    -Etan
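
The lookup order described in this message, together with the two candidate Kerberos service names the thread is debating, as an added example that is not part of the original post and is not Pidgin's code. The function names, hostnames and SRV records are constructed, the SRV choice is simplified to lowest priority then highest weight, and the `xmpp/<host>` form follows the quoted message.

```python
from typing import NamedTuple, Optional, Sequence

DEFAULT_PORT = 5222  # standard XMPP client-to-server port


class Srv(NamedTuple):   # one _xmpp-client._tcp.<domain> SRV answer
    priority: int
    weight: int
    port: int
    target: str


class Plan(NamedTuple):
    host: str            # machine the TCP connection goes to
    port: int
    source: str          # rule that picked the host
    domain_service: str  # service name keyed on the JID domain
    host_service: str    # service name keyed on the connected host


def plan_connection(jid: str, srv: Sequence[Srv] = (),
                    connect_server: Optional[str] = None) -> Plan:
    # A JID is node@domain/resource; strip the resource first because it
    # may itself contain '@' or '/'.
    domain = jid.split("/", 1)[0].rsplit("@", 1)[-1].lower()
    if not domain:
        raise ValueError("JID has no domain part")
    # An SRV target of "." means the service is not offered there.
    usable = [r for r in srv if r.target != "."]
    if connect_server:                       # manual override wins
        host, port, source = connect_server.lower(), DEFAULT_PORT, "connect-server"
    elif usable:                             # then DNS SRV
        best = min(usable, key=lambda r: (r.priority, -r.weight))
        host, port, source = best.target.rstrip(".").lower(), best.port, "srv"
    else:                                    # default: the JID domain itself
        host, port, source = domain, DEFAULT_PORT, "domain"
    return Plan(host, port, source, f"xmpp/{domain}", f"xmpp/{host}")


def principal_mismatch(plan: Plan) -> bool:
    """True when the two candidate service names differ, i.e. the case
    where the choice of name decides which ticket gets requested."""
    return plan.domain_service != plan.host_service


# Constructed sample data.
SAMPLE_SRV = [Srv(10, 5, 5222, "im2.example.com."),
              Srv(5, 0, 5223, "im1.example.com.")]
```
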


