Mac OS X Server v10.6: Configuring iChat Server user attributes when used in a disjointed namespace

For Kerberos authentication to work with iChat Server in a disjoint Kerberos namespace, two LDAP attributes must be added or modified for each user who authenticates with Kerberos from another realm.

This article has been archived and is no longer updated by Apple.

To allow a user to authenticate via Kerberos to the iChat server in a disjointed namespace, use Workgroup Manager's Inspector in Open Directory (or ADSI Edit in Active Directory) to add the following attributes:

  • Add an LDAP "AltSecurityIdentities" attribute for "testuser" with the value "Kerberos:testuser@EXAMPLE.COM".
  • Add an LDAP "IMHandle" attribute for "testuser" with the value "JABBER:testuser@ichat.example.com".

These steps are necessary to properly authorize the user via Kerberos, because iChat Server is only handed an XMPP service principal and no other identifying information.
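
An added example, not Apple's code: a Python check over exported user records that confirms each user carries both attributes in the form shown above, that the Kerberos principal is in the expected realm, and that no principal is mapped to more than one account. The record layout, the function name `audit_records` and the sample data are assumptions constructed for illustration.

```python
# Added example: audit directory records for the two attributes the article
# describes. Record layout and function names are assumptions.
from collections import defaultdict

def audit_records(records, realm, jabber_domain):
    """Return a sorted list of (user, problem) tuples."""
    problems = []
    owners = defaultdict(set)  # Kerberos principal -> users that claim it
    for user, attrs in records.items():
        princs = [v[len("Kerberos:"):] for v in attrs.get("AltSecurityIdentities", [])
                  if v.startswith("Kerberos:")]
        if not princs:
            problems.append((user, "no Kerberos: value in AltSecurityIdentities"))
        for p in princs:
            owners[p].add(user)
            name, _, prealm = p.partition("@")
            # Kerberos realm names are case-sensitive, so compare exactly.
            if not name or prealm != realm:
                problems.append((user, f"principal {p} is not in realm {realm}"))
        jids = [v[len("JABBER:"):] for v in attrs.get("IMHandle", [])
                if v.startswith("JABBER:")]
        if not jids:
            problems.append((user, "no JABBER: value in IMHandle"))
        for j in jids:
            if j.partition("@")[2] != jabber_domain:
                problems.append((user, f"JID {j} is not on {jabber_domain}"))
    # One principal claimed by several accounts makes the mapping ambiguous.
    for p, users in owners.items():
        if len(users) > 1:
            for u in users:
                problems.append((u, f"principal {p} is mapped to several users"))
    return sorted(problems)

# Constructed sample records (not from a real directory).
SAMPLE = {
    "testuser": {"AltSecurityIdentities": ["Kerberos:testuser@EXAMPLE.COM"],
                 "IMHandle": ["JABBER:testuser@ichat.example.com"]},
    "alice": {"AltSecurityIdentities": ["Kerberos:alice@example.com"],
              "IMHandle": ["JABBER:alice@ichat.example.com"]},
    "bob": {"AltSecurityIdentities": ["Kerberos:testuser@EXAMPLE.COM"]},
}

if __name__ == "__main__":
    for user, problem in audit_records(SAMPLE, "EXAMPLE.COM", "ichat.example.com"):
        print(f"{user}: {problem}")
```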
