Mac OS X Server v10.6: Configuring iChat Server user attributes when used in a disjointed namespace

For Kerberos authentication to work for iChat Server in a disjointed Kerberos namespace, two LDAP attributes need to be added or modified for each user who authenticates with Kerberos from another realm.

This article has been archived and is no longer updated by Apple.

To allow a user to authenticate via Kerberos to the iChat server in a disjointed namespace, use Workgroup Manager's Inspector in Open Directory (or ADSI Edit in Active Directory) to add the following attributes:

  • Add an LDAP "AltSecurityIdentities" attribute for "testuser" with the value "Kerberos:testuser@EXAMPLE.COM".  
  • Add an LDAP "IMHandle" attribute for "testuser" with the value "".

These steps are necessary to properly authorize the user via Kerberos, because iChat Server is only handed an XMPP service principal and no other identifying information.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.