Change By: Milan Divilek (12/Sep/13 4:57 PM)
Description: http://documentation.magnolia-cms.com/display/DOCS45/NTLM+Connector+module needs to be improved.

The NTLM module which is compatible with 4.5 and 5 is version 1.1.
http://documentation.magnolia-cms.com/display/DOCS/NTLM+Connector+module can be the same as for 4.5; there are no differences in setup.

Changes in "To configure the module:" section.

1. Stop the application server(s) where you are deploying the module.
2. Copy the provided {{magnolia-module-ntlm}} JAR file into the {{WEB-INF/lib}} directory inside your webapp. The location of this directory depends on the application server.

    - Tomcat: /webapps/magnoliaAuthor/WEB-INF/lib
    - JBoss: /server/default/deploy/magnoliaPublic/WEB-INF/lib

3. Copy the provided {{jaas.policy}} file into the magnoliaAuthor and magnoliaPublic directories.
4. Enable SSO authentication via Tomcat:
   - Copy the provided {{context.xml}} into the {{magnoliaAuthor/META-INF}} and {{magnoliaPublic/META-INF}} directories.
   - Copy all JARs in the bundle to CATALINA_HOME/lib, with the exception of the {{magnolia-module-ntlm}} JAR, and only the appropriate {{waffle-tomcat*}} JAR.
    Note: If you use Tomcat 6 then you need to use the {{waffle-tomcat6}} JAR; if Tomcat 7, then the {{waffle-tomcat7}} JAR. If you use a different AS, please find the appropriate JAR at https://oss.sonatype.org/content/repositories/releases/com/github/dblock/waffle/
   - Copy all slf4j and its commons-logging wrapper JARs to CATALINA_HOME/lib.
    Note: These JARs ({{slf4j-log4j12}}, {{slf4j-api}} and {{jcl-over-slf4j}}) will be located in the Tomcat installation directory in Magnolia Enterprise Edition in magnoliaAuthor/WEB-INF and magnoliaPublic/WEB-INF.

5. Set ssoSlave = true in your ad.properties file.
Note: ad.properties is contained within the LDAP connector bundle and is typically in the directory WEB-INF/config/ldap.

6. Append the following to jaas.config in magnoliaAuthor/WEB-INF/config and magnoliaPublic/WEB-INF/config:

{code}
Jaas {
   waffle.jaas.WindowsLoginModule sufficient;
};
{code}

7. There are two ways to avoid the behavior where a logged-in user can change his identity to another user without knowing the password:
   - Disable the {{Config:/server/filters/login/form}} (info.magnolia.cms.security.auth.login.FormLogin) handler
   - Split {{info.magnolia.jaas.sp.jcr.JCRAuthenticationModule}} and {{info.magnolia.jaas.sp.ldap.ADAuthenticationModule}} into different jaas login chains
      Example: Add {{jaasChain}} property to {{Config:/server/filters/login/ntlm/}} with value {{magnolia-ntlm}}. Then change your jaas.config to:

      {code}
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

Jaas {
  waffle.jaas.WindowsLoginModule sufficient;
};
{code}


Changes in ["How it works"|http://documentation.magnolia-cms.com/display/DOCS45/NTLM+Connector+module#NTLMConnectormodule-Howitworks] section.

bq. Client callbacks are added for URI and content security filters. ...

This is not true anymore; instead, the NTLM client callback is added into securityCallback: Configuration:/server/filters/securityCallback/clientCallbacks/ntlm
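A check for the split-chain layout from step 7 and the {{Jaas}} entry from step 6, run against the text of a jaas.config. This is an added example, not part of the original ticket or of Magnolia's code: the parser is a simplified one, the {{MIXED}} sample and its control flags are constructed, and the {{jaasChain}} property under {{Config:/server/filters/login/ntlm/}} is not inspected, only the file contents.

```python
import re

JCR_AUTH = "info.magnolia.jaas.sp.jcr.JCRAuthenticationModule"
AD_AUTH = "info.magnolia.jaas.sp.ldap.ADAuthenticationModule"
WAFFLE = "waffle.jaas.WindowsLoginModule"
# Split configuration as given in step 7.
SPLIT = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
Jaas { waffle.jaas.WindowsLoginModule sufficient; };
"""
# Constructed "before" sample (control flags are assumed): both modules in one chain.
MIXED = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule optional;
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule optional realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
Jaas { waffle.jaas.WindowsLoginModule sufficient; };
"""

def parse_jaas(text):
    """Return {chain: [module class, ...]}; simplified, no quoted ';' or '}'."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(?m)^[ \t]*//.*$", "", text)        # full-line comments
    chains = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        chains[name] = [e.split()[0] for e in body.split(";") if e.strip()]
    return chains

def audit(text, ntlm_chain="magnolia-ntlm"):
    chains, findings = parse_jaas(text), []
    for name, classes in chains.items():
        if JCR_AUTH in classes and AD_AUTH in classes:
            findings.append(f"{name}: JCR and AD authentication share one chain")
    if AD_AUTH not in chains.get(ntlm_chain, []):
        findings.append(f"{ntlm_chain}: chain missing or lacks ADAuthenticationModule")
    if WAFFLE not in chains.get("Jaas", []):
        findings.append("Jaas: waffle.jaas.WindowsLoginModule entry missing")
    return findings

if __name__ == "__main__":
    print({"split": audit(SPLIT), "mixed": audit(MIXED)})
```

Run it against both magnoliaAuthor/WEB-INF/config/jaas.config and magnoliaPublic/WEB-INF/config/jaas.config; an empty list means the file matches the layout above.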