[DOCU-469] Changes in ntlm 4.5 and 5 documentation Created: 12/Sep/13  Updated: 07/Oct/14  Resolved: 07/Oct/14

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Milan Divilek Assignee: Antti Hietala
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLNTLM-5 Migration of NTLM module to 4.5.x and... Closed

Description

http://documentation.magnolia-cms.com/display/DOCS45/NTLM+Connector+module needs to be improved.

The NTLM module which is compatible with 4.5 and 5 is version 1.1. http://documentation.magnolia-cms.com/display/DOCS/NTLM+Connector+module can be the same as for 4.5; there are no differences in setup.

Because of a conflict with the guava library (Waffle needs guava 13.0.1, and it's incompatible with guava 10.0.1, which is used by Magnolia), it's possible to use the NTLM module only when SSO authentication via Tomcat is enabled. This limitation should be fixed with Magnolia 5.2, see MAGNOLIA-4847.

Changes in "To configure the module:" section.

1. Stop the application server(s) where you are deploying the module.
2. Copy the provided magnolia-module-ntlm JAR file into the WEB-INF/lib directory inside your webapp. The location of this directory depends on the application server.

  • Tomcat: /webapps/magnoliaAuthor/WEB-INF/lib
  • JBoss: /server/default/deploy/magnoliaPublic/WEB-INF/lib

3. Copy the provided jaas.policy file into the magnoliaAuthor and magnoliaPublic directories.
4. Enable SSO authentication via Tomcat:

  • Copy the provided context.xml into the magnoliaAuthor/META-INF and magnoliaPublic/META-INF directories.
  • Copy all JARs in the bundle, except the magnolia-module-ntlm JAR, and only the appropriate waffle-tomcat* JAR, to CATALINA_HOME/lib.
    Note: If you use Tomcat 6 then you need to use the waffle-tomcat6 JAR, if Tomcat 7 then the waffle-tomcat7 JAR. If you use a different AS please find the appropriate JAR at https://oss.sonatype.org/content/repositories/releases/com/github/dblock/waffle/
  • Copy all slf4j and its commons-logging wrapper JARs to CATALINA_HOME/lib.
    Note: These JARs (slf4j-log4j12, slf4j-api and jcl-over-slf4j) will be located in the Tomcat installation directory in Magnolia Enterprise Edition in magnoliaAuthor/WEB-INF and magnoliaPublic/WEB-INF.

5. Set ssoSlave = true in your ad.properties file.
Note: ad.properties is contained within the LDAP connector bundle and is typically in the directory WEB-INF/config/ldap.

6. Append the following to jaas.config in magnoliaAuthor/WEB-INF/config and magnoliaPublic/WEB-INF/config:

Jaas {
   waffle.jaas.WindowsLoginModule sufficient;
};

7. Two ways to avoid the behavior where a logged-in user can change his identity to another user without knowing the password:

  • Disable the Config:/server/filters/login/form (info.magnolia.cms.security.auth.login.FormLogin) handler
  • Split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModule into different jaas login chains
    Example: Add a jaasChain property to Config:/server/filters/login/ntlm/ with value magnolia-ntlm. Then change your jaas.config to:
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

Jaas {
  waffle.jaas.WindowsLoginModule sufficient;
};

Changes in "How it works" section.

Client callbacks are added for URI and content security filters. ...

This is not true anymore; instead, the NTLM client callback is added into securityCallback at Configuration:/server/filters/securityCallback/clientCallbacks/ntlm
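As an added example (not part of this issue, nor code from the Magnolia or Waffle projects), a small Python check that parses a jaas.config laid out as step 7 proposes and flags any login chain that still lists both the JCR and the AD authentication modules, the configuration step 7 says to avoid. Both sample configurations below are constructed for the check.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the split layout proposed in step 7 of the issue
SAMPLE_SPLIT = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule required;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

magnolia-ntlm {
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule required realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};

Jaas {
  waffle.jaas.WindowsLoginModule sufficient;
};
"""

# Constructed sample: JCR and AD authentication modules in one chain
SAMPLE_MIXED = """
magnolia {
  info.magnolia.jaas.sp.jcr.JCRAuthenticationModule sufficient;
  info.magnolia.jaas.sp.ldap.ADAuthenticationModule sufficient realm=external;
  info.magnolia.jaas.sp.jcr.JCRAuthorizationModule required;
};
"""

JCR_AUTH = "info.magnolia.jaas.sp.jcr.JCRAuthenticationModule"
AD_AUTH = "info.magnolia.jaas.sp.ldap.ADAuthenticationModule"

# JAAS login configuration syntax: Name { ModuleClass Flag [key=value ...]; ... };
CHAIN_RE = re.compile(r"([\w.\-]+)\s*\{(.*?)\}\s*;", re.S)
ENTRY_RE = re.compile(r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b([^;]*);", re.I)

def parse_jaas_config(text: str) -> Dict[str, List[Tuple[str, str, Dict[str, str]]]]:
    """Return {chain_name: [(module_class, control_flag, options), ...]}."""
    chains = {}
    for name, body in CHAIN_RE.findall(text):
        entries = []
        for module, flag, opts in ENTRY_RE.findall(body):
            options = dict(kv.split("=", 1) for kv in opts.split() if "=" in kv)
            entries.append((module, flag.lower(), options))
        chains[name] = entries
    return chains

def check_chains(text: str) -> List[str]:
    """Report every chain that mixes the JCR and AD authentication modules."""
    findings = []
    for name, entries in parse_jaas_config(text).items():
        modules = {module for module, _, _ in entries}
        if JCR_AUTH in modules and AD_AUTH in modules:
            findings.append(f"{name}: JCR and AD authentication modules share one chain")
    return findings
```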

Comments
Comment by Roman Kovařík [ 22/Oct/13 ]

Security

To avoid logged in users bypassing password requirement and changing identity:

  1. Disable Config:/server/filters/login/form (info.magnolia.cms.security.auth.login.FormLogin) handler
  2. Split info.magnolia.jaas.sp.jcr.JCRAuthenticationModule and info.magnolia.jaas.sp.ldap.ADAuthenticationModule into separate jaas login chains
  3. For example, add jaasChain property to Config:/server/filters/login/ntlm/ with value magnolia-ntlm. Then change your jaas.config to:

There's an extra '3' which could be misleading. Otherwise seems OK.

Comment by Ruth Stocks [ 07/Oct/14 ]

Documented at:

Generated at Mon Feb 12 01:09:23 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.