From version < 3.1 >
edited by gru
on 25.03.2019, 12:03
To version < 6.1 >
edited by MKO
on 27.11.2020, 19:52
Change comment: There is no comment for this version


Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.gru
1 +XWiki.mko
Content
... ... @@ -1,22 +3,20 @@
1 -Da Kerberos und NTLM jetzt im Einmalanmeldemenü zusammen sind, muss diese Seite in deutsch und englisch neu erstellt werden. Der Inhalt der beiden alten Seiten befindet sich erstmal noch hier:
2 -
3 3  {{content/}}
4 4  
5 -{{figure image="FCSnapshot27.png"}}
6 -User interface for setting up LDAP authentication via NTLM
3 +{{figure image="single_sign_on_ntlm_en.png" width="600"}}
4 +User interface for setting up {{smallcaps}}Ldap{{/smallcaps}} authentication via {{smallcaps}}Ntlm{{/smallcaps}}. Available only if the license allows it.
7 7  {{/figure}}
8 8  
9 -NTLM (NT LAN Manager) can be used to authenticate users of a form.
7 +{{smallcaps}}Ntlm{{/smallcaps}} (NT LAN Manager) can be used to authenticate users of a form.
10 10  
11 -A common use case are forms used internally by some company, and that may be accessed only by the employees of that company. The user data of the active directory can be accessed via NTLM.
9 +A common use case are forms used internally by some company, and that may be accessed only by the employees of that company. The user data of the active directory can be accessed via {{smallcaps}}Ntlm{{/smallcaps}}.
12 12  
13 13  {{info}}
14 -NTLM may not be available depending on your license.
12 +{{smallcaps}}Ntlm{{/smallcaps}} may not be available depending on your license.
15 15  {{/info}}
16 16  
17 17  == Using NTLM ==
18 18  
19 -Activate this option to use NTLM.
17 +Activate this option to use {{smallcaps}}Ntlm{{/smallcaps}}.
20 20  
21 21  === Synchronize with {{fserver/}} ===
22 22  
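Review bot: the caption's new sentence "Available only if the license allows it." duplicates the info box a few lines below ("Ntlm may not be available depending on your license."); keep one of the two. In the same hunk, "A common use case are forms" should read "A common use case is forms" (or "Common use cases are forms"), and "active directory" should be written as the product name "Active Directory", which this hunk now inconsistently mixes with the smallcaps treatment given to Ntlm and Ldap.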
... ... @@ -24,23 +24,23 @@
24 24  
25 25  === Domain controller host ===
26 26  
27 -The host (FQN) of the active directory controller used for authenticating users via NTLM and transmitting their data over LDAP.
25 +The host (FQN) of the active directory controller used for authenticating users via {{smallcaps}}Ntlm{{/smallcaps}} and transmitting their data over {{smallcaps}}Ldap{{/smallcaps}}.
28 28  
29 -{{code}}
27 +{{code language="none"}}
30 30  Example: domain.example.com
31 31  {{/code}}
32 32  
33 -Connection to the LDAP server for the LDAP search account has been established successfully
31 +Connection to the {{smallcaps}}Ldap{{/smallcaps}} server for the {{smallcaps}}Ldap{{/smallcaps}} search account has been established successfully
34 34  
35 35  == NTLM authentication ==
36 36  
37 -The following settings are required for enabling users to authenticate via NTLM.
35 +The following settings are required for enabling users to authenticate via {{smallcaps}}Ntlm{{/smallcaps}}.
38 38  
39 39  === Host name of the domain controller host ===
40 40  
41 41  The host name of the active directory controller.
42 42  
43 -{{code}}
41 +{{code language="none"}}
44 44  Example: domain
45 45  {{/code}}
46 46  
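Review bot: the line "Connection to the Ldap server for the Ldap search account has been established successfully" sits between the host example and the "NTLM authentication" heading with no sentence saying what it is; it reads like a UI status message pasted into the page. Either introduce it ("If the settings are correct, the connection test reports: ...") or drop it. "FQN" is only expanded later on this page ("FQN (fully qualified name)"); expand it on first use here, and "Host name of the domain controller host" repeats "host", so "Host name of the domain controller" would do.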
... ... @@ -48,7 +48,7 @@
48 48  
49 49  Different forms of the domain name can be used depending on the active directory.
50 50  
51 -{{code}}
49 +{{code language="none"}}
52 52  Example: example.de oder example0
53 53  {{/code}}
54 54  
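Review bot: "oder" in the example is German and survived the translation; the line should read "Example: example.de or example0".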
... ... @@ -68,7 +68,7 @@
68 68  A computer account is recognizable by the '$' character in the domain name. e.g. example$@domain.de
69 69  {{/info}}
70 70  
71 -[[Help pages of //ca technologies// on creating a computer account for NTLM authentication on active directory server.>>url:https://wiki.ca.com/display/GATEWAY83/Creating+a+Computer+Account+for+NTLM+Authentication||rel="__blank" title="Creating a Computer Account for NTLM Authentication"]]
69 +Help pages of ca technologies on [[creating a computer account for NTLM authentication on active directory server.>>https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-3/policy-assertions/assertion-palette/access-control-assertions/require-ntlm-authentication-credentials-assertion/creating-a-computer-account-for-ntlm-authentication.html||rel="__blank" title="Creating a Computer Account for NTLM Authentication"]]
72 72  
73 73  === computer account password ===
74 74  
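Review bot: `rel="__blank"` is not a valid link rel value; the new-window behaviour intended here is `target="_blank"`, which the new Kerberos info box further down this same change already uses. The trailing period has also moved inside the link text; place it after the closing `]]`.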
... ... @@ -76,15 +76,15 @@
76 76  
77 77  == LDAP user lookup ==
78 78  
79 -The following settings concern the user lookup after a successful NTLM authenication.
77 +The following settings concern the user lookup after a successful {{smallcaps}}Ntlm{{/smallcaps}} authenication.
80 80  
81 81  === Port ===
82 82  
83 -The port for connecting to the LDAP server for the user lookup.
81 +The port for connecting to the {{smallcaps}}Ldap{{/smallcaps}} server for the user lookup.
84 84  
85 85  === SSL encryption ===
86 86  
87 -Enables SSL encryption when communicating the the LDAP server.
85 +Enables SSL encryption when communicating the the {{smallcaps}}Ldap{{/smallcaps}} server.
88 88  
89 89  === Hop count ===
90 90  
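Review bot: two typos are carried over unchanged in this hunk: "authenication" should be "authentication", and "communicating the the Ldap server" should be "communicating with the Ldap server". Since the option is labelled "SSL encryption", the text should also say what it enables in practice (an LDAPS connection on the port configured above, or STARTTLS on a plain port), as the two are set up differently on the directory side.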
... ... @@ -94,7 +94,7 @@
94 94  
95 95  Account to be used for looking up users. It must have been granted permission to perform user lookup.
96 96  
97 -{{code}}
95 +{{code language="none"}}
98 98  Example: ldap@example.de
99 99  {{/code}}
100 100  
... ... @@ -104,9 +104,9 @@
104 104  
105 105  === Base DN für user lookup ===
106 106  
107 -LDAP base DN used for looking up authenticated users.
105 +{{smallcaps}}Ldap{{/smallcaps}} base DN used for looking up authenticated users.
108 108  
109 -{{code}}
107 +{{code language="none"}}
110 110  Example: ou="users", dc="example", dc="de"
111 111  {{/code}}
112 112  
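Review bot: the heading still reads "Base DN für user lookup"; "für" is German and should be "for". The example DN `ou="users", dc="example", dc="de"` quotes every attribute value; in the LDAP string representation of a DN (RFC 4514) values are not quoted and the double quotes would become part of the value, so unless the product's field really expects quoted values the example should be `ou=users,dc=example,dc=de`. The same applies to the later example `ou="intern", dc="example", dc="com"` in the Kerberos section.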
... ... @@ -114,7 +114,7 @@
114 114  
115 115  == Settings for Kerberos authentication ==
116 116  
117 -{{figure image="kerberos"}}
115 +{{figure image="single_sign_on_kerberos_en.png" width="600"}}
118 118  User interface for editing the settings for Kerberos authentication. Available only when the license includes this option.
119 119  {{/figure}}
120 120  
... ... @@ -128,7 +128,7 @@
128 128  
129 129  === Synchronize with frontend server ===
130 130  
131 -When activated, all changes to the configuration will be sent to all available {{fserver number="plural"/}}.
129 +When activated, all changes to the configuration will be sent to all available frontend servers.
132 132  
133 133  === Username ===
134 134  
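Review bot: this hunk replaces the `{{fserver number="plural"/}}` macro with the literal text "frontend servers", but the earlier heading "=== Synchronize with {{fserver/}} ===" in the NTLM section of this same page still uses the macro; use one form throughout so the server name renders consistently.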
... ... @@ -137,10 +137,15 @@
137 137  Normally this is the user account of the active directory that is setup as a service account.
138 138  
139 139  {{info}}
140 -When no //default_realm// has been specified in the section //[libdefaults]// of the file //krb5.conf//, you will need to enter the username with a domain (FQDN).
138 +When no //default_realm// has been specified in the section //[libdefaults]// of the file //krb5.conf//, you will need to enter the username with a domain (FQDN).
141 141  Example: user@EXCAMPLE.COM
142 142  {{/info}}
143 143  
142 +{{info}}
143 +To this user you must, in Active Directory for example, register the Domians to be used as ServiePrincipalName beginning with the service class HTTP. You can find more information [[here>>https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx||target="_blank"]] or [[here>>https://docs.microsoft.com/en-us/windows-server/networking/sdn/security/kerberos-with-spn||target="_blank"]].
144 +{{/info}}
145 +
146 +(% class="wikigeneratedid" %)
144 144  === Password ===
145 145  
146 146  Password of the service account.
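Review bot: the new info box contains typos: "Domians" should be "Domains" and "ServiePrincipalName" should be "ServicePrincipalName". The sentence is also hard to follow; suggested wording with the same meaning: "For this user you must register, in Active Directory for example, a ServicePrincipalName with the service class HTTP for each domain that will be used." The unchanged example "user@EXCAMPLE.COM" looks like a typo for "user@EXAMPLE.COM". The `(% class="wikigeneratedid" %)` parameter inserted before the "=== Password ===" heading is editor-generated markup and should be removed.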
... ... @@ -233,25 +233,25 @@
233 233  
234 234  === Client module name ===
235 235  
236 -The name in the //login.conf// file for the client to be used, eg. {{code}}spnego-client{{/code}}.
239 +The name in the //login.conf// file for the client to be used, eg. {{code language="none"}}spnego-client{{/code}}.
237 237  
238 238  === Server module name ===
239 239  
240 -The name in the //login.conf// file for the server to be used, eg. {{code}}spnego-server{{/code}}.
243 +The name in the //login.conf// file for the server to be used, eg. {{code language="none"}}spnego-server{{/code}}.
241 241  
242 242  {{error}}
243 -When you keep getting a HTTP 400 error with Kerberos activated, the most likely cause is that the HTTP header size of the Kerberos ticket exceeds the default header size limit of the application server, eg. Tomcat of JBoss. See the help pages on [[changing the HTTP header size limit>>doc:Main.Beschraenkung der HTTP-Header-Groesse aendern]].
246 +When you keep getting a HTTP 400 error with Kerberos activated, the most likely cause is that the HTTP header size of the Kerberos ticket exceeds the default header size limit of the application server, eg. Tomcat of JBoss. See the help pages on [[changing the HTTP header size limit>>doc:Formcycle.SystemSettings.TomcatSettings.LimitHTTPHeader]].
244 244  {{/error}}
245 245  
246 246  == LDAP user search ==
247 247  
248 -The following settings are required to retrieve information about the authenticated user from an LDAP (MS active directory). This data is then available in the form and can be accessed by JavaScript code.
251 +The following settings are required to retrieve information about the authenticated user from an {{smallcaps}}Ldap{{/smallcaps}} (MS active directory). This data is then available in the form and can be accessed by JavaScript code.
249 249  
250 250  === Domain controller host ===
251 251  
252 252  FQN (fully qualified name) and port of the active directory controller.
253 253  
254 -Example: {{code}}domain.example.com Port: 389{{/code}}
257 +Example: {{code language="none"}}domain.example.com Port: 389{{/code}}
255 255  
256 256  === SSL connection ===
257 257  
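Review bot: in the error box, "eg." should be "e.g." (also in the two module-name lines above it) and "Tomcat of JBoss" should be "Tomcat or JBoss". The link target changes from `doc:Main.Beschraenkung der HTTP-Header-Groesse aendern` to `doc:Formcycle.SystemSettings.TomcatSettings.LimitHTTPHeader`; please confirm that target page exists in this wiki, since nothing in the hunk shows it was created alongside this edit.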
... ... @@ -259,7 +259,7 @@
259 259  
260 260  === Referral hops ===
261 261  
262 -The maximum number of referral hops that may be performed on the LDAP server. Setting this to {{code}}0{{/code}} deactivates referral hops and no references will be followed.
265 +The maximum number of referral hops that may be performed on the LDAP server. Setting this to {{code language="none"}}0{{/code}} deactivates referral hops and no references will be followed.
263 263  
264 264  === User account (with domain) ===
265 265  
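Review bot: "LDAP" in this paragraph is left as plain text while the rest of this change converts it to `{{smallcaps}}Ldap{{/smallcaps}}`; apply the same markup here for consistency.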
... ... @@ -267,7 +267,7 @@
267 267  
268 268  {{info}}
269 269  This needs to be a username suffixed with the domain.
270 -Example: {{code}}user@EXCAMPLE.COM{{/code}}
273 +Example: {{code language="none"}}user@EXCAMPLE.COM{{/code}}
271 271  {{/info}}
272 272  
273 273  === User account password ===
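Review bot: "EXCAMPLE.COM" in the example looks like a typo for "EXAMPLE.COM"; the same string appears in the Kerberos username info box above, so fix both together.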
... ... @@ -278,28 +278,25 @@
278 278  
279 279  The LDAP baseDN used for looking up the authenticated user.
280 280  
281 -Example: {{code}}ou="intern", dc="example", dc="com"{{/code}}
284 +Example: {{code language="none"}}ou="intern", dc="example", dc="com"{{/code}}
282 282  
283 283  == Make user data available to forms ==
284 284  
285 -The LDAP user data for the currently authenticated user are stored in the JavaScript object {{code}}window.XFC_METADATA.currentUser.ldap{{/code}} and can be accessed via JavaScript.
288 +The LDAP user data for the currently authenticated user are stored in the JavaScript object {{code language="none"}}window.XFC_METADATA.user.rawData{{/code}} and can be accessed via JavaScript.
286 286  
287 287  {{info}}
288 -The user data that will be retrieved for the current user depends on the (read) permissions of the user account used for the LDAP user lookup.
291 +Which data the JSON structure contains under the rawData property depends mainly on the read rights of the LDAP account, which executes the user search in the LDAP system.
289 289  {{/info}}
290 290  
291 -{{panel title="Example"}}
294 +To access the property ~/~/userPrincipalName~/~/ of the user from JavaScript, use the following code:
292 292  
293 -To access the property //userPrincipalName// of the user from JavaScript, use the following code:
294 -
295 -{{code language="javascript" title=""}}
296 +{{code language="javascript"}}
296 296  try {
297 297   // Auslesen der Property und Anzeige in einem Label
298 298   var elem = $('[name=txt1]');
299 - var ldap = XFC_METADATA.currentUser.ldap;
300 + var ldap = XFC_METADATA.user.rawData;
300 300   if(ldap.hasOwnProperty('userPrincipalName')) {
301 - elem.append(ldap.userPrincipalName);
302 + elem.html(ldap.userPrincipalName);
302 302   }
303 303  } catch (err) {}
304 304  {{/code}}
305 -{{/panel}}
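Review bot: both the old `elem.append(...)` and the new `elem.html(...)` interpret a string argument as HTML markup, and `userPrincipalName` is a value read from the directory, not text written by the form author; insert it as text instead, e.g. `elem.text(ldap.userPrincipalName);`, so that any markup characters in the attribute are shown literally rather than rendered. Also in this hunk: `~/~/userPrincipalName~/~/` escapes the slashes, so the page now displays a literal `//userPrincipalName//` instead of italics, and the original `//userPrincipalName//` was the intended markup. The code comment "Auslesen der Property und Anzeige in einem Label" is German on the English page ("Read the property and display it in a label"). The empty `catch (err) {}` silently hides the case where `XFC_METADATA.user` or `rawData` is undefined; at least log the error so misconfigured lookups are visible. Finally, the info-box sentence would read better as "Which data the JSON structure under rawData contains depends mainly on the read permissions of the LDAP account that performs the user search."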