Configuration examples
Default configuration:
With the default fs-jaas.conf, the login procedure for the SiteArchitect is as follows:
- When the FirstSpirit start page is opened in the web browser, the user is prompted for a user name and password. These are checked against the FirstSpirit user database maintained via the ServerManager. After successful authentication a ticket is generated, which the web browser presents on subsequent requests.
- When the SiteArchitect is started, the web browser hands the previously created ticket to the SiteArchitect, which passes it to the FirstSpirit Server for verification. No further password entry is required.
- If the ticket has expired or could not be transferred to the FirstSpirit Server, the SiteArchitect falls back to prompting the user for the password.
Login to a Windows domain using LDAP:
/* access api authentication (e.g., for remote projects) */
system {
    de.espirit.firstspirit.server.authentication.FSUserLoginModule sufficient hash="true";
    de.espirit.firstspirit.server.authentication.FSTicketLoginModule sufficient;
};
/* java-/admin-client authentication without sso */
plain {
    de.espirit.firstspirit.server.authentication.LdapLoginModule optional section="LDAP";
    de.espirit.firstspirit.server.authentication.FSUserLoginModule optional;
};
/* java-/admin-client authentication sso */
sso {
    de.espirit.firstspirit.server.authentication.FSTicketLoginModule sufficient;
    de.espirit.firstspirit.server.authentication.LdapLoginModule optional section="LDAP";
    de.espirit.firstspirit.server.authentication.FSUserLoginModule optional;
};
/* web authentication (for preview, webedit, webmonitor) without sso */
webplain {
    de.espirit.firstspirit.server.authentication.LdapLoginModule optional section="LDAP";
    de.espirit.firstspirit.server.authentication.FSUserLoginModule optional;
};
/* web authentication (for preview, webedit, webmonitor) with sso */
websso {
    de.espirit.firstspirit.server.authentication.FSTicketLoginModule sufficient;
    //de.espirit.firstspirit.server.authentication.KerberosLoginModule optional
    //    useFullPrincipal="false" userAgents=".*";
    de.espirit.firstspirit.server.authentication.NTLMLoginModule optional
        domains="E-SPIRIT:dc1.e-spirit.de,dc2.e-spirit.de;:dc1.e-spirit.de,dc2.e-spirit.de";
    de.espirit.firstspirit.server.authentication.LdapLoginModule optional section="LDAP";
    de.espirit.firstspirit.server.authentication.FSUserLoginModule optional;
};
//enable for KerberosLoginModule only:
//com.sun.security.jgss.accept {
//    com.sun.security.auth.module.Krb5LoginModule required
//        principal="HTTP/fs5.e-spirit.de@E-SPIRIT.DE"
//        keyTab="/opt/firstspirit5/conf/krb5-fs5-HTTP.keytab"
//        useKeyTab="true"
//        storeKey="true"
//        isInitiator="false"
//        doNotPrompt="true"
//        debug="true";
//};
In this example the KerberosLoginModule entry (including its continuation line) and the whole com.sun.security.jgss.accept block are commented out; they are only uncommented, together, when Kerberos single sign-on is used. In each context the FSTicketLoginModule is listed first as sufficient, so a valid ticket ends the login without consulting the LDAP or FirstSpirit user database modules; the remaining modules are optional, so a login without a ticket succeeds as soon as one of them accepts the credentials.
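To make the control flow of such a stack visible, the following added example (Python, not FirstSpirit code) parses a fs-jaas.conf login context and replays the standard JAAS rules for the required, requisite, sufficient and optional flags. The sample configuration embedded in it is constructed from the sso and websso contexts above; which module would accept the user is supplied by hand, so no server or directory is contacted.

```python
"""Parse fs-jaas.conf login contexts and replay JAAS control flow.

Added example, not FirstSpirit code. Flag semantics follow the standard JAAS
rules (javax.security.auth.login.Configuration): required/requisite must
succeed, a successful sufficient module ends the stack, optional never decides
on its own. Which module "succeeds" is supplied by hand, so this runs offline.
"""
import re

# Constructed sample: the sso and websso contexts of the documented example,
# with the Kerberos entry and the jgss.accept block commented out as on the page.
SAMPLE_JAAS = r'''
/* java-/admin-client authentication sso */
sso {
    de.espirit.firstspirit.server.authentication.FSTicketLoginModule sufficient;
    de.espirit.firstspirit.server.authentication.LdapLoginModule optional section="LDAP";
    de.espirit.firstspirit.server.authentication.FSUserLoginModule optional;
};
/* web authentication (for preview, webedit, webmonitor) with sso */
websso {
    de.espirit.firstspirit.server.authentication.FSTicketLoginModule sufficient;
    //de.espirit.firstspirit.server.authentication.KerberosLoginModule optional
    //    useFullPrincipal="false" userAgents=".*";
    de.espirit.firstspirit.server.authentication.NTLMLoginModule optional
        domains="E-SPIRIT:dc1.e-spirit.de,dc2.e-spirit.de;:dc1.e-spirit.de,dc2.e-spirit.de";
    de.espirit.firstspirit.server.authentication.LdapLoginModule optional section="LDAP";
    de.espirit.firstspirit.server.authentication.FSUserLoginModule optional;
};
//enable for KerberosLoginModule only:
//com.sun.security.jgss.accept {
//    com.sun.security.auth.module.Krb5LoginModule required
//        principal="HTTP/fs5.e-spirit.de@E-SPIRIT.DE" useKeyTab="true";
//};
'''

FLAGS = ("required", "requisite", "sufficient", "optional")


def _split_statements(body):
    """Split on ';' outside double quotes (the NTLM domains value contains one)."""
    stmts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    stmts.append("".join(cur).strip())
    return [s for s in stmts if s]


def parse_jaas(text):
    """Return {context: [(module, flag, options), ...]} in file order.

    Only /* */ blocks and whole-line // comments are stripped, so a '//' inside
    a quoted option value is left alone.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(?m)^\s*//.*$", "", text)
    contexts = {}
    for block in re.finditer(r"([\w.]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        name, stack = block.group(1), []
        for stmt in _split_statements(block.group(2)):
            head = re.match(r"(\S+)\s+(\w+)(.*)", stmt, flags=re.S)
            if head is None or head.group(2).lower() not in FLAGS:
                raise ValueError(f"{name}: cannot parse entry {stmt!r}")
            module = head.group(1).rsplit(".", 1)[-1]       # short class name
            options = dict(re.findall(r'(\w+)="([^"]*)"', head.group(3)))
            stack.append((module, head.group(2).lower(), options))
        contexts[name] = stack
    return contexts


def login_outcome(stack, succeeding):
    """Replay JAAS control flow for one context.

    `succeeding` is the set of module names that would authenticate the user.
    Returns (overall_success, modules_actually_consulted).
    """
    consulted, has_required, required_failed, any_ok = [], False, False, False
    for module, flag, _options in stack:
        consulted.append(module)
        ok = module in succeeding
        if flag in ("required", "requisite"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "requisite":
                    break                      # requisite failure stops the stack
        elif ok:
            any_ok = True
            if flag == "sufficient" and not required_failed:
                break                          # sufficient success stops the stack
    overall = not required_failed if has_required else any_ok
    return overall, consulted


if __name__ == "__main__":
    ctx = parse_jaas(SAMPLE_JAAS)
    for name, stack in ctx.items():
        print(name, [f"{m} {f}" for m, f, _ in stack])
    web = ctx["websso"]
    print("valid ticket  :", login_outcome(web, {"FSTicketLoginModule"}))
    print("LDAP password :", login_outcome(web, {"LdapLoginModule"}))
    print("nothing valid :", login_outcome(web, set()))
```

Running it shows the two properties that matter when reviewing such a file: a valid ticket stops the websso stack after the first module, so the directory is never consulted, whereas a password login walks every optional module and succeeds as soon as one of them accepts, which is why each optional backend (NTLM, LDAP, the FirstSpirit user database) must be trusted on its own.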
Extract from the file /opt/firstspirit5/conf/fs-server.conf (the LDAP section that the section="LDAP" option of the LdapLoginModule refers to):
LDAP.NAME=e-spirit.de
LDAP.HOST_URL=ldap://dc1.e-spirit.de ldap://dc2.e-spirit.de
LDAP.SSL=FALSE
LDAP.AUTHENTICATION=SEARCH_BIND
LDAP.SEARCH.BIND_DN=ldaptechuser
LDAP.SEARCH.BIND_PASSWORD=apassword
LDAP.SEARCH.BASE_DN=DC=e-spirit,DC=de
LDAP.SEARCH.FILTER=(sAMAccountName=$USER_LOGIN$)
LDAP.IMPORT_USER=TRUE
LDAP.IMPORT_USER.GROUP_ATTRIBUTE=memberof
LDAP.IMPORT_USER.LOGIN_ATTRIBUTE=sAMAccountName
LDAP.IMPORT_USER.NAME_ATTRIBUTE=givenName,sn
LDAP.IMPORT_USER.EMAIL_ATTRIBUTE=mail
LDAP.IMPORT_USER.PHONE_ATTRIBUTE=telephoneNumber
LDAP.IMPORT_USER.ABBREVIATION_ATTRIBUTE=initials
Note that this example disables transport encryption (LDAP.SSL=FALSE) and stores the password of the search account (LDAP.SEARCH.BIND_DN) in plaintext in fs-server.conf. In production, set LDAP.SSL=TRUE, restrict read access to fs-server.conf, and give the search account read-only rights limited to the attributes listed above.
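As an added example (Python, not FirstSpirit code), the following script parses such an LDAP section, raises the review findings a practitioner would expect for it, and shows how the $USER_LOGIN$ placeholder in LDAP.SEARCH.FILTER must be filled: the login name is escaped per RFC 4515 before substitution so that it can only ever be a literal attribute value. The sample input is constructed from the extract above; the findings and the escaping are this example's own policy and say nothing about how FirstSpirit itself performs the search.

```python
"""Lint the LDAP section of fs-server.conf and expand LDAP.SEARCH.FILTER safely.

Added example, not FirstSpirit code. It reads only the documented LDAP.* keys;
the findings it raises and the RFC 4515 escaping are this example's own
policy, not a statement about how FirstSpirit itself builds the search.
"""

# Constructed sample: the fs-server.conf extract from the page (abridged).
SAMPLE_CONF = """\
LDAP.NAME=e-spirit.de
LDAP.HOST_URL=ldap://dc1.e-spirit.de ldap://dc2.e-spirit.de
LDAP.SSL=FALSE
LDAP.AUTHENTICATION=SEARCH_BIND
LDAP.SEARCH.BIND_DN=ldaptechuser
LDAP.SEARCH.BIND_PASSWORD=apassword
LDAP.SEARCH.BASE_DN=DC=e-spirit,DC=de
LDAP.SEARCH.FILTER=(sAMAccountName=$USER_LOGIN$)
LDAP.IMPORT_USER=TRUE
LDAP.IMPORT_USER.LOGIN_ATTRIBUTE=sAMAccountName
"""


def parse_conf(text):
    """KEY=VALUE per line; only the first '=' separates, so BASE_DN keeps its own."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _sep, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, login):
    """Substitute $USER_LOGIN$ so the login can only ever be a literal value."""
    return template.replace("$USER_LOGIN$", escape_filter_value(login))


def lint_ldap(conf):
    """Return the security findings a reviewer would raise for this section."""
    findings = []
    if conf.get("LDAP.SSL", "").upper() != "TRUE":
        findings.append(
            "LDAP.SSL is not TRUE: the search bind and every user's simple bind "
            "send passwords over the network unencrypted")
    if conf.get("LDAP.AUTHENTICATION") == "SEARCH_BIND" and conf.get("LDAP.SEARCH.BIND_PASSWORD"):
        findings.append(
            "LDAP.SEARCH.BIND_PASSWORD sits in plaintext in fs-server.conf: restrict "
            "read access to the file and give the bind account read-only rights")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in lint_ldap(conf):
        print("FINDING:", finding)
    tmpl = conf["LDAP.SEARCH.FILTER"]
    print(expand_filter(tmpl, "jdoe"))
    print(expand_filter(tmpl, "*)(objectClass=*"))   # stays one equality match
```

The second expansion is the case worth checking in any code that fills the template: without escaping, a login name containing parentheses or a wildcard would change the shape of the filter; with it, the search still matches at most the one account whose sAMAccountName is that literal string.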