archiva-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sascha Vogt <>
Subject Re: UserManager Impl choice via UI and ldap configuration
Date Mon, 03 Dec 2012 17:23:02 GMT
Am 03.12.2012 17:14, schrieb Olivier Lamy:
>> I have the title a bit more concrete and a more general approach in the
>> description. I think as in the title, having database being the backup
>> of LDAP is a good first step, perfect would be to be able to chain
>> various auth-modules (that way one could also have the database first,
>> and second the LDAP, as a database lookup is much quicker than first
>> waiting for an LDAP fail).
> Some questions:
> * what will be the content of the users screen (merge of n users
> backend ? first id win ?)
> * users backend (as ldap) can be read only so when a user is logged we
> must which system he uses. but users can be in n systems. How do we
> handle that ?

Well, I think the easiest and most "transparent" way would be to only
show the user from the first found auth-module.

So if I configure LDAP to be the first, database second, and I have the
same user in both, only the LDAP one is shown... I know this is not
ideal, because if LDAP fails, the user would be looked up from the
database and I wouldn't be able to add "rights" to that user, unless I
first disable LDAP or shuffle the order of the auth-modules, though I
find that tolerable.

In generally one should keep the user-ids distinct otherwise everyone
gets confused anyway, so I think this is a sensible restriction.

If you want to be able to edit both accounts, just add that as a
configuration "hiearachy", so first choose the auth-module, then show
the users of that auth-module. If one wants to edit the other, one
navigates up one level and selects the other module. But as I said, I
think the hiding from above is perfectly tolerable. Though the second
options has the advantage that from an admin point of view its always
perfectly clear which user base I'm currently editing.

By the way, these are just my thoughts, feel free to ignore them ;) I
can even live without the auth-module chaining by now (we finally got a
technical user added to our active directory and even got the damn
password policy disabled for that one *g*)


View raw message