archiva-dev mailing list archives

From Olivier Lamy <ol...@apache.org>
Subject Re: UserManager Impl choice via UI and ldap configuration
Date Thu, 13 Dec 2012 09:02:13 GMT
fixed.
You can test builds from here:
https://builds.apache.org/view/A-F/view/Archiva/job/archiva-all-maven-3.x-jdk-1.6/
build >= #1749

I still need some ui magnify to add but it works :-)

2012/12/11 Olivier Lamy <olamy@apache.org>:
> Note: one case doesn't work yet.
> The same userid is in both ldap and jdo with different passwords.
> If you try to log in with the wrong password with the first impl, the login
> is rejected.
> I will try to fix that tomorrow.
>
> 2012/12/10 Olivier Lamy <olamy@apache.org>:
>> So mostly implemented, you can choose more than one userManager (jdo
>> and/or ldap) and specify the order.
>> Feel free to try a snapshot build from here:
>> https://builds.apache.org/view/A-F/view/Archiva/job/archiva-all-maven-3.x-jdk-1.6/
>> I need to add some UI improvements (magnify :-)) and verify various ui
>> parts (users tables, modifying a user)
>> It's possible to configure ldap server too.
>>
>> @Brett note security.properties is checked first and then imported in
>> archiva.xml.
>> So must cover your use case :-)
>>
>>
>>
>> 2012/12/4 Olivier Lamy <olamy@apache.org>:
>>> 2012/12/3 Sascha Vogt <sascha.vogt@gmail.com>:
>>>> On 03.12.2012 17:14, Olivier Lamy wrote:
>>>>>> I have the title a bit more concrete and a more general approach in the
>>>>>> description. I think as in the title, having database being the backup
>>>>>> of LDAP is a good first step, perfect would be to be able to chain
>>>>>> various auth-modules (that way one could also have the database first,
>>>>>> and second the LDAP, as a database lookup is much quicker than first
>>>>>> waiting for an LDAP fail).
>>>>> Some questions:
>>>>> * what will be the content of the users screen (merge of n users
>>>>> backend ? first id win ?)
>>>>> * users backend (as ldap) can be read only so when a user is logged we
>>>>> must know which system he uses. but users can be in n systems. How do we
>>>>> handle that ?
>>>>
>>>> Well, I think the easiest and most "transparent" way would be to only
>>>> show the user from the first found auth-module.
>>>>
>>>> So if I configure LDAP to be the first, database second, and I have the
>>>> same user in both, only the LDAP one is shown... I know this is not
>>>> ideal, because if LDAP fails, the user would be looked up from the
>>>> database and I wouldn't be able to add "rights" to that user, unless I
>>>> first disable LDAP or shuffle the order of the auth-modules, though I
>>>> find that tolerable.
>>>>
>>>> In general one should keep the user-ids distinct otherwise everyone
>>>> gets confused anyway, so I think this is a sensible restriction.
>>>>
>>>> If you want to be able to edit both accounts, just add that as a
>>>> configuration "hierarchy", so first choose the auth-module, then show
>>>> the users of that auth-module. If one wants to edit the other, one
>>>> navigates up one level and selects the other module. But as I said, I
>>>> think the hiding from above is perfectly tolerable. Though the second
>>>> option has the advantage that from an admin point of view it's always
>>>> perfectly clear which user base I'm currently editing.
>>>>
>>> Sounds good and similar to what I have in mind :-)
>>>> By the way, these are just my thoughts, feel free to ignore them ;) I
>>> No you are probably using/managing more archiva instances than I do :-)
>>>> can even live without the auth-module chaining by now (we finally got a
>>>> technical user added to our active directory and even got the damn
>>>> password policy disabled for that one *g*)
>>>>
>>>> Greetings
>>>> -Sascha-
>>>
>>>
>>>
>>> --
>>> Olivier Lamy
>>> Talend: http://coders.talend.com
>>> http://twitter.com/olamy | http://linkedin.com/in/olamy



-- 
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
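
The ordered chain of user managers discussed in this thread, including the case of one user id present in both ldap and jdo with different passwords, as an added Java sketch that is not part of the original messages and not Archiva or Redback code. The `UserBackend` interface, the `backend` helper, the user name and the passwords are all hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class ChainedLoginDemo {
    /** Hypothetical backend interface for this sketch; not the Archiva/Redback UserManager API. */
    interface UserBackend {
        String id();
        boolean accepts(String userId, String password);
    }

    /** Constructed in-memory stand-in for a real ldap or jdo store (real stores keep hashes). */
    static UserBackend backend(final String id, final Map<String, String> users) {
        return new UserBackend() {
            public String id() { return id; }
            public boolean accepts(String userId, String password) {
                String stored = users.get(userId);
                if (stored == null) return false;          // user unknown in this backend
                return MessageDigest.isEqual(               // constant-time comparison
                        stored.getBytes(StandardCharsets.UTF_8),
                        password.getBytes(StandardCharsets.UTF_8));
            }
        };
    }

    /** Tries each backend in configured order; returns the id of the one that accepted, or null. */
    static String authenticate(List<UserBackend> chain, String userId, String password) {
        for (UserBackend b : chain) {
            if (b.accepts(userId, password)) return b.id();
            // Rejected or unknown here: fall through to the next backend instead of failing the login.
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample data: the same user id exists in both backends with different passwords.
        List<UserBackend> chain = Arrays.asList(
                backend("ldap", Collections.singletonMap("alice", "ldap-secret")),
                backend("jdo", Collections.singletonMap("alice", "jdo-secret")));

        System.out.println(authenticate(chain, "alice", "ldap-secret"));
        System.out.println(authenticate(chain, "alice", "jdo-secret"));
        System.out.println(authenticate(chain, "alice", "wrong"));
        System.out.println(authenticate(chain, "nobody", "jdo-secret"));
    }
}
```

With duplicate user ids, either backend's password is accepted, so the returned backend id is worth recording at login: it tells the caller which store the session belongs to and whether that store is read-only.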
