archiva-dev mailing list archives

From Olivier Lamy <>
Subject Re: UserManager Impl choice via UI and ldap configuration
Date Thu, 13 Dec 2012 09:02:13 GMT
You can test builds from here:
build >= #1749

I still need some ui magnify to add but it works :-)

2012/12/11 Olivier Lamy <>:
> Note: one case doesn't work yet.
> The same userid is in both ldap and jdo with different passwords.
> If I try to log in with the wrong password with the first impl, the login
> is rejected.
> I will try to fix that tomorrow.
> 2012/12/10 Olivier Lamy <>:
>> So mostly implemented, you can choose more than one userManager (jdo
>> and/or ldap) and specify the order.
>> Feel free to try a snapshot build from here:
>> I need to add some UI improvements (magnify :-)) and verify various ui
>> parts (users tables, modifying a user)
>> It's possible to configure ldap server too.
>> @Brett note is checked first and then imported in
>> archiva.xml.
>> So must cover your use case :-)
>> 2012/12/4 Olivier Lamy <>:
>>> 2012/12/3 Sascha Vogt <>:
>>>> Am 03.12.2012 17:14, schrieb Olivier Lamy:
>>>>>> I have the title a bit more concrete and a more general approach in the
>>>>>> description. I think as in the title, having database being the backup
>>>>>> of LDAP is a good first step, perfect would be to be able to chain
>>>>>> various auth-modules (that way one could also have the database first,
>>>>>> and second the LDAP, as a database lookup is much quicker than first
>>>>>> waiting for an LDAP fail).
>>>>> Some questions:
>>>>> * what will be the content of the users screen (merge of n users
>>>>> backend ? first id win ?)
>>>>> * users backend (as ldap) can be read only so when a user is logged we
>>>>> must which system he uses. but users can be in n systems. How do we
>>>>> handle that ?
>>>> Well, I think the easiest and most "transparent" way would be to only
>>>> show the user from the first found auth-module.
>>>> So if I configure LDAP to be the first, database second, and I have the
>>>> same user in both, only the LDAP one is shown... I know this is not
>>>> ideal, because if LDAP fails, the user would be looked up from the
>>>> database and I wouldn't be able to add "rights" to that user, unless I
>>>> first disable LDAP or shuffle the order of the auth-modules, though I
>>>> find that tolerable.
>>>> In general one should keep the user-ids distinct otherwise everyone
>>>> gets confused anyway, so I think this is a sensible restriction.
>>>> If you want to be able to edit both accounts, just add that as a
>>>> configuration "hierarchy", so first choose the auth-module, then show
>>>> the users of that auth-module. If one wants to edit the other, one
>>>> navigates up one level and selects the other module. But as I said, I
>>>> think the hiding from above is perfectly tolerable. Though the second
>>>> option has the advantage that from an admin point of view it's always
>>>> perfectly clear which user base I'm currently editing.
>>> Sounds good and similar to what I have in mind :-)
>>>> By the way, these are just my thoughts, feel free to ignore them ;) I
>>> No you are probably using/managing more archiva instances than I do :-)
>>>> can even live without the auth-module chaining by now (we finally got a
>>>> technical user added to our active directory and even got the damn
>>>> password policy disabled for that one *g*)
>>>> Greetings
>>>> -Sascha-
>>> --
>>> Olivier Lamy
>>> Talend:
>>> |
>> --
>> Olivier Lamy
>> Talend:
>> |
> --
> Olivier Lamy
> Talend:
> |

Olivier Lamy
Talend: |
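
The case discussed in this thread (the same user id present in both ldap and jdo with different passwords) comes down to what an ordered chain does when the first backend holding the id rejects the password. The sketch below is an added example, not code from this message or from Archiva; `Backend`, `login` and the `fallThrough` flag are hypothetical names, and the users are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class ChainedLogin {
    // Hypothetical stand-in for one user backend ("ldap" or "jdo"): user id -> password.
    // Plaintext values keep the sketch short; a real backend verifies a hash or an LDAP bind.
    static final class Backend {
        final String name;
        final Map<String, String> users = new HashMap<>();
        Backend(String name) { this.name = name; }
        Backend with(String id, String password) { users.put(id, password); return this; }
    }

    // Constant-time comparison so the check does not leak how many characters matched.
    static boolean matches(String stored, String given) {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     given.getBytes(StandardCharsets.UTF_8));
    }

    /** Name of the backend that accepted the login, or null when it is rejected. */
    static String login(List<Backend> chain, String id, String password, boolean fallThrough) {
        for (Backend b : chain) {
            String stored = b.users.get(id);
            if (stored == null) continue;           // id unknown here: try the next backend
            if (matches(stored, password)) return b.name;
            if (!fallThrough) return null;          // first backend holding the id decides
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed data: "alice" exists in both backends with different passwords.
        List<Backend> chain = Arrays.asList(
            new Backend("ldap").with("alice", "ldap-secret"),
            new Backend("jdo").with("alice", "jdo-secret").with("bob", "bob-secret"));

        for (boolean fallThrough : new boolean[] {false, true}) {
            System.out.println("fallThrough=" + fallThrough);
            System.out.println("  alice/ldap-secret -> " + login(chain, "alice", "ldap-secret", fallThrough));
            System.out.println("  alice/jdo-secret  -> " + login(chain, "alice", "jdo-secret", fallThrough));
            System.out.println("  bob/bob-secret    -> " + login(chain, "bob", "bob-secret", fallThrough));
            System.out.println("  alice/wrong       -> " + login(chain, "alice", "wrong", fallThrough));
        }
    }
}
```

With `fallThrough` enabled, either stored password opens the `alice` account regardless of backend order, which is the practical reason behind the advice in the thread to keep user ids distinct across backends.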
