archiva-dev mailing list archives

From Olivier Lamy <ol...@apache.org>
Subject Re: UserManager Impl choice via UI and ldap configuration
Date Tue, 11 Dec 2012 19:27:59 GMT
Note: one case doesn't work yet.
The same userid is in both ldap and jdo with different passwords.
If I try to log in with the wrong password with the first impl, the login
is rejected.
I will try to fix that tomorrow.

2012/12/10 Olivier Lamy <olamy@apache.org>:
> So mostly implemented, you can choose more than one userManager (jdo
> and/or ldap) and specify the order.
> Feel free to try a snapshot build from here:
> https://builds.apache.org/view/A-F/view/Archiva/job/archiva-all-maven-3.x-jdk-1.6/
> I need to add some UI improvements (magnify :-)) and verify various ui
> part (users tables, modifying a user)
> It's possible to configure ldap server too.
>
> @Brett note security.properties is checked first and then imported in
> archiva.xml.
> So must cover your use case :-)
>
>
>
> 2012/12/4 Olivier Lamy <olamy@apache.org>:
>> 2012/12/3 Sascha Vogt <sascha.vogt@gmail.com>:
>>> On 03.12.2012 17:14, Olivier Lamy wrote:
>>>>> I have the title a bit more concrete and a more general approach in the
>>>>> description. I think as in the title, having database being the backup
>>>>> of LDAP is a good first step, perfect would be to be able to chain
>>>>> various auth-modules (that way one could also have the database first,
>>>>> and second the LDAP, as a database lookup is much quicker than first
>>>>> waiting for an LDAP fail).
>>>> Some questions:
>>>> * what will be the content of the users screen (merge of n users
>>>> backend ? first id win ?)
>>>> * users backend (as ldap) can be read only so when a user is logged in we
>>>> must know which system he uses. But users can be in n systems. How do we
>>>> handle that?
>>>
>>> Well, I think the easiest and most "transparent" way would be to only
>>> show the user from the first found auth-module.
>>>
>>> So if I configure LDAP to be the first, database second, and I have the
>>> same user in both, only the LDAP one is shown... I know this is not
>>> ideal, because if LDAP fails, the user would be looked up from the
>>> database and I wouldn't be able to add "rights" to that user, unless I
>>> first disable LDAP or shuffle the order of the auth-modules, though I
>>> find that tolerable.
>>>
>>> In general one should keep the user-ids distinct, otherwise everyone
>>> gets confused anyway, so I think this is a sensible restriction.
>>>
>>> If you want to be able to edit both accounts, just add that as a
>>> configuration "hierarchy", so first choose the auth-module, then show
>>> the users of that auth-module. If one wants to edit the other, one
>>> navigates up one level and selects the other module. But as I said, I
>>> think the hiding from above is perfectly tolerable. Though the second
>>> option has the advantage that from an admin point of view it's always
>>> perfectly clear which user base I'm currently editing.
>>>
>> Sounds good and similar to what I have in mind :-)
>>> By the way, these are just my thoughts, feel free to ignore them ;) I
>> No you are probably using/managing more archiva instances than I do :-)
>>> can even live without the auth-module chaining by now (we finally got a
>>> technical user added to our active directory and even got the damn
>>> password policy disabled for that one *g*)
>>>
>>> Greetings
>>> -Sascha-
>>
>>
>>
>> --
>> Olivier Lamy
>> Talend: http://coders.talend.com
>> http://twitter.com/olamy | http://linkedin.com/in/olamy
>
>
>
> --
> Olivier Lamy
> Talend: http://coders.talend.com
> http://twitter.com/olamy | http://linkedin.com/in/olamy



-- 
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
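The chained user-manager design discussed in this thread (ordered backends, "first found wins" for the users screen, and the case Olivier reports as not working yet, where the same userid exists in both ldap and jdo with different passwords), as an added example that is not Archiva or Redback code. It is a language-neutral Python sketch: the class names, the in-memory backends and the sample accounts are constructed for illustration. The `fall_through` flag lets you compare the rejecting behaviour with a chain that moves on to the next backend after a failed password check.

```python
"""Ordered chain of user-manager backends (constructed example, not Archiva code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is kept low for a fast demo only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class User:
    userid: str
    backend: str          # which user manager owns this record
    read_only: bool       # e.g. LDAP-backed users cannot be edited locally
    _salt: bytes = field(repr=False)
    _pw_hash: bytes = field(repr=False)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self._salt), self._pw_hash)


class UserManager:
    """One backend ('ldap' or 'jdo' here) holding an in-memory user table."""

    def __init__(self, name: str, read_only: bool, accounts: Dict[str, str]):
        self.name = name
        self._users: Dict[str, User] = {}
        for userid, password in accounts.items():
            # Constructed, deterministic salt so the demo is reproducible.
            salt = hashlib.sha256(f"{name}:{userid}".encode()).digest()
            self._users[userid] = User(userid, name, read_only, salt, _hash(password, salt))

    def find_user(self, userid: str) -> Optional[User]:
        return self._users.get(userid)

    def user_ids(self) -> List[str]:
        return sorted(self._users)


class ChainedUserManager:
    """Tries the configured backends in the configured order.

    fall_through=False reproduces the behaviour the thread reports as broken:
    a wrong password against the first backend that knows the userid rejects
    the login even though a later backend would accept it.
    fall_through=True continues with the next backend after a failed check.
    """

    def __init__(self, backends: List[UserManager], fall_through: bool = True):
        self.backends = backends
        self.fall_through = fall_through

    def find_user(self, userid: str) -> Optional[User]:
        # "First found wins": the users screen shows only the record from the
        # earliest backend, as suggested in the thread.
        for b in self.backends:
            u = b.find_user(userid)
            if u is not None:
                return u
        return None

    def list_users(self) -> List[User]:
        seen: Dict[str, User] = {}
        for b in self.backends:
            for uid in b.user_ids():
                seen.setdefault(uid, b.find_user(uid))
        return [seen[k] for k in sorted(seen)]

    def authenticate(self, userid: str, password: str) -> Optional[str]:
        """Return the name of the backend that accepted the credentials, or None.

        Returning the backend name lets the caller log which store actually
        authenticated the user, which matters once a userid can live in
        several stores with different passwords.
        """
        for b in self.backends:
            u = b.find_user(userid)
            if u is None:
                continue              # unknown here: try the next backend
            if u.check_password(password):
                return b.name
            if not self.fall_through:
                return None           # first backend knowing the id decides
        return None


# Constructed sample data: 'alice' exists in both stores with different passwords.
LDAP = UserManager("ldap", read_only=True, accounts={"alice": "ldap-secret", "bob": "bob-pw"})
JDO = UserManager("jdo", read_only=False, accounts={"alice": "jdo-secret", "carol": "carol-pw"})


def chain(fall_through: bool) -> ChainedUserManager:
    return ChainedUserManager([LDAP, JDO], fall_through=fall_through)


if __name__ == "__main__":
    strict, lenient = chain(False), chain(True)
    print("users screen:", [(u.userid, u.backend) for u in lenient.list_users()])
    print("alice/jdo-secret, strict :", strict.authenticate("alice", "jdo-secret"))
    print("alice/jdo-secret, lenient:", lenient.authenticate("alice", "jdo-secret"))
```

Whichever behaviour is chosen, recording the backend name returned by `authenticate` in the login audit trail is what makes the "same userid in two stores" situation visible to an administrator; with fall-through enabled, a login succeeds if any configured store accepts the password, so that log line is the only way to tell which credential was used.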
