archiva-users mailing list archives

From Brent Atkinson <batkin...@apache.org>
Subject Re: authentication against LDAP
Date Tue, 15 Feb 2011 19:48:32 GMT
Responses in-line.

On Tue, Feb 15, 2011 at 2:28 PM, Qian, Yi <yqian@ku.edu> wrote:

> Hello, Brent
>
> 1. I will try the patch
> 2. I am not going to mess with the LDAP entries; my intention is to query
> the isMemberOf attribute, so the redback authentication can redirect the
> user based on the query result.
>

Depending on how much control you want over the permissions granted to
archiva users with the LDAP groups, this could obviate the need for a
moderately complex mapping tool so you can say LDAP group X grants
permissions A, B and C. Redback assumes management of permissions at the
application level, not the directory level. Trying to invert that may be
more tricky than you might expect. Are you trying to actually manage
permissions in Archiva using LDAP membership, or are you just looking to
limit the users allowed to access archiva? You may be able to do the latter
with configuration.


> 3. Following is my settings.xml in the ~/.m2/ folder, which has my login
> credential in it. My question is that I would like to avoid putting even an
> encrypted credential in a file; is there a way to force the user to log in
> when using archiva, but also keep the login alive for some time period?
>
> <settings>
>     <mirrors>
>         <mirror>
>             <id>internal</id>
>             <name>Team maven repository</name>
>             <url>http://host:8080/archiva/repository/internal/</url>
>             <mirrorOf>*</mirrorOf>
>         </mirror>
>     </mirrors>
>
>     <servers>
>         <server>
>             <id>internal</id>
>             <username>name</username>
>             <password>password</password>
>         </server>
>         <server>
>             <id>release</id>
>             <username>name</username>
>             <password>password</password>
>         </server>
>         <server>
>             <id>snapshots</id>
>             <username>name</username>
>             <password>password</password>
>         </server>
>     </servers>
> </settings>
>
>
> Regards,
>
> Yi
>
> On 2/15/11 11:07 AM, "Brent Atkinson" <batkinson@apache.org> wrote:
>
> >Comments are in-line.
> >
> >On Tue, Feb 15, 2011 at 11:03 AM, Qian, Yi <yqian@ku.edu> wrote:
> >
> >> Hello, Brett and Brent
> >>
> >> Thanks for your reply. I deployed archiva as stand-alone with jetty
> >> bundle. I do not have admin user configured in LDAP. So I changed
> >> redback.default.admin to my ID and it works.
> >
> >
> >
> >> I still have some questions about the authentication
> >> 1. Do I have to set up redback.default.admin property? Seems to me the
> >> answer is yes because even after I commented out this property in
> >> security.properties file, archiva still redirected me to addadmin page.
> >> But If this is true, we have to create an admin account in LDAP only for
> >> archiva.
> >>
> >
> >An admin user is required to exist in whatever authentication source
> >you've configured. If there isn't such a user, archiva will ask you to
> >create one. Setting it to your account satisfies this admin user check. I
> >developed a patch for redback that allows you to create hardwired utility
> >accounts when you can't or don't want to pollute the LDAP tree. It hasn't
> >been integrated yet, mostly because I wanted to get feedback on it and
> >because it affects both archiva and continuum configurations. The issue is
> >REDBACK-266 if you're interested in trying it out. Any feedback you can
> >give will be appreciated. Just comment on the issue.
> >
> >
> >> 2. In our LDAP, the user entry has a multi-valued attribute isMemberOf.
> >> Can we set up redback to check this attribute, so that if the user does
> >> not belong to a certain group, archiva will redirect the user to an
> >> unauthorized page? If this feature does not exist yet, please point me in
> >> the right direction and I am willing to do the customized code change.
> >>
> >
> >AFAIK, redback doesn't use membership attributes in LDAP for
> >authorization. One reason is that there are multiple ways that membership
> >is handled in various LDAP implementations/schemas. Due to the complexity
> >of trying to safely manage LDAP directories, redback doesn't manipulate the
> >directory. It only reads from them. This allows users to authenticate with
> >consistent logins, and management of permissions happens at the
> >application level (not the directory level).
> >
> >
> >> 3. There is a settings.xml file in my local ~/.m2/ folder; this
> >> settings.xml includes my login credential. Can we skip the credential and
> >> force the user to log in when he is trying to use archiva, and keep a
> >> session so he can use archiva without logging in again while the session
> >> is alive?
> >>
> >> And again, if any above feature does not exist, I am willing to add it.
> >>
> >
> >Not sure what you're asking about here. The settings.xml file is primarily
> >used by maven plugins to authenticate. Are you suggesting that the http
> >session be shared across your maven builds and your web browser?
> >
> >
> >> Regards,
> >>
> >> Yi
> >>
> >>
> >> On 2/14/11 11:34 PM, "Brett Porter" <brett@apache.org> wrote:
> >>
> >> >Did you go ahead with that screen and then check what "User Management"
> >> >showed for available users?
> >> >
> >> >Did you configure a linked admin account in LDAP in
> >> >security.properties?
> >> >
> >> >- Brett
> >> >
> >> >On 15/02/2011, at 10:10 AM, Qian, Yi wrote:
> >> >
> >> >> Hello, experts
> >> >>
> >> >> I am trying to set up archiva 1.3.3 to authenticate against an LDAP
> >> >> server. I followed the instructions for LDAP Integration on the Redback
> >> >> website. I uncommented the components element of the LDAP connection
> >> >> factory and user mapper in application.xml located in
> >> >> /WEB-INF/classes/META-INF/plexus, and added connection information and
> >> >> attribute mapping in security.properties located in
> >> >> /WEB-INF/classes/org/apache/maven/archiva. I started archiva; accessing
> >> >> http://localhost:8080/archiva brings me to the security/addadmin.action
> >> >> page. Could you tell me what I missed?
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Yi
> >> >>
> >> >
> >> >--
> >> >Brett Porter
> >> >brett@apache.org
> >> >http://brettporter.wordpress.com/
> >> >http://au.linkedin.com/in/brettporter
> >> >
> >> >
> >> >
> >> >
> >>
> >>
>
>
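A defender-side check suggested by the settings.xml quoted above (added Python example, not code from the thread, Archiva or Maven): it parses a settings.xml and flags server entries whose <password> is not in the {...} form Maven uses for passwords encrypted against ~/.m2/settings-security.xml, plus mirrors fetched over plain http. The sample document is constructed to mirror the thread's file, and the finding labels are my own naming.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the settings.xml quoted in the thread; the
# second server shows Maven's {...} encrypted-password form for contrast.
SAMPLE_SETTINGS = """<settings>
  <mirrors>
    <mirror>
      <id>internal</id>
      <url>http://host:8080/archiva/repository/internal/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  <servers>
    <server><id>internal</id><username>name</username><password>password</password></server>
    <server><id>release</id><username>name</username><password>{AbC123=}</password></server>
  </servers>
</settings>"""

# Maven treats a password containing {...} as encrypted with the master
# password held in ~/.m2/settings-security.xml.
ENCRYPTED_RE = re.compile(r"\{[^}]+\}")

def _local(tag):
    # Drop the namespace: real settings.xml files declare a default xmlns.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_settings(xml_text):
    """Return (kind, id, detail) findings in document order: server
    passwords stored in plaintext and mirrors fetched over cleartext http."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = _local(elem.tag)
        if kind == "server":
            password = _child_text(elem, "password")
            if password and not ENCRYPTED_RE.search(password):
                findings.append(("plaintext-password", _child_text(elem, "id"),
                                 "encrypt with mvn --encrypt-password"))
        elif kind == "mirror":
            url = _child_text(elem, "url")
            if url.lower().startswith("http://"):
                findings.append(("cleartext-transport", _child_text(elem, "id"), url))
    return findings
```

An encrypted entry still leaves a reusable secret on disk next to the master password file, so this narrows the exposure rather than removing it.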
