archiva-users mailing list archives

From Brent Atkinson <batkin...@apache.org>
Subject Re: authentication against LDAP
Date Tue, 15 Feb 2011 21:02:37 GMT
I believe the ldap configuration allows for a configurable user filter. You
may be able to filter based on membership to a particular group.

Check out the user-filter attribute at
http://redback.codehaus.org/integration/ldap.html

Brent

On Tue, Feb 15, 2011 at 3:16 PM, Qian, Yi <yqian@ku.edu> wrote:

> Hello, Brent
>
> For question 2, I just need to limit the access. There is no need to
> set different levels of permission since archiva is used only by our team
> and it only contains the artifacts. It is good to hear that this can be
> achieved by configuration. Could you please refer me to some resources on
> how to set up access limits?
>
> Regards,
>
> Yi
>
> On 2/15/11 1:48 PM, "Brent Atkinson" <batkinson@apache.org> wrote:
>
> >Responses in-line.
> >
> >On Tue, Feb 15, 2011 at 2:28 PM, Qian, Yi <yqian@ku.edu> wrote:
> >
> >> Hello, Brent
> >>
> >> 1. I will try the patch
> >> 2. I am not going to mess with the LDAP entries; my intention is to query
> >> the isMemberOf attribute, so the redback authentication can redirect the
> >> user based on the query result.
> >>
> >
> >Depending on how much control you want over the permissions granted to
> >archiva users with the LDAP groups, this could obviate the need for a
> >moderately complex mapping tool so you can say LDAP group X grants
> >permissions A, B and C. Redback assumes management of permissions at the
> >application level, not the directory level. Trying to invert that may be
> >more tricky than you might expect. Are you trying to actually manage
> >permissions in Archiva using LDAP membership, or are you just looking to
> >limit the users allowed to access archiva? You may be able to do the latter
> >with configuration.
> >
> >
> >> 3. Following is my settings.xml in the ~/.m2/ folder, which has my login
> >> credential in it. My question is that I would like to avoid putting even
> >> an encrypted credential in a file; is there a way to force the user to log
> >> in when using archiva, but also keep the login alive for some time period?
> >>
> >> <settings>
> >>   <mirrors>
> >>     <mirror>
> >>       <id>internal</id>
> >>       <name>Team maven repository</name>
> >>       <url>http://host:8080/archiva/repository/internal/</url>
> >>       <mirrorOf>*</mirrorOf>
> >>     </mirror>
> >>   </mirrors>
> >>
> >>   <servers>
> >>     <server>
> >>       <id>internal</id>
> >>       <username>name</username>
> >>       <password>password</password>
> >>     </server>
> >>     <server>
> >>       <id>release</id>
> >>       <username>name</username>
> >>       <password>password</password>
> >>     </server>
> >>     <server>
> >>       <id>snapshots</id>
> >>       <username>name</username>
> >>       <password>password</password>
> >>     </server>
> >>   </servers>
> >> </settings>
> >>
> >>
> >> Regards,
> >>
> >> Yi
> >>
> >> On 2/15/11 11:07 AM, "Brent Atkinson" <batkinson@apache.org> wrote:
> >>
> >> >Comments are in-line.
> >> >
> >> >On Tue, Feb 15, 2011 at 11:03 AM, Qian, Yi <yqian@ku.edu> wrote:
> >> >
> >> >> Hello, Brett and Brent
> >> >>
> >> >> Thanks for your reply. I deployed archiva as stand-alone with jetty
> >> >> bundle. I do not have admin user configured in LDAP. So I changed
> >> >> redback.default.admin to my ID and it works.
> >> >
> >> >
> >> >
> >> >> I still have some questions about the authentication
> >> >> 1. Do I have to set up the redback.default.admin property? It seems to me
> >> >> the answer is yes because even after I commented out this property in the
> >> >> security.properties file, archiva still redirected me to the addadmin page.
> >> >> But if this is true, we have to create an admin account in LDAP only for
> >> >> archiva.
> >> >>
> >> >
> >> >An admin user is required to exist in whatever authentication source you've
> >> >configured. If there isn't such a user, archiva will ask you to create one.
> >> >Setting it to your account satisfies this admin user check. I developed a
> >> >patch for redback that allows you to create hardwired utility accounts when
> >> >you can't or don't want to pollute the LDAP tree. It hasn't been integrated
> >> >yet, mostly because I wanted to get feedback on it and because it affects
> >> >both archiva and continuum configurations. The issue is REDBACK-266 if
> >> >you're interested in trying it out. Any feedback you can give will be
> >> >appreciated. Just comment on the issue.
> >> >
> >> >
> >> >> 2. In our LDAP, the user entry has a multi-valued attribute isMemberOf. Can
> >> >> we set up redback to check this attribute, so that if a user does not belong
> >> >> to a certain group, archiva will redirect the user to an unauthorized page?
> >> >> If this feature does not exist yet, please point me in the direction and I
> >> >> am willing to do the customized code change.
> >> >>
> >> >
> >> >AFAIK, redback doesn't use membership attributes in LDAP for authorization.
> >> >One reason is that there are multiple ways that membership is handled in
> >> >various LDAP implementations/schemas. Due to the complexity of trying to
> >> >safely manage LDAP directories, redback doesn't manipulate the directory. It
> >> >only reads from them. This allows users to authenticate with consistent
> >> >logins, and management of permissions happens at the application level (not
> >> >the directory level).
> >> >
> >> >
> >> >> 3. There is a settings.xml file in my local ~/.m2/ folder. This settings.xml
> >> >> includes my login credential; can we skip the credential and force the user
> >> >> to log in when he is trying to use archiva, and keep a session so he can use
> >> >> archiva without logging in again while the session is alive?
> >> >>
> >> >> And again, if any of the above features does not exist, I am willing to add
> >> >> it.
> >> >>
> >> >
> >> >Not sure what you're asking about here. The settings.xml file is primarily
> >> >used by maven plugins to authenticate. Are you suggesting that the http
> >> >session be shared across your maven builds and your web browser?
> >> >
> >> >
> >> >> Regards,
> >> >>
> >> >> Yi
> >> >>
> >> >>
> >> >> On 2/14/11 11:34 PM, "Brett Porter" <brett@apache.org> wrote:
> >> >>
> >> >> >Did you go ahead with that screen and then check what "User Management"
> >> >> >showed for available users?
> >> >> >
> >> >> >Did you configure a linked admin account in LDAP in security.properties?
> >> >> >
> >> >> >- Brett
> >> >> >
> >> >> >On 15/02/2011, at 10:10 AM, Qian, Yi wrote:
> >> >> >
> >> >> >> Hello, experts
> >> >> >>
> >> >> >> I am trying to set up archiva 1.3.3 to authenticate against an LDAP
> >> >> >> server. I followed the instructions for LDAP Integration on the Redback
> >> >> >> website. I uncommented the components element of the LDAP connection
> >> >> >> factory and user mapper in application.xml located in
> >> >> >> /WEB-INF/classes/META-INF/plexus. I added connection information and
> >> >> >> attribute mapping in security.properties located in
> >> >> >> /WEB-INF/classes/org/apache/maven/archiva. I started archiva, and
> >> >> >> accessing http://localhost:8080/archiva brings me to the
> >> >> >> security/addadmin.action page. Could you tell me what I missed?
> >> >> >>
> >> >> >> Thanks,
> >> >> >>
> >> >> >> Yi
> >> >> >>
> >> >> >
> >> >> >--
> >> >> >Brett Porter
> >> >> >brett@apache.org
> >> >> >http://brettporter.wordpress.com/
> >> >> >http://au.linkedin.com/in/brettporter
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >>
> >>
> >>
>
>
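The thread above turns on one configuration knob: an LDAP user filter that limits who may authenticate to Archiva to members of a particular group. The following is an added example, not code from this thread, from Redback or from Archiva: a small evaluator for LDAP search filters in RFC 4515 syntax (`&`, `|`, `!`, `attr=value`, `attr=*`), run over a constructed set of directory entries to show what a membership-restricted filter admits next to what an unrestricted one admits. The group DNs, attribute names and user entries are all hypothetical; the name of Redback's own user-filter setting and the way it applies it are not reproduced here and are documented on the page linked in the reply.

```python
# Added example, not Redback/Archiva code: a small evaluator for LDAP search
# filters in RFC 4515 syntax (&, |, !, attr=value and attr=*) that shows what a
# "user filter" restricting logins to one group's members matches and, beside
# it, what a filter with no membership test lets through.  The attribute names,
# group DNs and user entries are constructed for the demonstration.
from typing import Dict, List

Entry = Dict[str, List[str]]  # LDAP attributes are multi-valued


def _norm(s: str) -> str:
    # Attribute names and DN-valued attributes compare case-insensitively.
    return s.strip().lower()


def _at(s: str, i: int) -> str:
    return s[i] if i < len(s) else ""


def parse_filter(text: str):
    """Parse an RFC 4515 filter into a tuple-based AST; reject malformed input."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter at offset %d" % pos)
    return node


def _parse(s: str, i: int):
    if _at(s, i) != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = _at(s, i)
    if op in ("&", "|"):
        i, children = i + 1, []
        while _at(s, i) == "(":
            child, i = _parse(s, i)
            children.append(child)
        if _at(s, i) != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if not children:
            # "(&)" is the absolute-true filter: it would admit every entry.
            raise ValueError("empty '%s' filter would match everyone" % op)
        return (op, children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if _at(s, i) != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", child), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item at offset %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value at offset %d" % i)
    if value == "*":
        return ("present", _norm(attr)), end + 1
    return ("eq", _norm(attr), _norm(value)), end + 1


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind in ("&", "|"):
        combine = all if kind == "&" else any
        return combine(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    attrs = {_norm(k): [_norm(v) for v in vs] for k, vs in entry.items()}
    if kind == "present":
        return node[1] in attrs
    return node[2] in attrs.get(node[1], [])  # "eq": any one value may match


def allowed_users(filter_text: str, entries: List[Entry]) -> List[str]:
    """Return the uids that a given user filter would let authenticate."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


# Constructed sample directory (hypothetical DNs and users).
ARCHIVA_GROUP = "cn=archiva-users,ou=groups,dc=example,dc=com"
WIKI_GROUP = "cn=wiki-users,ou=groups,dc=example,dc=com"
SAMPLE_ENTRIES: List[Entry] = [
    {"uid": ["alice"], "objectClass": ["inetOrgPerson"],
     "isMemberOf": [ARCHIVA_GROUP, WIKI_GROUP]},
    {"uid": ["bob"], "objectClass": ["inetOrgPerson"], "isMemberOf": [WIKI_GROUP]},
    {"uid": ["svc-build"], "objectClass": ["inetOrgPerson"]},  # no isMemberOf at all
    {"uid": ["carol"], "objectClass": ["inetOrgPerson"],
     "isMemberOf": ["CN=Archiva-Users,OU=Groups,DC=example,DC=com"]},  # same group, other case
]

# Weak: every person in the directory can log in to the repository manager.
OPEN_FILTER = "(objectClass=inetOrgPerson)"
# Restrictive: only members of the Archiva group qualify.
GROUP_FILTER = "(&(objectClass=inetOrgPerson)(isMemberOf=%s))" % ARCHIVA_GROUP

if __name__ == "__main__":
    print("open filter admits: ", allowed_users(OPEN_FILTER, SAMPLE_ENTRIES))
    print("group filter admits:", allowed_users(GROUP_FILTER, SAMPLE_ENTRIES))
```

Two points the run makes visible: a multi-valued isMemberOf is matched if any one of its values equals the group DN, and the comparison is case-insensitive, so carol's differently-cased entry is still admitted. The parser deliberately rejects an empty `(&)`, because that is the always-true filter and a user filter that degenerates to it silently grants every directory account access, which is the exact outcome the thread is trying to avoid.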
