archiva-users mailing list archives

From "Qian, Yi" <yq...@ku.edu>
Subject Re: authentication against LDAP
Date Wed, 16 Feb 2011 15:41:52 GMT
Hello, Brent

Thanks for the help. I was dragged away by something else yesterday; I will take
a look at the filter.

Regards,

Yi

On 2/15/11 3:02 PM, "Brent Atkinson" <batkinson@apache.org> wrote:

>I believe the ldap configuration allows for a configurable user filter.
>You
>may be able to filter based on membership to a particular group.
>
>Check out the user-filter attribute at
>http://redback.codehaus.org/integration/ldap.html
>
>Brent
>
>On Tue, Feb 15, 2011 at 3:16 PM, Qian, Yi <yqian@ku.edu> wrote:
>
>> Hello, Brent
>>
>> For question 2, I just need to limit the access. There is no necessary
>>to
>> set different level of permission since archiva is used only by our team
>> and it only contains the artifacts. It is good to hear that this can be
>> archived by configuration. Could you please refer me to some resources
>>on
>> how to set up access limits?
>>
>> Regards,
>>
>> Yi
>>
>> On 2/15/11 1:48 PM, "Brent Atkinson" <batkinson@apache.org> wrote:
>>
>> >Responses in-line.
>> >
>> >On Tue, Feb 15, 2011 at 2:28 PM, Qian, Yi <yqian@ku.edu> wrote:
>> >
>> >> Hello, Brent
>> >>
>> >> 1. I will try the patch
>> >> 2. I am not going to mess with the LDAP entries, my intention is to
>> >>query
>> >> the isMemberOf attribute, so the redback authentication can redirect
>> >>user
>> >> based on query result.
>> >>
>> >
>> >Depending on how much control you want over the permissions granted to
>> >archiva users with the LDAP groups, this could obviate the need for a
>> >moderately complex mapping tool so you can say LDAP group X grants
>> >permissions A, B and C. Redback assumes management of permissions at the
>> >application level, not the directory level. Trying to invert that may be
>> >more tricky than you might expect. Are you trying to actually manage
>> >permissions in Archiva using LDAP membership, or are you just looking to
>> >limit the users allowed to access archiva? You may be able to do the latter
>> >with configuration.
>> >
>> >
>> >> 3. Following is my settings.xml in ~/.m2/ folder, which has my login
>> >> credential in it, my question is I would like to avoid put even
>> >>encrypted
>> >> credential in a file, there is a way to force user login when using
>> >> archiva, but also keep the login alive for some time period?
>> >>
>> >> <settings>
>> >>        <mirrors>
>> >>        <mirror>
>> >>                <id>internal</id>
>> >>             <name>Team maven repository</name>
>> >>                <url>http://host:8080/archiva/repository/internal/</url>
>> >>                <mirrorOf>*</mirrorOf>
>> >>        </mirror>
>> >>        </mirrors>
>> >>
>> >>
>> >>        <servers>
>> >>        <server>
>> >>                <id>internal</id>
>> >>                <username>name</username>
>> >>                <password>password</password>
>> >>        </server>
>> >>        <server>
>> >>                <id>release</id>
>> >>                <username>name</username>
>> >>                <password>password</password>
>> >>        </server>
>> >>        <server>
>> >>                <id>snapshots</id>
>> >>                <username>name</username>
>> >>                <password>password</password>
>> >>        </server>
>> >>        </servers>
>> >> </settings>
>> >>
>> >>
>> >> Regards,
>> >>
>> >> Yi
>> >>
>> >> On 2/15/11 11:07 AM, "Brent Atkinson" <batkinson@apache.org> wrote:
>> >>
>> >> >Comments are in-line.
>> >> >
>> >> >On Tue, Feb 15, 2011 at 11:03 AM, Qian, Yi <yqian@ku.edu> wrote:
>> >> >
>> >> >> Hello, Brett and Brent
>> >> >>
>> >> >> Thanks for your reply. I deployed archiva as stand-alone with jetty
>> >> >> bundle. I do not have admin user configured in LDAP. So I changed
>> >> >> redback.default.admin to my ID and it works.
>> >> >
>> >> >
>> >> >
>> >> >> I still have some questions about the authentication
>> >> >> 1. Do I have to set up redback.default.admin property? Seems to me the
>> >> >> answer is yes because even after I commented out this property in
>> >> >> security.properties file, archiva still redirected me to addadmin page.
>> >> >> But If this is true, we have to create an admin account in LDAP only for
>> >> >> archiva.
>> >> >>
>> >> >
>> >> >An admin user is required to exist in whatever authentication source you've
>> >> >configured. If there isn't such a user, archiva will ask you to create one.
>> >> >Setting it to your account satisfies this admin user check. I developed a
>> >> >patch for redback that allows you to create hardwired utility accounts when
>> >> >you can't or don't want to pollute the LDAP tree. It hasn't been integrated
>> >> >yet, mostly because I wanted to get feedback on it and because it affects
>> >> >both archiva and continuum configurations. The issue is REDBACK-266 if
>> >> >you're interested in trying it out. Any feedback you can give will be
>> >> >appreciated. Just comment on the issue.
>> >> >
>> >> >
>> >> >> 2. In our LDAP, user entry has multi-valued attributes isMemberOf, can we
>> >> >> set up redback to check this attribute, so if a user does not belong to
>> >> >> a certain group, archiva will redirect the user to unauthorized page. If
>> >> >> this feature does not exist yet, please point me the direction and I am
>> >> >> willing to do the customized code change.
>> >> >>
>> >> >
>> >> >AFAIK, redback doesn't use membership attributes in LDAP for authorization.
>> >> >One reason is that there are multiple ways that membership is handled in
>> >> >various LDAP implementations/schemas. Due to the complexity of trying to
>> >> >safely manage LDAP directories, redback doesn't manipulate the directory. It
>> >> >only reads from them. This allows users to authenticate with consistent
>> >> >logins, and management of permissions happens at the application level (not
>> >> >the directory level).
>> >> >
>> >> >
>> >> >> 3. There is settings.xml file in my local ~/.m2/ folder, this settings.xml
>> >> >> include my login credential, can we skip the credential and force user to
>> >> >> login when he trying to use archiva and keep a session so he can use the
>> >> >> archiva without login again if the session is alive?
>> >> >>
>> >> >> And again, if any above feature does not exist, I am willing to add it.
>> >> >>
>> >> >
>> >> >Not sure what you're asking about here. The settings.xml file is primarily
>> >> >used by maven plugins to authenticate. Are you suggesting that the http
>> >> >session be shared across your maven builds and your web browser?
>> >> >
>> >> >
>> >> >> Regards,
>> >> >>
>> >> >> Yi
>> >> >>
>> >> >>
>> >> >> On 2/14/11 11:34 PM, "Brett Porter" <brett@apache.org> wrote:
>> >> >>
>> >> >> >Did you go ahead with that screen and then check what "User Management"
>> >> >> >showed for available users?
>> >> >> >
>> >> >> >Did you configure a linked admin account in LDAP in security.properties?
>> >> >> >
>> >> >> >- Brett
>> >> >> >
>> >> >> >On 15/02/2011, at 10:10 AM, Qian, Yi wrote:
>> >> >> >
>> >> >> >> Hello, experts
>> >> >> >>
>> >> >> >> I am trying to set up archiva 1.3.3 to authenticate against LDAP
>> >> >> >> server. I followed the instruction of LDAP Integration on Redback
>> >> >> >> website. Uncommented components element of LDAP connection factory and
>> >> >> >> user mapper in application.xml located in /WEB-INF/classes/META-INF/plexus.
>> >> >> >> Added connection information and attributes mapping in security.properties
>> >> >> >> located in /WEB-INF/classes/org/apache/maven/archiva. I started archiva,
>> >> >> >> accessing http://localhost:8080/archiva brings me to
>> >> >> >> security/addadmin.action page. Could you tell me what I missed?
>> >> >> >>
>> >> >> >> Thanks,
>> >> >> >>
>> >> >> >> Yi
>> >> >> >>
>> >> >> >
>> >> >> >--
>> >> >> >Brett Porter
>> >> >> >brett@apache.org
>> >> >> >http://brettporter.wordpress.com/
>> >> >> >http://au.linkedin.com/in/brettporter
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >>
>> >>
>>
>>
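The settings.xml quoted in this thread stores repository credentials in the clear and points at a plain-http mirror, which is the part of question 3 that a reviewer would actually want checked. The script below is an added example, not code from the thread or from the Archiva, Redback or Maven projects: it parses a `~/.m2/settings.xml` and reports every `<server>` whose `<password>` is not in the brace-wrapped form that `mvn --encrypt-password` emits, and every server whose matching `<mirror>` URL starts with `http://`, so the credential would travel unencrypted. The sample XML is constructed from the quoted file; the `{PLACEHOLDER_CIPHERTEXT=}` value is a placeholder, not a real ciphertext.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the settings.xml quoted in the thread. The
# "release" entry uses a placeholder in the brace-wrapped form that
# `mvn --encrypt-password` produces; "snapshots" stores no password at all.
SAMPLE_SETTINGS = """<settings>
  <mirrors>
    <mirror>
      <id>internal</id>
      <name>Team maven repository</name>
      <url>http://host:8080/archiva/repository/internal/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>internal</id>
      <username>name</username>
      <password>password</password>
    </server>
    <server>
      <id>release</id>
      <username>name</username>
      <password>{PLACEHOLDER_CIPHERTEXT=}</password>
    </server>
    <server>
      <id>snapshots</id>
      <username>name</username>
    </server>
  </servers>
</settings>
"""


def _local(tag):
    """Strip a namespace prefix ("{uri}server" -> "server") so the audit works
    whether or not the file declares the Maven settings namespace."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def is_encrypted(password):
    """Maven's settings-security scheme stores ciphertext wrapped in braces,
    e.g. {COQLCE6DU6GtcS5P=}; anything else is a cleartext secret. (Maven also
    tolerates decoration around the braces; that case is ignored here.)"""
    return len(password) > 2 and password.startswith("{") and password.endswith("}")


def audit_settings(xml_text):
    """Return (server id, issue) pairs for every <server> that stores a
    cleartext password or whose matching <mirror> URL would send the
    credential over unencrypted http."""
    root = ET.fromstring(xml_text)
    mirror_urls = {}
    for elem in root.iter():
        if _local(elem.tag) == "mirror":
            mid, url = _child_text(elem, "id"), _child_text(elem, "url")
            if mid and url:
                mirror_urls[mid] = url
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "server":
            continue
        sid = _child_text(elem, "id") or "<no id>"
        password = _child_text(elem, "password")
        if not password:
            continue  # nothing stored, nothing to leak
        if not is_encrypted(password):
            findings.append((sid, "plaintext-password"))
        url = mirror_urls.get(sid, "")
        if url.lower().startswith("http://"):
            findings.append((sid, "credentials-sent-over-http"))
    return findings


if __name__ == "__main__":
    for server_id, issue in audit_settings(SAMPLE_SETTINGS):
        print(f"{server_id}: {issue}")
```

Run against the sample it reports `internal` twice (cleartext password, http mirror) and nothing for `release` or `snapshots`. Only servers that have a `<mirror>` with the same id are checked for http; ids that are matched to a `distributionManagement` repository in a pom would need that pom's URL instead.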

