Date: Mon, 11 Oct 2010 06:45:59 +0000 (UTC)
From: Igor Galić
To: users@tomcat.apache.org, users@archiva.apache.org
Subject: Kerberos authentication

Hello Happy people,

I'm cross-posting this to tomcat and archiva.

In our company we have a well-established Active Directory infrastructure. I'm running an Apache Archiva 1.3.1 installation in Tomcat 6, on Solaris 10. The OS has been Kerberos enabled and I would very much like to make use of this for Tomcat/Archiva in order to provide secure authenticated access to it.

We need to provide secure and scalable authentication. Thus, everything else has been ruled out:

* No authentication -- not good, because we need some form of auditing on who uploaded/deployed what (i.e.: who broke it)
* SSH/SCP doesn't scale from an administration point of view (i.e.: we'd have to do something. That could be done wrong, forgotten about or any number of things when people have to do mundane tasks)
* Basic authentication -- not so good from an admin's point of view, because clear-text passwords are stored in a Developer's settings.xml. Not so good from a developer's point of view, because s/he has to change their password in settings.xml every month or so. (sic)

Given the lack of (official) documentation:

http://www.google.com/search?hl=en&sitesearch=tomcat.apache.org&q=kerberos+OR+krb&aq=f&aqi=&aql=&oq=&gs_rfai=
http://wiki.apache.org/tomcat/FrontPage?action=fullsearch&context=180&value=kerberos+krb&fullsearch=Text
http://www.google.at/search?client=opera&rls=en&q=site:archiva.apache.org+kerberos+OR+krb&sourceid=opera&ie=utf-8&oe=utf-8
http://www.google.com/search?hl=en&domains=cwiki.apache.org%2FARCHIVA&sitesearch=cwiki.apache.org%2FARCHIVA&q=kerberos+OR+krb&sitesearch=cwiki.apache.org%2FARCHIVA&aq=f&aqi=&aql=&oq=&gs_rfai=

I was wondering if that's even remotely in scope of either Project.

It seems fairly simple to integrate Tomcat into a Kerberos Infrastructure (although I haven't had the time to do this so far), the question that remains unanswered to me is how to make Archiva profit from such integration.

I appreciate any kind of feedback from people who similarly are stuck between a rock and a hard place, and even more so from those who have a sensible solution :)

So long,
i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/