I believe the ldap configuration allows for a configurable user filter. You may be able to filter based on membership to a particular group.
Check out the user-filter attribute at http://redback.codehaus.org/integration/ldap.html

Brent

On Tue, Feb 15, 2011 at 3:16 PM, Qian, Yi <yq...@ku.edu> wrote:

> Hello, Brent
>
> For question 2, I just need to limit the access. There is no need to set different levels of permission since archiva is used only by our team and it only contains the artifacts. It is good to hear that this can be achieved by configuration. Could you please refer me to some resources on how to set up access limits?
>
> Regards,
>
> Yi
>
> On 2/15/11 1:48 PM, "Brent Atkinson" <batkin...@apache.org> wrote:
>
> > Responses in-line.
> >
> > On Tue, Feb 15, 2011 at 2:28 PM, Qian, Yi <yq...@ku.edu> wrote:
> >
> > > Hello, Brent
> > >
> > > 1. I will try the patch
> > > 2. I am not going to mess with the LDAP entries; my intention is to query the isMemberOf attribute, so the redback authentication can redirect the user based on the query result.
> >
> > Depending on how much control you want over the permissions granted to archiva users with the LDAP groups, this could obviate the need for a moderately complex mapping tool so you can say LDAP group X grants permissions A, B and C. Redback assumes management of permissions at the application level, not the directory level. Trying to invert that may be more tricky than you might expect. Are you trying to actually manage permissions in Archiva using LDAP membership, or are you just looking to limit the users allowed to access archiva? You may be able to do the latter with configuration.
> >
> > > 3. Following is my settings.xml in the ~/.m2/ folder, which has my login credential in it. My question is: I would like to avoid putting even an encrypted credential in a file; is there a way to force the user to log in when using archiva, but also keep the login alive for some time period?
> > >
> > > <settings>
> > >   <mirrors>
> > >     <mirror>
> > >       <id>internal</id>
> > >       <name>Team maven repository</name>
> > >       <url>http://host:8080/archiva/repository/internal/</url>
> > >       <mirrorOf>*</mirrorOf>
> > >     </mirror>
> > >   </mirrors>
> > >
> > >   <servers>
> > >     <server>
> > >       <id>internal</id>
> > >       <username>name</username>
> > >       <password>password</password>
> > >     </server>
> > >     <server>
> > >       <id>release</id>
> > >       <username>name</username>
> > >       <password>password</password>
> > >     </server>
> > >     <server>
> > >       <id>snapshots</id>
> > >       <username>name</username>
> > >       <password>password</password>
> > >     </server>
> > >   </servers>
> > > </settings>
> > >
> > > Regards,
> > >
> > > Yi
> > >
> > > On 2/15/11 11:07 AM, "Brent Atkinson" <batkin...@apache.org> wrote:
> > >
> > > > Comments are in-line.
> > > >
> > > > On Tue, Feb 15, 2011 at 11:03 AM, Qian, Yi <yq...@ku.edu> wrote:
> > > >
> > > > > Hello, Brett and Brent
> > > > >
> > > > > Thanks for your reply. I deployed archiva as stand-alone with the jetty bundle. I do not have an admin user configured in LDAP. So I changed redback.default.admin to my ID and it works.
> > > > >
> > > > > I still have some questions about the authentication
> > > > > 1. Do I have to set up the redback.default.admin property? Seems to me the answer is yes because even after I commented out this property in the security.properties file, archiva still redirected me to the addadmin page. But if this is true, we have to create an admin account in LDAP only for archiva.
> > > >
> > > > An admin user is required to exist in whatever authentication source you've configured. If there isn't such a user, archiva will ask you to create one. Setting it to your account satisfies this admin user check. I developed a patch for redback that allows you to create hardwired utility accounts when you can't or don't want to pollute the LDAP tree. It hasn't been integrated yet, mostly because I wanted to get feedback on it and because it affects both archiva and continuum configurations. The issue is REDBACK-266 if you're interested in trying it out. Any feedback you can give will be appreciated. Just comment on the issue.
> > > >
> > > > > 2. In our LDAP, the user entry has a multi-valued attribute isMemberOf; can we set up redback to check this attribute, so that if a user does not belong to a certain group, archiva will redirect the user to an unauthorized page? If this feature does not exist yet, please point me in the direction and I am willing to do the customized code change.
> > > >
> > > > AFAIK, redback doesn't use membership attributes in LDAP for authorization. One reason is that there are multiple ways that membership is handled in various LDAP implementations/schemas. Due to the complexity of trying to safely manage LDAP directories, redback doesn't manipulate the directory. It only reads from them. This allows users to authenticate with consistent logins, and management of permissions happens at the application level (not the directory level).
> > > >
> > > > > 3. There is a settings.xml file in my local ~/.m2/ folder; this settings.xml includes my login credential. Can we skip the credential and force the user to log in when he is trying to use archiva, and keep a session so he can use archiva without logging in again if the session is alive?
> > > > >
> > > > > And again, if any of the above features does not exist, I am willing to add it.
> > > >
> > > > Not sure what you're asking about here. The settings.xml file is primarily used by maven plugins to authenticate. Are you suggesting that the http session be shared across your maven builds and your web browser?
> > > >
> > > > > Regards,
> > > > >
> > > > > Yi
> > > > >
> > > > > On 2/14/11 11:34 PM, "Brett Porter" <br...@apache.org> wrote:
> > > > >
> > > > > > Did you go ahead with that screen and then check what "User Management" showed for available users?
> > > > > >
> > > > > > Did you configure a linked admin account in LDAP in security.properties?
> > > > > >
> > > > > > - Brett
> > > > > >
> > > > > > On 15/02/2011, at 10:10 AM, Qian, Yi wrote:
> > > > > >
> > > > > > > Hello, experts
> > > > > > >
> > > > > > > I am trying to set up archiva 1.3.3 to authenticate against an LDAP server. I followed the instructions for LDAP Integration on the Redback website. I uncommented the components element of the LDAP connection factory and user mapper in application.xml located in /WEB-INF/classes/META-INF/plexus, and added connection information and attribute mapping in security.properties located in /WEB-INF/classes/org/apache/maven/archiva. I started archiva; accessing http://localhost:8080/archiva brings me to the security/addadmin.action page. Could you tell me what I missed?
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Yi
> > > > > >
> > > > > > --
> > > > > > Brett Porter
> > > > > > br...@apache.org
> > > > > > http://brettporter.wordpress.com/
> > > > > > http://au.linkedin.com/in/brettporter
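To illustrate the user-filter approach Brent points to (an added example, not Redback's or Archiva's own code): a small evaluator for the LDAP search filter syntax that a user-filter setting would hold, applied to a user entry whose isMemberOf attribute is multi-valued, so that only members of one group pass. The group DNs, the attribute names and the sample entry are assumptions constructed for the example.

```python
# Added example, not Redback/Archiva code: evaluate an LDAP search filter
# (RFC 4515 subset: &, |, !, attr=value, attr=*) against a multi-valued user
# entry, showing how a group-restricting user filter admits or rejects a login.

def _parse(s, i):
    """Parse one parenthesised component at s[i]; return (node, next index)."""
    assert s[i] == "(", "filter component must start with '('"
    i += 1
    if s[i] in "&|":                       # n-ary AND / OR
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    if s[i] == "!":                        # unary NOT
        node, i = _parse(s, i + 1)
        assert s[i] == ")"
        return ("!", [node]), i + 1
    end = s.index(")", i)                  # attr=value; the value itself may contain '='
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def parse_filter(text):
    node, i = _parse(text.strip(), 0)
    assert i == len(text.strip()), "trailing characters after filter"
    return node

def matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # case-insensitive match

# Constructed user filter: only members of one LDAP group may log in.
USER_FILTER = ("(&(objectClass=inetOrgPerson)"
               "(isMemberOf=cn=archiva-users,ou=groups,dc=example,dc=org))")
def user_allowed(entry, user_filter=USER_FILTER):
    return matches(parse_filter(user_filter), entry)

TEAM_MEMBER = {"objectclass": ["inetOrgPerson"], "ismemberof": [  # constructed entry
    "cn=archiva-users,ou=groups,dc=example,dc=org", "cn=staff,ou=groups,dc=example,dc=org"]}
```

A user whose isMemberOf values lack the archiva-users DN, or who has no isMemberOf at all, fails the filter and is never presented to the application as a valid login.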