Hello, Brent

Thanks for the help, I was dragged by something else yesterday, will take a
look at the filter.

Regards,
Yi

On 2/15/11 3:02 PM, "Brent Atkinson" <batkin...@apache.org> wrote:

>I believe the ldap configuration allows for a configurable user filter. You
>may be able to filter based on membership to a particular group.
>
>Check out the user-filter attribute at
>http://redback.codehaus.org/integration/ldap.html
>
>Brent
>
>On Tue, Feb 15, 2011 at 3:16 PM, Qian, Yi <yq...@ku.edu> wrote:
>
>> Hello, Brent
>>
>> For question 2, I just need to limit the access. There is no need to
>> set different levels of permission since archiva is used only by our team
>> and it only contains the artifacts. It is good to hear that this can be
>> achieved by configuration. Could you please refer me to some resources on
>> how to set up access limits?
>>
>> Regards,
>>
>> Yi
>>
>> On 2/15/11 1:48 PM, "Brent Atkinson" <batkin...@apache.org> wrote:
>>
>> >Responses in-line.
>> >
>> >On Tue, Feb 15, 2011 at 2:28 PM, Qian, Yi <yq...@ku.edu> wrote:
>> >
>> >> Hello, Brent
>> >>
>> >> 1. I will try the patch
>> >> 2. I am not going to mess with the LDAP entries, my intention is to
>> >> query the isMemberOf attribute, so the redback authentication can
>> >> redirect the user based on the query result.
>> >>
>> >
>> >Depending on how much control you want over the permissions granted to
>> >archiva users with the LDAP groups, this could obviate the need for a
>> >moderately complex mapping tool so you can say LDAP group X grants
>> >permissions A, B and C. Redback assumes management of permissions at the
>> >application level, not the directory level. Trying to invert that may be
>> >more tricky than you might expect. Are you trying to actually manage
>> >permissions in Archiva using LDAP membership, or are you just looking to
>> >limit the users allowed to access archiva? You may be able to do the
>> >latter with configuration.
>> >
>> >
>> >> 3. Following is my settings.xml in ~/.m2/ folder, which has my login
>> >> credential in it. My question is: I would like to avoid putting even an
>> >> encrypted credential in a file. Is there a way to force the user to log
>> >> in when using archiva, but also keep the login alive for some time
>> >> period?
>> >>
>> >> <settings>
>> >>   <mirrors>
>> >>     <mirror>
>> >>       <id>internal</id>
>> >>       <name>Team maven repository</name>
>> >>       <url>http://host:8080/archiva/repository/internal/</url>
>> >>       <mirrorOf>*</mirrorOf>
>> >>     </mirror>
>> >>   </mirrors>
>> >>
>> >>   <servers>
>> >>     <server>
>> >>       <id>internal</id>
>> >>       <username>name</username>
>> >>       <password>password</password>
>> >>     </server>
>> >>     <server>
>> >>       <id>release</id>
>> >>       <username>name</username>
>> >>       <password>password</password>
>> >>     </server>
>> >>     <server>
>> >>       <id>snapshots</id>
>> >>       <username>name</username>
>> >>       <password>password</password>
>> >>     </server>
>> >>   </servers>
>> >> </settings>
>> >>
>> >>
>> >> Regards,
>> >>
>> >> Yi
>> >>
>> >> On 2/15/11 11:07 AM, "Brent Atkinson" <batkin...@apache.org> wrote:
>> >>
>> >> >Comments are in-line.
>> >> >
>> >> >On Tue, Feb 15, 2011 at 11:03 AM, Qian, Yi <yq...@ku.edu> wrote:
>> >> >
>> >> >> Hello, Brett and Brent
>> >> >>
>> >> >> Thanks for your reply. I deployed archiva as stand-alone with the
>> >> >> jetty bundle. I do not have an admin user configured in LDAP. So I
>> >> >> changed redback.default.admin to my ID and it works.
>> >> >
>> >> >
>> >> >> I still have some questions about the authentication
>> >> >> 1. Do I have to set up the redback.default.admin property? It seems
>> >> >> to me the answer is yes, because even after I commented out this
>> >> >> property in the security.properties file, archiva still redirected
>> >> >> me to the addadmin page. But if this is true, we have to create an
>> >> >> admin account in LDAP only for archiva.
>> >> >>
>> >> >
>> >> >An admin user is required to exist in whatever authentication source
>> >> >you've configured. If there isn't such a user, archiva will ask you to
>> >> >create one. Setting it to your account satisfies this admin user
>> >> >check. I developed a patch for redback that allows you to create
>> >> >hardwired utility accounts when you can't or don't want to pollute the
>> >> >LDAP tree. It hasn't been integrated yet, mostly because I wanted to
>> >> >get feedback on it and because it affects both archiva and continuum
>> >> >configurations. The issue is REDBACK-266 if you're interested in
>> >> >trying it out. Any feedback you can give will be appreciated. Just
>> >> >comment on the issue.
>> >> >
>> >> >
>> >> >> 2. In our LDAP, the user entry has a multi-valued attribute
>> >> >> isMemberOf. Can we set up redback to check this attribute, so if the
>> >> >> user does not belong to a certain group, archiva will redirect the
>> >> >> user to an unauthorized page? If this feature does not exist yet,
>> >> >> please point me in the direction and I am willing to do the
>> >> >> customized code change.
>> >> >>
>> >> >
>> >> >AFAIK, redback doesn't use membership attributes in LDAP for
>> >> >authorization. One reason is that there are multiple ways that
>> >> >membership is handled in various LDAP implementations/schemas. Due to
>> >> >the complexity of trying to safely manage LDAP directories, redback
>> >> >doesn't manipulate the directory. It only reads from them. This allows
>> >> >users to authenticate with consistent logins, and management of
>> >> >permissions happens at the application level (not the directory
>> >> >level).
>> >> >
>> >> >
>> >> >> 3. There is a settings.xml file in my local ~/.m2/ folder; this
>> >> >> settings.xml includes my login credential. Can we skip the
>> >> >> credential and force the user to log in when he is trying to use
>> >> >> archiva, and keep a session so he can use archiva without logging
>> >> >> in again if the session is alive?
>> >> >>
>> >> >> And again, if any of the above features does not exist, I am
>> >> >> willing to add it.
>> >> >>
>> >> >
>> >> >Not sure what you're asking about here. The settings.xml file is
>> >> >primarily used by maven plugins to authenticate. Are you suggesting
>> >> >that the http session be shared across your maven builds and your web
>> >> >browser?
>> >> >
>> >> >
>> >> >> Regards,
>> >> >>
>> >> >> Yi
>> >> >>
>> >> >>
>> >> >> On 2/14/11 11:34 PM, "Brett Porter" <br...@apache.org> wrote:
>> >> >>
>> >> >> >Did you go ahead with that screen and then check what "User
>> >> >> >Management" showed for available users?
>> >> >> >
>> >> >> >Did you configure a linked admin account in LDAP in
>> >> >> >security.properties?
>> >> >> >
>> >> >> >- Brett
>> >> >> >
>> >> >> >On 15/02/2011, at 10:10 AM, Qian, Yi wrote:
>> >> >> >
>> >> >> >> Hello, experts
>> >> >> >>
>> >> >> >> I am trying to set up archiva 1.3.3 to authenticate against an
>> >> >> >> LDAP server. I followed the instructions of LDAP Integration on
>> >> >> >> the Redback website. Uncommented the components element of the
>> >> >> >> LDAP connection factory and user mapper in application.xml
>> >> >> >> located in /WEB-INF/classes/META-INF/plexus. Added connection
>> >> >> >> information and attribute mapping in security.properties located
>> >> >> >> in /WEB-INF/classes/org/apache/maven/archiva. I started archiva;
>> >> >> >> accessing http://localhost:8080/archiva brings me to the
>> >> >> >> security/addadmin.action page. Could you tell me what I missed?
>> >> >> >>
>> >> >> >> Thanks,
>> >> >> >>
>> >> >> >> Yi
>> >> >> >>
>> >> >> >
>> >> >> >--
>> >> >> >Brett Porter
>> >> >> >br...@apache.org
>> >> >> >http://brettporter.wordpress.com/
>> >> >> >http://au.linkedin.com/in/brettporter
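The concern behind question 3 above is the plaintext `<password>` entries in the quoted ~/.m2/settings.xml. As an added example that is not part of this thread nor of the Archiva, Redback or Maven projects, the following Python script parses a settings.xml and reports which `<server>` entries still carry a literal password, distinguishing them from the `{...}` form Maven writes when a password has been encrypted against settings-security.xml (via `mvn --encrypt-password`). The sample document is constructed to match the shape of the one in the thread; the `{...}` value in it is a placeholder, not a real encrypted password.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml, shaped like the one quoted in the thread.
# The "release" server carries a placeholder in Maven's {...} encrypted form
# (not a real encrypted value); the "snapshots" server has no password at all.
SAMPLE_SETTINGS = """<settings>
  <mirrors>
    <mirror>
      <id>internal</id>
      <name>Team maven repository</name>
      <url>http://host:8080/archiva/repository/internal/</url>
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
  <servers>
    <server>
      <id>internal</id>
      <username>name</username>
      <password>password</password>
    </server>
    <server>
      <id>release</id>
      <username>name</username>
      <password>{PLACEHOLDER_ENCRYPTED_VALUE=}</password>
    </server>
    <server>
      <id>snapshots</id>
      <username>name</username>
    </server>
  </servers>
</settings>
"""

# Maven stores an encrypted server password as {base64...}; any other value
# is used literally and is readable by whoever can read the file.
ENCRYPTED_RE = re.compile(r"^\{[^{}]+\}$")


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so the audit handles both the
    bare <settings> from the thread and files declaring the Maven namespace."""
    return tag.rsplit("}", 1)[-1]


def classify_password(value):
    """Return 'no-password', 'encrypted' or 'plaintext' for one <password> value."""
    if value is None or not value.strip():
        return "no-password"
    if ENCRYPTED_RE.match(value.strip()):
        return "encrypted"
    return "plaintext"


def audit_servers(settings_xml):
    """Return [(server id, status), ...] for every <server> in the document."""
    root = ET.fromstring(settings_xml)
    results = []
    for element in root.iter():
        if _local(element.tag) != "server":
            continue
        server_id, password = None, None
        for child in element:
            name = _local(child.tag)
            if name == "id":
                server_id = (child.text or "").strip()
            elif name == "password":
                password = child.text
        results.append((server_id or "(no id)", classify_password(password)))
    return results


def plaintext_servers(settings_xml):
    """Ids of servers whose credentials are stored as literal text."""
    return [sid for sid, status in audit_servers(settings_xml)
            if status == "plaintext"]


if __name__ == "__main__":
    for server_id, status in audit_servers(SAMPLE_SETTINGS):
        print(f"{server_id:<10} {status}")
```

Run it against a real file with `audit_servers(open(path).read())`. Note that an encrypted entry only shifts the secret: the master password in ~/.m2/settings-security.xml still has to be protected by file permissions, which is why the script reports "encrypted" as a distinct status rather than treating it as resolved.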