Hello all,

Our httpd hosts a large variety of web applications using various technologies, 
including a mod_jk proxy to Tomcat, where Archiva is hosted. It also protects 
everything with SSL and mod_sspi, meaning that users get an authentication 
prompt and use their domain credentials to log in. Some applications, like svn, 
can then use these credentials without having their own authentication layer. I 
can't figure out how to get Archiva to do something similar, however. mod_jk 
appears to be sending my username to Tomcat:

02c0 63 3D 00 A0 08 00 01 30 00 03 00 14 46 4F 52 57 - c=.....0....FORW
02d0 41 52 44 53 4C 4F 50 45 5C 64 70 61 72 6B 65 72 - ARDSLOPE\dparker
02e0 00 04 00 04 4E 54 4C 4D 00 FF 00 00 00 00 00 00 - ....NTLM........

(See "Attributes" here: 
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)

(I can't find any docs that guarantee that getRemoteUser() responds with this 
username. Is there any way for me to tell if it's propagating correctly?)

Anyway, if it is propagating correctly, how can I convince Archiva and/or 
Redback to just accept these credentials? Tomcat is only listening on local 
interfaces and is hidden from the outside world, so I accept the security risks 
of doing so.

Bonus question: can user mapping against LDAP still succeed in this case? (It'd 
be nice to grab roles for the current user from LDAP.)

Thanks one million,
Dustin
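
Added example, not part of the original post: a decoder for the AJP13 attribute bytes shown in the dump above, usable on a mod_jk trace to confirm that remote_user and auth_type are being forwarded to Tomcat. The attribute codes follow the AJPv13 page linked in the post; the function names and the DUMP_TAIL constant are assumptions of this example.

```python
# Request attribute codes from the "Attributes" table of the AJPv13 document.
ATTR_NAMES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0A: "req_attribute", 0x0B: "ssl_key_size"}
ARE_DONE = 0xFF  # request terminator

# Bytes copied from the dump in the post, starting at the first attribute
# code (the 0x03 at offset 0x02c9) and ending at the 0xFF terminator.
DUMP_TAIL = bytes.fromhex(
    "03 00 14 46 4F 52 57 41 52 44 53 4C 4F 50 45 5C 64 70 61 72 6B 65 72 "
    "00 04 00 04 4E 54 4C 4D 00 FF")

def read_string(buf, pos):
    """Read an AJP string: 2-byte big-endian length, the bytes, then a NUL."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if length == 0xFFFF:  # AJP encoding of a null string
        return None, pos
    end = pos + length
    if end >= len(buf) or buf[end] != 0:
        raise ValueError("string truncated or missing NUL terminator")
    return buf[pos:end].decode("latin-1"), end + 1

def parse_attributes(buf):
    """Decode the optional attributes up to the 0xFF terminator."""
    attrs, pos = {}, 0
    while pos < len(buf):
        code, pos = buf[pos], pos + 1
        if code == ARE_DONE:
            return attrs
        if code not in ATTR_NAMES:
            raise ValueError(f"unknown attribute code 0x{code:02X}")
        name = ATTR_NAMES[code]
        if code == 0x0B:  # key size is a 2-byte integer, not a string
            value = int.from_bytes(buf[pos:pos + 2], "big")
            pos += 2
        elif code == 0x0A:  # generic attribute: name string + value string
            key, pos = read_string(buf, pos)
            name = f"req_attribute:{key}"
            value, pos = read_string(buf, pos)
        else:
            value, pos = read_string(buf, pos)
        attrs[name] = value
    raise ValueError("attribute list ended without 0xFF terminator")
```

Calling parse_attributes(DUMP_TAIL) returns the remote_user and auth_type values exactly as mod_jk put them on the wire.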
