archiva-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Jacobs <>
Subject RE: LDAP authentication
Date Fri, 04 May 2012 17:14:11 GMT
I am a little disappointed; does no one use Archiva in an environment where central authentication
and disaster recovery is regarded as important?

Or perhaps this is the wrong mailing list?

Or perhaps I'm looking at the wrong documents? file itself offers no hints.
The comments/hints in application.xml seemed to help, but it doesn't give everything that's
needed (apparently).

A google search for: archiva ldap
1) is out of date with the files being
shipped with Archiva.
2) is missing
the actual useful bits on the page, but talks about them a lot.
3) An LDAP thread from Oct 2008 on this mailing list talks about a lack of documentation,
with a broken link to an example default config (which I managed to trace to the new repo
but that didn't help)
4) A bug report where steps similar to mine are reported but was closed without addressing
the actual issue with the only comment being "admin account was locked" - but with LDAP enabled
there doesn't appear to be an unlock option.

I'm at a loss here; I'm a system administrator - not a dev.

Anyone feel like giving me some hints?

- chris

-----Original Message-----
From: Chris Jacobs []
Sent: Thursday, May 03, 2012 4:54 PM
Subject: RE: LDAP authentication

I have managed some success by adding the lines to

redback.default.admin=archiva-admin (a real ldap account) redback.default.guest=archiva-guest
(a real ldap account)

However, if I start with that config form the start, I am unable to login as the archiva-admin
account (even if I set it to other names which don't exist in LDAP).

I've found I can work around it by:
Install clean
Add ONLY the redback.default.admin line above Start Archiva Open page, complete admin form.
On the following ridiculous page, it requests that I now CHANGE the password.  Pffft.
Stop Archiva
Put in place the and application.xml files as below into place - with
the addition of the two redback lines above, and then start archiva.

And things work.

Problem: This kind of setup procedure is untenable from a repeatable system build (disaster
recovery is important yo) persepective.

I suspect that my configs are off somewhere where I'm unable to login as the archiva-admin
LDAP account - if I'm able to resolve this issue without having to play config file musical
chairs, I'll be golden.


- chris

-----Original Message-----
From: Chris Jacobs []
Sent: Thursday, May 03, 2012 11:27 AM
Subject: LDAP authentication


The documentation I've seen for configuring authentication via LDAP is sparse, inconsistent,
and out of date (Redback), so before I even go into the details of my problem I'll grant that
I may have missed something important.

I'm using the current/latest stable release of Archiva's Standalone, 1.3.5.

Here are the changes I've made from the default configuration (I haven't even tried to bring
the config and DBs from our existing 1.2.2 Archiva instance).

Diff against source of archiva/apps/archiva/WEB-INF/classes/org/apache/maven/archiva/
(cleaned of actual DNS and DN path)
< ldap.config.port=389
< ldap.config.base.dn=ou=people,dc=example,dc=net
< ldap.config.context.factory=com.sun.jndi.ldap.LdapCtxFactory
< ldap.config.mapper.attribute.fullname=cn
< ldap.config.mapper.attribute.password=userPassword
< ldap.config.mapper.attribute.user.base=ou=people,dc=example,dc=net
< ldap.config.mapper.attribute.user.object.class=inetOrgPerson
< ldap.bind.authenticator.enabled=true

Diff against source of archiva/apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml:
(cleaned of actual DNS and DN path)
<     <component>
>     <!-- component>
<     </component>
>     </component-->
<     <component>
>     <!-- component>
<         <email-attribute>mail</email-attribute>
<         <full-name-attribute>cn</full-name-attribute>
>         <email-attribute>email</email-attribute>
>         <full-name-attribute>givenName</full-name-attribute>
<         <user-base-dn>ou=people,dc=example,dc=net</user-base-dn>
>         <user-base-dn>o=com</user-base-dn>
<     </component>
>     </component-->

I can authenticate as admin just fine, when I authenticate as an LDAP user, I see in the logs:
==> wrapper.20120503.log <==
INFO   | jvm 1    | 2012/05/03 16:34:48 | 2012-05-03 16:34:47.992::WARN:  /archiva/security/login.action
INFO   | jvm 1    | 2012/05/03 16:34:48 | java.lang.NullPointerException
INFO   | jvm 1    | 2012/05/03 16:34:48 |       at org.codehaus.plexus.redback.struts2.action.LoginAction.webLogin(
INFO   | jvm 1    | 2012/05/03 16:34:48 |       at org.codehaus.plexus.redback.struts2.action.LoginAction.login(
(continues, snipped)
==> archiva.log <==
2012-05-03 16:34:47,940 [btpool0-3] WARN  org.codehaus.plexus.redback.authentication.users.UserManagerAuthenticator
 - Login for user csjacobs failed. user not found.
2012-05-03 16:34:47,942 [btpool0-3] INFO  org.codehaus.plexus.redback.authentication.ldap.LdapBindAuthenticator
 - Searching for users with filter: '(&(objectClass=inetOrgPerson)(uid=csjacobs))' from
base dn: ou=people,dc=unix,dc=aptimus,dc=net
2012-05-03 16:34:47,978 [btpool0-3] INFO  org.codehaus.plexus.redback.authentication.ldap.LdapBindAuthenticator
 - Found user?: true
2012-05-03 16:34:47,980 [btpool0-3] INFO  org.codehaus.plexus.redback.authentication.ldap.LdapBindAuthenticator
 - Attempting Authenication: + uid=csjacobs,ou=people,dc=unix,dc=aptimus,dc=net

And in my browser:

Problem accessing /archiva/security/login.action. Reason:

Caused by:

        at org.codehaus.plexus.redback.struts2.action.LoginAction.webLogin(
        at org.codehaus.plexus.redback.struts2.action.LoginAction.login(
(continues, snipped)

And most disturbingly, further attempts to to open any page in archiva results in a similar
error, even when I attempt to go to the logout url directly, but that's due to the account
I've attempted to login as. When I open archiva in another browser, I can open archiva without

Any information, assistance, etc, would be greatly appreciated.

- chris

Chris Jacobs
Systems Administrator, Technology Services Group

Apollo Group  |  Apollo Marketing & Product Development  |  Aptimus, Inc.
1501 4th Ave  |  Suite 2500  |  Seattle, WA 98101 direct 206.839.8245  |  cell 206.601.3256
 |  Fax 206.644.0628

This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.

This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.

This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.

View raw message