archiva-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Jacobs <Chris.Jac...@apollogrp.edu>
Subject RE: LDAP authentication
Date Fri, 04 May 2012 17:14:11 GMT
I am a little disappointed; does no one use Archiva in an environment where central authentication
and disaster recovery is regarded as important?

Or perhaps this is the wrong mailing list?

Or perhaps I'm looking at the wrong documents?

security.properties file itself offers no hints.
The comments/hints in application.xml seemed to help, but it doesn't give everything that's
needed (apparently).

A google search for: archiva ldap
1) http://archiva.apache.org/redback/integration/ldap.html is out of date with the files being
shipped with Archiva.
2) https://cwiki.apache.org/ARCHIVA/howto-configure-usermanagement-with-ldap.html is missing
the actual useful bits on the page, but talks about them a lot.
3) An LDAP thread from Oct 2008 on this mailing list talks about a lack of documentation,
with a broken link to an example default config (which I managed to trace to the new repo
but that didn't help)
4) A bug report where steps similar to mine are reported but was closed without addressing
the actual issue with the only comment being "admin account was locked" - but with LDAP enabled
there doesn't appear to be an unlock option.
etc.

I'm at a loss here; I'm a system administrator - not a dev.

Anyone feel like giving me some hints?

- chris

-----Original Message-----
From: Chris Jacobs [mailto:Chris.Jacobs@apollogrp.edu]
Sent: Thursday, May 03, 2012 4:54 PM
To: users@archiva.apache.org
Subject: RE: LDAP authentication

I have managed some success by adding the lines to security.properties:

redback.default.admin=archiva-admin (a real ldap account) redback.default.guest=archiva-guest
(a real ldap account)

However, if I start with that config form the start, I am unable to login as the archiva-admin
account (even if I set it to other names which don't exist in LDAP).

I've found I can work around it by:
Install clean
Add ONLY the redback.default.admin line above Start Archiva Open page, complete admin form.
On the following ridiculous page, it requests that I now CHANGE the password.  Pffft.
Stop Archiva
Put in place the security.properties and application.xml files as below into place - with
the addition of the two redback lines above, and then start archiva.

And things work.

Problem: This kind of setup procedure is untenable from a repeatable system build (disaster
recovery is important yo) persepective.

I suspect that my configs are off somewhere where I'm unable to login as the archiva-admin
LDAP account - if I'm able to resolve this issue without having to play config file musical
chairs, I'll be golden.

Thoughts?

Thanks,
- chris

-----Original Message-----
From: Chris Jacobs [mailto:Chris.Jacobs@apollogrp.edu]
Sent: Thursday, May 03, 2012 11:27 AM
To: users@archiva.apache.org
Subject: LDAP authentication

Hello,

The documentation I've seen for configuring authentication via LDAP is sparse, inconsistent,
and out of date (Redback), so before I even go into the details of my problem I'll grant that
I may have missed something important.

I'm using the current/latest stable release of Archiva's Standalone, 1.3.5.

Here are the changes I've made from the default configuration (I haven't even tried to bring
the config and DBs from our existing 1.2.2 Archiva instance).

Diff against source of archiva/apps/archiva/WEB-INF/classes/org/apache/maven/archiva/security.properties:
(cleaned of actual DNS and DN path)
----------------------------------------------
28,41d27
<
< ldap.config.hostname=ldap-vip.example.net
< ldap.config.port=389
< ldap.config.base.dn=ou=people,dc=example,dc=net
< ldap.config.context.factory=com.sun.jndi.ldap.LdapCtxFactory
<
< ldap.config.mapper.attribute.email=mail
< ldap.config.mapper.attribute.fullname=cn
< ldap.config.mapper.attribute.password=userPassword
< ldap.config.mapper.attribute.user.id=uid
< ldap.config.mapper.attribute.user.base=ou=people,dc=example,dc=net
< ldap.config.mapper.attribute.user.object.class=inetOrgPerson
<
< ldap.bind.authenticator.enabled=true
----------------------------------------------

Diff against source of archiva/apps/archiva/WEB-INF/classes/META-INF/plexus/application.xml:
(cleaned of actual DNS and DN path)
----------------------------------------------
257c257
<     <component>
---
>     <!-- component>
266c266
<     </component>
---
>     </component-->
291c291
<     <component>
---
>     <!-- component>
296,297c296,297
<         <email-attribute>mail</email-attribute>
<         <full-name-attribute>cn</full-name-attribute>
---
>         <email-attribute>email</email-attribute>
>         <full-name-attribute>givenName</full-name-attribute>
300c300
<         <user-base-dn>ou=people,dc=example,dc=net</user-base-dn>
---
>         <user-base-dn>o=com</user-base-dn>
308c308
<     </component>
---
>     </component-->
----------------------------------------------

I can authenticate as admin just fine, when I authenticate as an LDAP user, I see in the logs:
----------------------------------------------
==> wrapper.20120503.log <==
INFO   | jvm 1    | 2012/05/03 16:34:48 | 2012-05-03 16:34:47.992::WARN:  /archiva/security/login.action
INFO   | jvm 1    | 2012/05/03 16:34:48 | java.lang.NullPointerException
INFO   | jvm 1    | 2012/05/03 16:34:48 |       at org.codehaus.plexus.redback.struts2.action.LoginAction.webLogin(LoginAction.java:341)
INFO   | jvm 1    | 2012/05/03 16:34:48 |       at org.codehaus.plexus.redback.struts2.action.LoginAction.login(LoginAction.java:133)
(continues, snipped)
----------------------------------------------
==> archiva.log <==
2012-05-03 16:34:47,940 [btpool0-3] WARN  org.codehaus.plexus.redback.authentication.users.UserManagerAuthenticator
 - Login for user csjacobs failed. user not found.
2012-05-03 16:34:47,942 [btpool0-3] INFO  org.codehaus.plexus.redback.authentication.ldap.LdapBindAuthenticator
 - Searching for users with filter: '(&(objectClass=inetOrgPerson)(uid=csjacobs))' from
base dn: ou=people,dc=unix,dc=aptimus,dc=net
2012-05-03 16:34:47,978 [btpool0-3] INFO  org.codehaus.plexus.redback.authentication.ldap.LdapBindAuthenticator
 - Found user?: true
2012-05-03 16:34:47,980 [btpool0-3] INFO  org.codehaus.plexus.redback.authentication.ldap.LdapBindAuthenticator
 - Attempting Authenication: + uid=csjacobs,ou=people,dc=unix,dc=aptimus,dc=net
----------------------------------------------

And in my browser:
----------------------------------------------
HTTP ERROR 500

Problem accessing /archiva/security/login.action. Reason:

    INTERNAL_SERVER_ERROR
Caused by:

java.lang.NullPointerException
        at org.codehaus.plexus.redback.struts2.action.LoginAction.webLogin(LoginAction.java:341)
        at org.codehaus.plexus.redback.struts2.action.LoginAction.login(LoginAction.java:133)
(continues, snipped)
----------------------------------------------

And most disturbingly, further attempts to to open any page in archiva results in a similar
error, even when I attempt to go to the logout url directly, but that's due to the account
I've attempted to login as. When I open archiva in another browser, I can open archiva without
difficulty.

Any information, assistance, etc, would be greatly appreciated.

Thanks,
- chris

Chris Jacobs
Systems Administrator, Technology Services Group

Apollo Group  |  Apollo Marketing & Product Development  |  Aptimus, Inc.
1501 4th Ave  |  Suite 2500  |  Seattle, WA 98101 direct 206.839.8245  |  cell 206.601.3256
 |  Fax 206.644.0628
email: chris.jacobs@apollogrp.edu


This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.




This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.




This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.



Mime
View raw message