2012/12/3 Sascha Vogt <[email protected]>:
> On 03.12.2012 17:14, Olivier Lamy wrote:
>>> I have the title a bit more concrete and a more general approach in the
>>> description. I think as in the title, having database being the backup
>>> of LDAP is a good first step, perfect would be to be able to chain
>>> various auth-modules (that way one could also have the database first,
>>> and second the LDAP, as a database lookup is much quicker than first
>>> waiting for an LDAP fail).
>> Some questions:
>> * what will be the content of the users screen (merge of n users
>> backend ? first id win ?)
>> * users backend (as ldap) can be read only so when a user is logged we
>> must know which system he uses. but users can be in n systems. How do we
>> handle that ?
>
> Well, I think the easiest and most "transparent" way would be to only
> show the user from the first found auth-module.
>
> So if I configure LDAP to be the first, database second, and I have the
> same user in both, only the LDAP one is shown... I know this is not
> ideal, because if LDAP fails, the user would be looked up from the
> database and I wouldn't be able to add "rights" to that user, unless I
> first disable LDAP or shuffle the order of the auth-modules, though I
> find that tolerable.
>
> In general one should keep the user-ids distinct otherwise everyone
> gets confused anyway, so I think this is a sensible restriction.
>
> If you want to be able to edit both accounts, just add that as a
> configuration "hierarchy", so first choose the auth-module, then show
> the users of that auth-module. If one wants to edit the other, one
> navigates up one level and selects the other module. But as I said, I
> think the hiding from above is perfectly tolerable. Though the second
> option has the advantage that from an admin point of view it's always
> perfectly clear which user base I'm currently editing.
>

Sounds good and similar to what I have in mind :-)

> By the way, these are just my thoughts, feel free to ignore them ;) I

No you are probably using/managing more archiva instances than I do :-)

> can even live without the auth-module chaining by now (we finally got a
> technical user added to our active directory and even got the damn
> password policy disabled for that one *g*)
>
> Greetings
> -Sascha-
--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
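
The "first found auth-module" lookup discussed in this thread, as an added sketch that is not part of the original messages and not Archiva or Redback code. All class and function names and the sample users are hypothetical; it shows which module answers for an id, which duplicate ids the users screen would hide, and which modules were skipped because they were unreachable.

```python
class BackendDown(Exception):
    """Raised by a module that cannot be reached (e.g. an LDAP outage)."""

class AuthModule:
    def __init__(self, name, users, available=True):
        self.name, self.users, self.available = name, dict(users), available

    def find(self, user_id):
        if not self.available:
            raise BackendDown(self.name)
        return self.users.get(user_id)

    def ids(self):
        if not self.available:
            raise BackendDown(self.name)
        return set(self.users)

def find_user(chain, user_id):
    """Return (module_name, user, skipped): the first module that knows the id wins."""
    skipped = []
    for module in chain:
        try:
            user = module.find(user_id)
        except BackendDown:
            skipped.append(module.name)  # fall through to the next module
            continue
        if user is not None:
            return module.name, user, skipped
    return None, None, skipped

def users_screen(chain):
    """Map each id to the first module holding it, and list the ids it hides."""
    shown, shadowed = {}, {}
    for module in chain:
        try:
            ids = module.ids()
        except BackendDown:
            continue
        for uid in sorted(ids):
            if uid in shown:
                shadowed.setdefault(uid, []).append(module.name)
            else:
                shown[uid] = module.name
    return shown, shadowed

# Constructed sample data: "alice" exists in both modules.
LDAP = AuthModule("ldap", {"alice": {"mail": "alice@ldap.example"}})
DB = AuthModule("database", {"alice": {"mail": "alice@db.example"},
                             "admin": {"mail": "admin@db.example"}})
CHAIN = [LDAP, DB]
```

Recording the answering module and the skipped list with each login makes it visible when an account was served by the second module only because the first one was down.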
