So mostly implemented, you can choose more than one userManager (jdo and/or ldap) and specify the order.
Feel free to try a snapshot build from here: https://builds.apache.org/view/A-F/view/Archiva/job/archiva-all-maven-3.x-jdk-1.6/
I need to add some UI improvements (magnify :-)) and verify various UI parts (users tables, modifying a user).
It's possible to configure ldap server too.

@Brett note security.properties is checked first and then imported in archiva.xml. So must cover your use case :-)

2012/12/4 Olivier Lamy <[email protected]>:
> 2012/12/3 Sascha Vogt <[email protected]>:
>> On 03.12.2012 17:14, Olivier Lamy wrote:
>>>> I have the title a bit more concrete and a more general approach in the
>>>> description. I think as in the title, having database being the backup
>>>> of LDAP is a good first step, perfect would be to be able to chain
>>>> various auth-modules (that way one could also have the database first,
>>>> and second the LDAP, as a database lookup is much quicker than first
>>>> waiting for an LDAP fail).
>>> Some questions:
>>> * what will be the content of the users screen (merge of n users
>>> backend ? first id win ?)
>>> * users backend (as ldap) can be read only so when a user is logged we
>>> must which system he uses. but users can be in n systems. How do we
>>> handle that ?
>>
>> Well, I think the easiest and most "transparent" way would be to only
>> show the user from the first found auth-module.
>>
>> So if I configure LDAP to be the first, database second, and I have the
>> same user in both, only the LDAP one is shown... I know this is not
>> ideal, because if LDAP fails, the user would be looked up from the
>> database and I wouldn't be able to add "rights" to that user, unless I
>> first disable LDAP or shuffle the order of the auth-modules, though I
>> find that tolerable.
>>
>> In general one should keep the user-ids distinct otherwise everyone
>> gets confused anyway, so I think this is a sensible restriction.
>>
>> If you want to be able to edit both accounts, just add that as a
>> configuration "hierarchy", so first choose the auth-module, then show
>> the users of that auth-module. If one wants to edit the other, one
>> navigates up one level and selects the other module. But as I said, I
>> think the hiding from above is perfectly tolerable. Though the second
>> option has the advantage that from an admin point of view it's always
>> perfectly clear which user base I'm currently editing.
>>
> Sounds good and similar to what I have in mind :-)
>> By the way, these are just my thoughts, feel free to ignore them ;) I
> No you are probably using/managing more archiva instances than I do :-)
>> can even live without the auth-module chaining by now (we finally got a
>> technical user added to our active directory and even got the damn
>> password policy disabled for that one *g*)
>>
>> Greetings
>> -Sascha-
>
>
>
> --
> Olivier Lamy
> Talend: http://coders.talend.com
> http://twitter.com/olamy | http://linkedin.com/in/olamy

--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy
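
The ordering behaviour discussed in this thread (several user managers consulted in a configured order, the first backend that knows a user id shadowing later ones, and a read-only backend such as LDAP blocking edits), as an added Java example that is not part of the original messages and is not Archiva or Redback code. `UserBackend`, `ChainedUserManager` and the sample users are hypothetical.

```java
import java.util.*;

// Added illustration only: UserBackend and ChainedUserManager are hypothetical
// names, not Archiva or Redback classes.
public class ChainedUserManagerDemo {

    /** One user source in the chain, e.g. "ldap" or "jdo". */
    record UserBackend(String id, boolean readOnly, Set<String> users) {
        boolean hasUser(String name) { return users.contains(name); }
    }

    /** Consults backends in configured order; the first one that knows the user wins. */
    static class ChainedUserManager {
        private final List<UserBackend> chain;

        ChainedUserManager(List<UserBackend> chain) { this.chain = List.copyOf(chain); }

        /** The backend that answers for this user id, if any. */
        Optional<UserBackend> owner(String name) {
            return chain.stream().filter(b -> b.hasUser(name)).findFirst();
        }

        /** Merged view for a users screen: user id -> id of the backend that owns it. */
        Map<String, String> listUsers() {
            Map<String, String> merged = new TreeMap<>();
            for (UserBackend b : chain)
                for (String u : b.users())
                    merged.putIfAbsent(u, b.id()); // earlier backend shadows later ones
            return merged;
        }

        /** A user can only be edited when the owning backend is writable. */
        boolean canEdit(String name) {
            return owner(name).map(b -> !b.readOnly()).orElse(false);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: "alice" exists in both backends.
        UserBackend ldap = new UserBackend("ldap", true, Set.of("alice", "bob"));
        UserBackend jdo = new UserBackend("jdo", false, Set.of("alice", "admin"));

        for (List<UserBackend> order : List.of(List.of(ldap, jdo), List.of(jdo, ldap))) {
            ChainedUserManager mgr = new ChainedUserManager(order);
            System.out.println(mgr.listUsers() + " canEdit(alice)=" + mgr.canEdit("alice"));
        }
    }
}
```

Running it prints the merged user list and whether the duplicated user id is editable, once for each ordering of the two backends.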
