Posted to users@archiva.apache.org by Stefaan Dutry <st...@gmail.com> on 2017/08/22 09:50:48 UTC

Need help configuring Archiva LDAP configuration with anonymous snapshot deploy

In our current setup we only use the LDAP configuration to
authenticate and not for authorisation.

We would like to switch to using LDAP group membership to configure
group membership.

Reasons:
  -) Archiva is not able to find all LDAP users in the Users -> Manage section.
  -) The dirty workaround we used to configure user - role management
for those we couldn't find, no longer works with version 2.2.3
(abusing the REST-API)

What we managed to do so far:
  -) We managed to connect to LDAP successfully
  -) We managed to set up the groups in LDAP and configure the
LDAP/Roles Mappings
  -) We switched to only LDAP User Manager and only LDAP RBac Manager
(Users -> Users Runtime Configuration)

Problems we are having:
  -) We are no longer able to upload an artifact to the snapshot
repository. We need this because we are using jenkins to start builds
and create snapshots automatically
  -) We tried adding the roles to the Guest user, but they seem to be
automatically removed after a certain amount of time (15 min or so)
  -) Archiva tends to log me out randomly, even when I'm active.

Version: 2.2.3

Can someone help me find what settings are incorrect?

Re: Need help configuring Archiva LDAP configuration with anonymous snapshot deploy

Posted by Stefaan Dutry <st...@gmail.com>.
Thx for your response.

> You can try to keep the default guest user as 'guest' and change the filter for the LDAP query to exclude the
> guest user. But I'm not sure if this works.
I think we'll just stay with the configuration and ignore the message
for the time being.

> Regarding the 1000 results:
> Do you have Active Directory running as the LDAP server? As far as I know, AD has a server limit for the returned results
> per query ...
Yes, our company uses Active Directory as the LDAP query.

> So sorry that I cannot provide more useful help
Your help was useful enough for our needs.

> Feel free to create a JIRA ticket for both (or a pull request).
I'll consider it. I'd like to investigate further into the cause of
them before making a JIRA issue (and afterwards maybe a pull request).
Unfortunately I've not yet been able to decipher how the Archiva
application works exactly, let alone create a possible fix/workaround.

Regards,
Stefaan Dutry

2017-11-01 16:31 GMT+01:00 Martin <ma...@apache.org>:
> Hi Stefaan,
>
> The cause seems to be plausible. That could explain why the user was updated.
> Regarding your questions, unfortunately I think I cannot provide a proper solution:
>
> I know that there are certain parts in the code that use "guest" for the name of the guest user, and as far as I
> know it cannot be fixed in a few lines of code.
> You can try to keep the default guest user as 'guest' and change the filter for the LDAP query to exclude the
> guest user. But I'm not sure if this works.
>
> Regarding the 1000 results:
> Do you have Active Directory running as the LDAP server? As far as I know, AD has a server limit for the returned results
> per query. The only workaround on the client would be to use paged LDAP queries. But currently paged queries are not implemented
> by Archiva, so there is no configuration entry to increase the result size.
>
> So sorry that I cannot provide more useful help. Feel free to create a JIRA ticket for both (or a pull request).
>
> Greetings
>
> Martin

Re: Need help configuring Archiva LDAP configuration with anonymous snapshot deploy

Posted by Martin <ma...@apache.org>.
Hi Stefaan,

The cause seems to be plausible. That could explain why the user was updated.
Regarding your questions, unfortunately I think I cannot provide a proper solution:

I know that there are certain parts in the code that use "guest" for the name of the guest user, and as far as I
know it cannot be fixed in a few lines of code.
You can try to keep the default guest user as 'guest' and change the filter for the LDAP query to exclude the
guest user. But I'm not sure if this works.

Regarding the 1000 results:
Do you have Active Directory running as the LDAP server? As far as I know, AD has a server limit for the returned results
per query. The only workaround on the client would be to use paged LDAP queries. But currently paged queries are not implemented
by Archiva, so there is no configuration entry to increase the result size.

So sorry that I cannot provide more useful help. Feel free to create a JIRA ticket for both (or a pull request).

Greetings

Martin


On Tuesday, 31 October 2017, 09:19:13 CET, stefaan.dutry@roularta.be wrote:
> Hello,
> 
> Sorry for my late response. (vacation followed by other priorities at work)
> After we finally went back to configuring the Archiva instance, it no longer started.
> 
> We re-did the configuration.
> Currently we have a setup as follows:
> * UserManager(s) chosen
>     * LDAP User Manager
>     * Database User Manager
> * RbacManager(s) chosen
>     * LDAP RBac Manager
>     * Database RBac Manager
> 
> As additional configuration we changed the property "redback.default.guest" to "archivaguest" instead of "guest".
> After this change, we no longer have the problem of the guest user being updated.
> We assume the problem was caused because our LDAP had a user named "guest" which caused it to overwrite the config we had for the guest user.
> 
> We were able to assign roles to LDAP groups.
> 
> There are still a few minor issues that we have:
> 
> * when starting the application when not logged on: "Unable to find principal archivaguest"
>       This is probably caused because we changed the redback.default.guest property.
>       Is there a configuration we can do to prevent this message?
> 
> * when trying to find a user, it only loads exactly 1000 users from our LDAP system. When the user is not among those 1000, you can't go to the user to check the effective roles of the user. Is this a hard maximum or is this a setting that can be changed? (applying the LDAP group to a user not in this list still works)
> 
> Regards,
> Stefaan Dutry      
> 
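
The paged LDAP query mentioned in the reply above (the Simple Paged Results control, RFC 2696), as an added example that is not part of the thread or of Archiva's code: a standalone JNDI client that collects every user DN, page by page, past the server's per-query result limit. The server URL, base DN, filter and the `LDAP_BIND_DN` / `LDAP_BIND_PW` environment variables are assumed placeholders.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.*;

public class PagedUserSearch {
    public static void main(String[] args) throws Exception {
        // Assumed placeholders: server URL, base DN, filter and environment variable names.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ad.example.com:636");
        env.put(Context.SECURITY_PRINCIPAL, System.getenv("LDAP_BIND_DN"));
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));
        String baseDn = "ou=People,dc=example,dc=com";
        String filter = "(&(objectCategory=person)(objectClass=user))";
        int pageSize = 500; // kept below the server's per-query limit
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // DNs only, no attribute values
        List<String> userDns = new ArrayList<>();
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            byte[] cookie = null;
            do {
                // Critical control: the server must page or reject, never truncate silently.
                ctx.setRequestControls(new Control[] {
                    new PagedResultsControl(pageSize, cookie, Control.CRITICAL)});
                NamingEnumeration<SearchResult> page = ctx.search(baseDn, filter, sc);
                while (page.hasMore()) {
                    userDns.add(page.next().getNameInNamespace());
                }
                // The response control carries the cookie for the next page.
                cookie = null;
                Control[] resp = ctx.getResponseControls();
                for (Control c : resp == null ? new Control[0] : resp) {
                    if (c instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) c).getCookie();
                    }
                }
            } while (cookie != null && cookie.length > 0);
        } finally {
            ctx.close();
        }
        System.out.println("users found: " + userDns.size());
    }
}
```

A count above 1000 from this client, while the Archiva user list stops at exactly 1000, is consistent with a server-side limit on unpaged queries.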



RE: Need help configuring Archiva LDAP configuration with anonymous snapshot deploy

Posted by st...@roularta.be.
Hello,

Sorry for my late response. (vacation followed by other priorities at work)
After we finally went back to configuring the Archiva instance, it no longer started.

We re-did the configuration.
Currently we have a setup as follows:
* UserManager(s) chosen
    * LDAP User Manager
    * Database User Manager
* RbacManager(s) chosen
    * LDAP RBac Manager
    * Database RBac Manager

As additional configuration we changed the property "redback.default.guest" to "archivaguest" instead of "guest".
After this change, we no longer have the problem of the guest user being updated.
We assume the problem was caused because our LDAP had a user named "guest" which caused it to overwrite the config we had for the guest user.

We were able to assign roles to LDAP groups.

There are still a few minor issues that we have:

* when starting the application when not logged on: "Unable to find principal archivaguest"
      This is probably caused because we changed the redback.default.guest property.
      Is there a configuration we can do to prevent this message?

* when trying to find a user, it only loads exactly 1000 users from our LDAP system. When the user is not among those 1000, you can't go to the user to check the effective roles of the user. Is this a hard maximum or is this a setting that can be changed? (applying the LDAP group to a user not in this list still works)

Regards,
Stefaan Dutry      

-----Original message-----
From: Martin [mailto:martin_s@apache.org]
Sent: Monday 28 August 2017 21:42
To: users@archiva.apache.org
Subject: Re: Need help configuring Archiva LDAP configuration with anonymous snapshot deploy

Hi,

It would be helpful if you could provide some logs.
The removal of the roles from the guest user seems a bit strange. You are running a single instance only, not in a clustered environment?

By the way, the CSRF prevention that has been introduced with version 2.2.3 can be deactivated if you think the security risk is acceptable. Please look at the release notes.

Greetings

Martin




Re: Need help configuring Archiva LDAP configuration with anonymous snapshot deploy

Posted by Martin <ma...@apache.org>.
Hi,

It would be helpful if you could provide some logs.
The removal of the roles from the guest user seems a bit strange. You are running a
single instance only, not in a clustered environment?

By the way, the CSRF prevention that has been introduced with version 2.2.3 can be deactivated if
you think the security risk is acceptable. Please look at the release notes.

Greetings

Martin

On Tuesday, 22 August 2017, 11:50:48 CEST, Stefaan Dutry wrote:
> In our current setup we only use the LDAP configuration to
> authenticate and not for authorisation.
> 
> We would like to switch to using LDAP group membership to configure
> group membership.
> 
> Reasons:
>   -) Archiva is not able to find all LDAP users in the Users -> Manage section.
>   -) The dirty workaround we used to configure user - role management
> for those we couldn't find, no longer works with version 2.2.3
> (abusing the REST-API)
> 
> What we managed to do so far:
>   -) We managed to connect to LDAP successfully
>   -) We managed to set up the groups in LDAP and configure the
> LDAP/Roles Mappings
>   -) We switched to only LDAP User Manager and only LDAP RBac Manager
> (Users -> Users Runtime Configuration)
> 
> Problems we are having:
>   -) We are no longer able to upload an artifact to the snapshot
> repository. We need this because we are using jenkins to start builds
> and create snapshots automatically
>   -) We tried adding the roles to the Guest user, but they seem to be
> automatically removed after a certain amount of time (15 min or so)
>   -) Archiva tends to log me out randomly, even when I'm active.
> 
> Version: 2.2.3
> 
> Can someone help me find what settings are incorrect?
> 
>