Posted to users@archiva.apache.org by "Polte, Oliver" <ol...@ivi.de> on 2014/08/19 12:11:13 UTC

Issues in LDAP Role Mapping & Filter

Hi,


I am having 2 issues with Archiva 2.1.0 Standalone and LDAP authentication.


1.
After adding <filter> in the Archiva.xml, the property ldap.config.mapper.attribute.user.filter will show up in the Redback Runtime Configuration.
I can then add an LDAP filter to the properties -> save -> the web interface will show "LDAP Role-Group mapping updated" and the filter works!

The Archiva.xml is modified by the web interface, adding a <filter> tag for every comma-separated part.

<filter>memberOf=CN=archiva_user</filter>
<filter>OU=Archiva</filter>
<filter>OU=Applikation</filter>
<filter>OU=Groups</filter>
<filter>DC=domain</filter>
<filter>DC=com</filter>

On restart of the service, the configuration XML is modified and only 1 <filter> tag remains.

<filter>memberOf=CN=archiva_user</filter>

Users are no longer seen and unable to login.


2.
Group-Role mapping fails in Active Directory with comma-separated objects.

Users in AD created with a comma -> "Smith, John" are not mapped to their roles in Redback.

AD will create a backslash in front of the comma for the object name, but not in the cn attribute.

Object name in ldap is "Smith\, John"
distinguishedName "cn=Smith\, John,ou=department,dc=domain,dc=com"

The cn attribute inside the object is "Smith, John"
The member attribute in a group will show the distinguishedName

When the comma is removed from the object name, mapping immediately works.
(AD will not show the backslash, Softerra LDAP Browser was used to see them)



Best regards
Oliver Polte | Systemtechnik

IVI Informationsverarbeitungs GmbH
Itzehoer Platz, 25524 Itzehoe
Telefon: +49 4821 8040-428
E-Mail: oliver.polte@ivi.de
Internet: http://www.ivi.de/


_____________________________________________________________________
IVI Informationsverarbeitungs GmbH
Itzehoer Platz, 25524 Itzehoe
Managing directors: Uwe Müller, Stefan Schwalbach
Registered office: Itzehoe, register court: Amtsgericht Pinneberg
HRB 2073 IZ, VAT ID no. DE 134 777 598
_____________________________________________________________________
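Both problems above come down to the comma having two meanings: an RDN separator inside a DN (RFC 4514, where a literal comma in a value is escaped as `\,`) and a list separator in configuration. The following is an added example, not code from the thread or from Archiva/Redback, showing a DN splitter that only breaks on unescaped commas and a group-membership check that compares a group's `member` DN against the user's `cn` value; the DNs are the ones quoted in the post, and the function names are my own.

```python
# Added example (not Archiva/Redback code): RFC 4514-aware DN handling.
# A naive dn.split(",") turns "cn=Smith\, John,ou=department,dc=domain,dc=com"
# into five pieces and "Smith\" never equals the cn "Smith, John", which is
# why role mapping silently fails for such users.

def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(ch)          # keep the escape pair verbatim
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts

def unescape_value(value):
    """Turn an escaped RDN value such as 'Smith\\, John' into 'Smith, John'.
    Only character escapes are handled; \\XX hex-pair escapes are left as-is."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)

def rdn_cn(dn):
    """Return the unescaped cn of the first RDN, or None if it is not a cn."""
    attr, _, raw = split_dn(dn)[0].partition("=")
    return unescape_value(raw) if attr.strip().lower() == "cn" else None

def user_in_group(member_dns, user_cn):
    """True if any member DN's leading cn equals user_cn (case-insensitive)."""
    for member in member_dns:
        cn = rdn_cn(member)
        if cn is not None and cn.casefold() == user_cn.casefold():
            return True
    return False
```

The same splitter shows why a filter such as `memberOf=CN=archiva_user,OU=Archiva,...,DC=com` has six RDNs and cannot be stored as a comma-separated list without being mangled.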

Re: Issues in LDAP Role Mapping & Filter

Posted by Jonathan Sharp <fo...@gmail.com>.
Hi Oliver,

Does the workaround in this jira issue address your #1?
https://jira.codehaus.org/browse/MRM-1486

For #2, what sort of failure and log/error messages are you seeing?

Best,

Jon Sharp


