Redback has limited support for ldap has been added as an authentication source. Limited support for ldap means:
Configuration for ldap is actually a relatively simple procedure, a few components definitions need to be declared in an appropriate application.xml and then some configuration options must be set in the security.properties file.
These components should be defined in the applicable spring configuration files
<bean name="ldapConnectionFactory" class="org.apache.archiva.redback.common.ldap.connection.ConfigurableLdapConnectionFactory"> <property name="userConf" ref="userConfiguration"/> </bean>
In security.properties files
<bean name="ldapUserMapper" class="org.apache.archiva.redback.common.ldap.user.LdapUserMapper"> <property name="emailAttribute" value="email"/> <property name="fullNameAttribute" value="givenName"/> <property name="passwordAttribute" value="userPassword"/> <property name="userIdAttribute" value="cn"/> <property name="userBaseDn" value="o=com"/> <property name="userObjectClass" value="inetOrgPerson"/> <property name="userConf" ref="userConfiguration"/> </bean>
<bean name="userSecurityPolicy" class="org.apache.archiva.redback.policy.DefaultUserSecurityPolicy"> <property name="config" ref="userConfiguration"/> <property name="passwordEncoder" ref="passwordEncoder#sha1"/> <property name="userValidationSettings" ref="userValidationSettings"/> <property name="rememberMeCookieSettings" ref="cookieSettings#rememberMe"/> <property name="signonCookieSettings" ref="cookieSettings#signon"/> <property name="rules"> add the rules you want to applied <list> <ref bean="passwordRule#alpha-count"/> <ref bean="passwordRule#alpha-numeric"/> <ref bean="passwordRule#character-length"/> <ref bean="passwordRule#must-have"/> <ref bean="passwordRule#no-whitespaces"/> <ref bean="passwordRule#numerical-count"/> </list> </property> </bean>
These properties should be set as shown:
user.manager.impl=ldap ldap.bind.authenticator.enabled=true redback.default.admin=admin redback.default.guest=guest security.policy.password.expiration.enabled=false
The user.manager.impl is the role hint that is used to determine which user manaher to use while running. The default is 'cached' and if this is desired to be used with ldap then you must include the component declartion below in the caching section for the cached UserManager that sets the underlying userImpl to ldap.
The ldap.bind.authenitcator.enabled boolean value will toggle the use of authenticator that will authenticate using the bind operation. There are two different mechanisms used to authenticate with ldap, either the bind authenticator which is a standard way to authentication, and then the user manager password validation approach. If this is desired then you must ensure that the security policy is configured to use the correct password encoding. Normally the bind authenticator is simply enabled since this bypasses concerns of password encoding.
It is also now possible to redefine the basic admin user and guest user names. Since its unlikely that ldap oriented authentication systems will have a specific admin or guest user these can be redefined simply in the security.properties. Care must be taken that they exist in the ldap system since they are looked up. Guest users can be simple utilitie or application users.
The final setting of security.policy.password.expiration.enabled is a boolean that should be set to false for ldap based authentication. This is because redback will want to attempt to manage and enforce password expiration and that is no longer under the direction of redback but is an artifact of the ldap system in place. Setting this to false prevents issues from cropping up related to redback trying to obtain this type of information.