-
Suggestion
-
Resolution: Fixed
-
None
-
4
-
attached is some code to do LDAP authentication in JIRA in an interesting way.
the idea is to use LDAP "lazily". Here's the text of a message to jira-user that describes the basic idea:
====================
the way we chose to manage this was to leave "external user
management" OFF, and to write a custom "credentials provider" that
worked the way we wanted.
it was not completely simple, because of how the osuser framework
works, but we managed to more or less get it working the way we
wanted.
our LDAP credentials provider contains a reference to an "underlying"
OfBiz (standard) credentials provider. it works by first
authenticating the user against LDAP, then:
if the authentication was successful
if the user exists in the underlying provider
succeed
else
create the user in the underlying provider, using info from LDAP,
and succeed
else
if the user exists in the underlying provider
if we can authenticate the user in the underlying provider
succeed
else
fail
this means that users are created in JIRA's database on-demand. it
also means that if our LDAP goes down, people with existing JIRA
accounts can still login to JIRA, using their passwords in the
underlying provider. which is nice since we use JIRA (among other
things) to report system/network problems with things like LDAP
servers.
one problem (and here my memory fails a bit, so I might get some
details wrong) is that we still can't use JIRA's Add User feature
directly. There should be no reason why this wouldn't work, but a
quirk in the OSUser framework prevents it. Basically (again, IIRC)
there is a "handles" method that providers need to implement, and
this method is called with the username before any other methods
(authenticate, create, etc.) are called. When adding a user (this is
assuming we're using the same uid as in LDAP) the framework first
checks if our provider handles that UID. since it does (the uid
already exists in LDAP) it doesn't make sense to create it, so the
Add User fails, even though the user doesn't exist in the underlying
provider.
this isn't a big deal, usually, since people can just login on their
own and everything will be created for them. the only problem is if
you (the admin) wanted to create a user and add them to some groups.
to get around this, we also wrote a "backdoor" action, accessible
from the web but not part of JIRA's main interface, that can
manipulate the ofbiz database more or less directly. we use this if
we need to add new users to specific groups.
====================
- relates to
-
JRASERVER-1962 Improve the LDAP stack in JIRA
- Closed
-
JRASERVER-11174 auto create user on login - with LDAP authentication
- Closed