How to map a HTTP SSO user to a LDAP group?

You may map LDAP groups with SSO users through the use of Artifactory User Plugins. The full process for working with this plugin is as follows:


<Setup LDAP & LDAP Group>

Setup and enable Artifactory LDAP and LDAP Group using this Solution (requires Jfrog Support Portal login).

<Modify User Plugin>

  1. Download SynchornizeLDAPGroups’ user plugin and place it under your $ARTIFACTORY_HOME/etc/plugins (or $CLUSTER_HOME/etc/plugins if you are using High Availability)
  2. Replace “il-users” with the name of your LDAP group that has been imported to Artifactory
  3. Inside “myrelms”, add the following line to the plugin for debugging purposes only: log.debug “user ” + username+” have the following groups “+ groups
  4. Add the following logging to the $ARTIFACTORY_HOME/etc/logback.xml : (no need for restart) 
    <logger name="synchronizeLdapGroups"> 	<level value="debug"/> </logger> 

     

  5. After adding the user plugin run the plugin reload rest api or restart Artifactory.

<Verify the Sync using an EXAMPLE>

  1. In order to check that SSO user is getting the right groups as he/she has in the LDAP group, an existing user named ‘shayy’. You can see that this user doesn’t exist in Artifactory:
  2. I’ve imported the LDAP group which I want the user to get its permissions. In this case, as in the plugin we used the ‘il-users’. I’ve imported 2 groups that are part of the ‘il-users’.
  3. Once I had those groups in Artifactory, I’ve created a simple SSO config so I can authenticate with a user and sync the LDAP groups this user have. Meaning that once I will login using this SSO user the plugin will give it the groups that this user have on LDAP.
  4. Run the following rest command: curl -i -H “REMOTE_USER:shayy”  http://localhost:8081/artifactory/api/system/ping
    As you can see this will provide the SSO with the header that it expects in order to authenticate the user.
  5. Once doing so the user was created with its default permissions.
  6. If you go to the artifactory.log you will be able to see that actually, although the UI doesn’t show it, the debug line we added will show you that the user is part of the groups as he has on his LDAP server. See ArtifactoryLogAfterSSO.png. This is due to the fact that the plugin will add the permissions per session and not as constant groups per user.
  7. In case you try to use this user with a permission that he has on the LDAP server, it will succeed as the plugin will attach those groups permission to this user.

Disclaimer: The REMOTE_USER header is attached to the client request in this tutorial for demonstration purposes only. In a real-world setup, this header is meant to be set a proxying entity that forwards request to Artifactory, after it verifies the identity of the user on the request, usually against some other identity provider (for example Active Directory with Kerberos). You may also review our Apache HTTPD HTTP SSO solution.