Is there any way to sync all users groups from LDAP to Artifactory at will using HTTP SSO?

Although this functionality isn't built-in with Artifactory and HTTP SSO, it's possible to do this with a User Plugin.

This solution assumes that the Active Directory groups are defined in Artifactory prior to the users login.

You should create a user plugin file under 

$ARTIFACTORY_HOMEetcplugins, that utilizes the 'realms' functionallity




realms {

    myrealm([autoCreateUsers: false, realmPolicy: RealmPolicy.ADDITIVE]) {

        authenticate { username, credentials ->

   'before user.groups: ' + user.groups)

   'before groups: ' + groups)

            def settings = new LdapGroupsSettings()

            settings.ldapGroupSettingsName = 'LDAPTest'

            groups += security.getCurrentUserGroupNames(settings)

   'after user.groups: ' + user.groups)

   'after groups: ' + groups)

            return true




Please change 'LDAPTest' to the corresponding ldap group settings name in Artifactory.

Restart Artifactory in order to load the plugin.

After that,

Once user is connecting to artifactory, his ldap groups will be assigned to him automatically upon the login.

You can test this functionality with this command:

curl  -H "REMOTE_USER: LdapUser" http://localhost:8081/artifactory/api/system/ping

This emulates an HTTP SSO login (notice the REMOTE_USER header). After you run this command, if everything is working correctly, this is what you will see in the logs:


2016-04-18 18:04:02,657 [http-nio-8081-exec-2] [INFO ] (samplePlugin_v4 :7) - before user.groups: [readers]

2016-04-18 18:04:02,657 [http-nio-8081-exec-2] [INFO ] (samplePlugin_v4 :8) - before groups: [readers]

2016-04-18 18:04:04,939 [http-nio-8081-exec-2] [INFO ] (samplePlugin_v4 :12) - after user.groups: [readers, support-team]

2016-04-18 18:04:04,939 [http-nio-8081-exec-2] [INFO ] (samplePlugin_v4 :13) - after groups: [readers, support-team]

Notice that the ldap group "support-team" is added to the existing groups list of the user.