How to map an HTTP SSO user to an LDAP group?

JFrog Support
2017-07-14 21:35

You can map LDAP groups to HTTP SSO users by using an Artifactory user plugin. The full process for working with this plugin is as follows:

<Setup LDAP & LDAP Group>

Set up and enable Artifactory LDAP and the LDAP Group setting using this Solution (requires a JFrog Support Portal login). Import the desired LDAP groups.

<Modify User Plugin>

  1. Download the ‘SynchronizeLDAPGroups’ user plugin and place it under $ARTIFACTORY_HOME/etc/plugins (or $CLUSTER_HOME/etc/plugins if you are using Artifactory 4.x with High Availability).
  2. Replace "il-users" with the name of your LDAP group SETTING (not the imported group).
  3. Inside "myrelms", add the following line to the plugin, for debugging purposes only:
    log.debug "user " + username + " have the following groups " + groups
  4. Add the following logger to $ARTIFACTORY_HOME/etc/logback.xml (no restart needed):
    <logger name="synchronizeLdapGroups">
        <level value="debug"/>
    </logger>
  5. After adding the user plugin, call the plugin reload REST API or restart Artifactory.

<Verify the Sync using an EXAMPLE>

  1. To check that an SSO user gets the same groups that he/she has in LDAP, we use an existing user named ‘shayy’. You can see that this user doesn’t exist in Artifactory:
  2. I’ve imported the LDAP group from which I want the user to get its permissions. In this case, as in the plugin, we used ‘il-users’. I’ve imported 2 groups that are part of ‘il-users’.
  3. Once I had those groups in Artifactory, I created a simple SSO configuration so I can authenticate with a user and sync the LDAP groups this user has. This means that once I log in using this SSO user, the plugin will give it the groups that this user has in LDAP.
  4. Run the following REST command:
    curl -i -H "REMOTE_USER:shayy" http://localhost:8081/artifactory/api/system/ping
    As you can see, this provides the SSO with the header it expects in order to authenticate the user.
  5. Once this is done, the user is created with its default permissions.
  6. If you look at artifactory.log you will see that, although the UI doesn’t show it, the debug line we added shows that the user is part of the groups he has on his LDAP server. See ArtifactoryLogAfterSSO.png. This is because the plugin adds the permissions per session and not as constant groups per user.
  7. If you try to use this user with a permission that he has on the LDAP server, it will succeed, as the plugin attaches those groups’ permissions to this user.
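Because the plugin attaches groups per session (step 6), the only place to confirm which groups an SSO user actually received is the debug line in artifactory.log. The script below is an added example, not part of this article or of the JFrog plugin: it assumes the line format produced by the log.debug statement from step 3 of "Modify User Plugin" (a Groovy list rendered as [a, b]), runs over constructed sample log lines, and uses helper names (session_groups, has_group) chosen here.

```shell
#!/bin/sh
# Added example (not JFrog's plugin code): parse the debug line that step 3 of
# "Modify User Plugin" adds, to confirm which LDAP groups an SSO user received
# for the session. The line format is assumed to be what that log.debug
# statement prints with a Groovy list, e.g.
#   ... - user shayy have the following groups [il-dev, il-qa]

# Constructed sample artifactory.log lines (not real log output).
SAMPLE_LOG='2017-07-14 21:35:01,000 [http-nio-8081-exec-1] [INFO ] (o.a.e.UploadServiceImpl:123) - some unrelated line
2017-07-14 21:35:02,000 [http-nio-8081-exec-2] [DEBUG] (synchronizeLdapGroups:42) - user shayy have the following groups [il-dev, il-qa]
2017-07-14 21:35:03,000 [http-nio-8081-exec-3] [DEBUG] (synchronizeLdapGroups:42) - user alice have the following groups []'

# session_groups USER LOGTEXT: print the groups from USER's most recent debug
# line, one per line. Empty output means the plugin logged nothing useful for
# that login (plugin not loaded, logger not at debug, or no LDAP groups).
session_groups() {
    printf '%s\n' "$2" |
        grep -F "user $1 have the following groups" |
        tail -n 1 |
        sed -n 's/.*have the following groups \[\(.*\)].*/\1/p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$'
}

# has_group USER GROUP LOGTEXT: succeed only if GROUP was attached to USER's session.
has_group() {
    session_groups "$1" "$3" | grep -qx "$2"
}

# Usage against a live instance: send the curl from step 4, then read the log:
#   curl -s -H "REMOTE_USER:shayy" http://localhost:8081/artifactory/api/system/ping
#   has_group shayy il-dev "$(cat "$ARTIFACTORY_HOME/logs/artifactory.log")" && echo synced
session_groups shayy "$SAMPLE_LOG"
```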