Authenticator management

Authenticator management
	Chapter 7. Security

Authenticator is an important concept in QuickBuild, and is available to support authenticating users through other systems, such as a LDAP server. When an user logins in, QuickBuild performs below steps internally (user caching functionality was not considered to simplify the process):

Looks if the user name exist in QuickBuild's internal database (that is, whether or not the user is listed when access the Administration/User management menu). If it exists, go to step 3; otherwise, continue with step 2.
Send out the user name/password to first authenticator in the system for authentication. If the authentication failed, the second authenticator will be used if present. This procedure will be repeated until one authenticator successfully authenticates current user, or all authenticators fail to authenticate such user. For the first case, the user will be saved into QuickBuild's user database and associated with the successful authenticator. For the latter case, the whole authentication process stops, and an error will be sent to user.
The user record is read from database to examine the authenticator property. If this property is empty, this user is considered to an QuickBuild internal user, and saved password will be compared to user supplied password to determine if the login is permitted. On the other hand, if this property is not empty, the user name/password information will be sent to the associating authenticator for authentication. If this authentication is successful, the user is allowed to login; otherwise, user login will be rejected.

Because of this, QuickBuild user database includes not only internal users added by the administrator, but also external users (refer to users authenticated through one of configured authenticators) who have successfully logged in before. External user information is kept because of several reasons:

Manage its preference over QuickBuild, such as whether or not the page should be auto-refreshed, expanding status of configuration tree, etc.
Manage user properties which may not exist in external authentication system, such as Jabber account, MSN account.

Having some concept of authenticator, now let's examine various properties you need to set when define an authenticator:

Name: This property is used to identify current authenticator.
Default groups: Specify default groups. If this authenticator is not configured to retrieve group information, default groups will be assigned when the authenticator creates an user entry in QuickBuild (user entry will be created by authentcator upon user's login if it does not exist).
Group association strategy: If this value is set to <em>add</em>, group information retrieved from the authenticator will be added to current groups if the login user entry already exists in QuickBuild. Otherwise, it replaces current groups of login user.
Authentication provider: Currently QuickBuild only supports the LDAP authentication provider. With this provider, you're able to authenticate users through various LDAP systems, such as Microsoft Active Directory, Fedora Directory Server, OpenLDAP, etc. QuickBuild not only authenticates users through these system, but also be able to retrieve user group information to associate with QuickBuild groups.

LDAP Authenticator

Below is list of properties relating to LDAP authenticator:

LDAP URL: Specifies LDAP URL, for example: ldap://localhost:389, or ldaps://localhost:636. If you are using SSL protocol (by using ldaps prefixed url), and a SSLHandshakeException is thrown with message unable to find valid certification path to requested target while authenticating the user, please make sure QuickBuild trusts the public key of your LDAP server.
Bind user: Specifies the binding user in order to perform LDAP searches. Left as empty if your LDAP server can be searched against users and groups anonymously.
Bind password: Specifies password in order to bind as above DN.
User search base: Specifies the base node for user search. For example: ou=users, dc=pmease, dc=com.
User search filter: This filte is used to determine the LDAP entry for current user. For example: (&(uid={0})(objectclass=person)). In this example, "{0}" represents login name of current user.
User full name attribute: Specifies name of the attribute inside the user entry whose value will be taken as user full name.
User email attribute: Specifies name of the attribute inside the user entry whose value will be taken as user email.
Group name attribute: Specifies the group name attribute inside a group entry. Value of this attribute will be mapped to a QuickBuild group. If this property is left empty, group information will not be retrieved and all users authenticated through this authenticator will be associated with default groups automatically; various group finding properties below will be ignored in this case.
User groups attribute: Specifies name of the attribute inside the user entry whose value contains distinguished names of belonging groups. If the user group relationship is maintained at group side, you should leave this property empty, and set various group search properties below.
Group search base: In case of user group relationship maintained at group side, this property specifies base node for group search. For example: ou=groups, dc=pmease, dc=com.
Group search filter: In case of user group relationship maintained at group side, this filter is used to determine belonging groups of current user. For example: (&(uniqueMember={0})(objectclass=groupOfUniqueNames)). In this example, "{0}" represents DN of current user.

Refer to use cases for samples of how to configure LDAP authenticator.

LDAP Authenticator (self binding)

The self binding LDAP authenticator does not need a separate binding account when authenticates user against LDAP. Instead, it binds as the login user when performs search operations in the LDAP server. Some LDAP servers may not support this mode well. In this case, you'll need to resort to the LDAP authenticator introduced in last section.

LDAP URL: Specifies LDAP URL, for example: ldap://localhost:389, or ldaps://localhost:636. If you are using SSL protocol (by using ldaps prefixed url), and a SSLHandshakeException is thrown with message unable to find valid certification path to requested target while authenticating the user, please make sure QuickBuild trusts the public key of your LDAP server.
User DN pattern: Specifies the pattern to construct DN from the login name. For example: uid={0},ou=users, dc=pmease,dc=com Here {0} will be replaced by name of the login user.
User full name attribute: Specifies name of the attribute inside the user entry whose value will be taken as user full name.
User email attribute: Specifies name of the attribute inside the user entry whose value will be taken as user email.
Group name attribute: Specifies the group name attribute inside a group entry. Value of this attribute will be mapped to a QuickBuild group. If this property is left empty, group information will not be retrieved and all users authenticated through this authenticator will be associated with default groups automatically; various group finding properties below will be ignored in this case.
User groups attribute: Specifies name of the attribute inside the user entry whose value contains distinguished names of belonging groups. If the user group relationship is maintained at group side, you should leave this property empty, and set various group search properties below.
Group search base: In case of user group relationship maintained at group side, this property specifies base node for group search. For example: ou=groups, dc=pmease, dc=com.
Group search filter: In case of user group relationship maintained at group side, this filter is used to determine belonging groups of current user. For example: (&(uniqueMember={0})(objectclass=groupOfUniqueNames)). In this example, "{0}" represents DN of current user.