Authentication Scheme

I created a custom Login Module called SiteminderLoginModule. When I log in as the System Admin
I am not able to create a new user. I see the following message on the userList page:

"User accounts in the current authentication scheme are created automatically upon login."

My main-config.xml contains the <auth-type> shown below:

  <auth-type>
    <!-- <login-module /> -->
    <login-module />
    <guest-login allowed="true" guest-username="guest" />
    <free-registration allowed="false" />
  </auth-type>

I don't want a user to be automatically created on login. Users should be created by an admin or prepopulated by the LDAP sync tool initially. I want Siteminder to authenticate and put the user credentials in the request header. Upon access to TeamCity I want to retrieve the user credentials from the request header and check them against the TeamCity user database to make sure the user exists. If the user exists, then display the overview page with the user logged in. If the user credentials from the request header are not found in the TeamCity user database, then the user should get the message "authentication failed".

How can I allow the System Admin the rights to create users from TeamCity while still using a Custom Login Module?


Hi Paul,

> How can I allow the System Admin the rights to create users from TeamCity while still using a Custom Login Module?
This is not possible out of the box; manual user creation by a system admin is available only when DefaultLoginModule is used.

But you can:
- create users on demand from your plugin, just like LDAP plugin does;
- deny user authorization whenever you choose, so these users won't be created in TeamCity, because they cannot authenticate.

Does it sound good in your case?


---
Maxim


I see the logic: because a user is authenticated, the user is automatically created in TeamCity if the user does not already exist.
That functionality is fine and I understand it, but the System Admin should always be able to create a new user manually. The fact
that you are a System Admin means you should have the right to perform all functions.


Hi Paul,

Originally it was assumed that if the System Admin needs to be able to manage user creation/deletion, the default scheme should suffice.
In other cases (NT domain, LDAP, etc.) user management is performed completely by external components. E.g. TeamCity cannot create or delete users in LDAP. That's why no links are shown to the administrator.

We might want to make this scheme more flexible, considering your case. Could you please file a request in our tracker at http://youtrack.jetbrains.net/issues/TW ?

---
Maxim


Thank you, I see your logic and it makes sense. I can live without the System Admin manually creating users,
since a user who isn't in the TeamCity database will be created automatically after the user is authenticated
by Siteminder. I do have a question though: how can I populate a user object with a first name, last name and email
address programmatically, so that when TeamCity creates the user the TeamCity database will contain the data? Currently
when TeamCity creates a user only the username field is populated.


Hi Paul,

If I understand your issue correctly, then this is a known bug (http://youtrack.jetbrains.net/issue/TW-14013). Do you have the same problem?
If yes, at least there is a workaround.


---
Maxim


I figured out how to update a user after they log in. The myLoginModel.login() method returns a User object
upon successful login. You can then call SessionUser.getUser(request), which returns an SUser object from
the request object; you can then call the updateUserAccount() method and update the full name and email address
fields. The code snippet below shows how to do so:

               // myLoginModel is the plugin's own login model; on success it returns the
               // User that TeamCity found or auto-created for this login.
               User currentUser = myLoginModel.login(username, password, request);

               // TeamCity only fills in the username, so complete the profile when the
               // full name or email address is still empty (isEmpty: null-or-blank check).
               if(isEmpty(currentUser.getName()) || isEmpty(currentUser.getEmail())) {
                   SUser user = SessionUser.getUser(request);
                   // In practice the name and email come from the Siteminder request headers.
                   user.updateUserAccount(currentUser.getUsername(), "John Doe", "john.doe@jetbrains.com");
               }


Why do I need to update the SUser object you might ask?

I am using Siteminder to authenticate, NOT TeamCity, so when a user authenticates their user credentials, which
include their userId, first name, last name and email address, get stored in the request header. When TeamCity
tries to log the user in, the user may not be found in the TeamCity database, so TeamCity automatically creates the user
using the userId that the SiteminderLoginModule added to the ServerPrincipal object needed for successful login.
However, the user gets created by TeamCity without a full name or email address. Since Siteminder provides
the first and last names and email out of the box, I can update the SUser object with the first+last name and email
address from the request header. All this takes place before the user is redirected to the main page (projects page).
When the user goes to their "My settings & tools" link they will see their username, full name and email populated.

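Putting the two halves of this thread together (reject a header user that is not already in the TeamCity database, as the question asks, and fill in the full name and email right after login, as the last post does), here is an added helper; it is not code from the thread or from TeamCity. It assumes SiteMinder's standard SM_USER header plus three constructed header names for first name, last name and email, and treats UserModel.findUserAccount(realm, username) and the ServerPrincipal(realm, name) constructor as assumed signatures; the SUser.updateUserAccount call is the one used in the post above.

```java
import javax.security.auth.login.FailedLoginException;
import javax.servlet.http.HttpServletRequest;
import jetbrains.buildServer.serverSide.auth.ServerPrincipal;
import jetbrains.buildServer.users.SUser;
import jetbrains.buildServer.users.UserModel;

/** Identity carried in the headers the SiteMinder agent sets on each request. */
public record SiteminderIdentity(String username, String fullName, String email) {
    // SM_USER is SiteMinder's standard user header; the other three names are
    // assumptions and must match the response attributes your policy server emits.
    static final String USER_HEADER = "SM_USER";
    static final String FIRST_NAME_HEADER = "SM_FIRSTNAME";
    static final String LAST_NAME_HEADER = "SM_LASTNAME";
    static final String EMAIL_HEADER = "SM_EMAIL";
    /** Returns null when the request carries no SiteMinder user header. */
    public static SiteminderIdentity fromRequest(HttpServletRequest request) {
        String user = trimToNull(request.getHeader(USER_HEADER));
        if (user == null) return null;
        String first = trimToNull(request.getHeader(FIRST_NAME_HEADER));
        String last = trimToNull(request.getHeader(LAST_NAME_HEADER));
        String full = first == null ? last : (last == null ? first : first + " " + last);
        return new SiteminderIdentity(user, full, trimToNull(request.getHeader(EMAIL_HEADER)));
    }

    /**
     * Only a user already present in the TeamCity user database may log in; anyone else
     * fails with "authentication failed" and is therefore never auto-created. Both the
     * findUserAccount(realm, username) and ServerPrincipal(realm, name) signatures are assumed.
     */
    public ServerPrincipal verifyAgainst(UserModel userModel, String realm) throws FailedLoginException {
        if (userModel.findUserAccount(realm, username) == null) {
            throw new FailedLoginException("authentication failed");
        }
        return new ServerPrincipal(realm, username);
    }

    /** The workaround from the last post: fill in only the fields TeamCity left empty. */
    public void completeProfile(SUser user) {
        boolean nameMissing = trimToNull(user.getName()) == null;
        boolean emailMissing = trimToNull(user.getEmail()) == null;
        if (nameMissing || emailMissing) {
            user.updateUserAccount(user.getUsername(),
                    nameMissing ? fullName : user.getName(),
                    emailMissing ? email : user.getEmail());
        }
    }
    private static String trimToNull(String s) {
        return (s == null || s.trim().isEmpty()) ? null : s.trim();
    }
}
```

Call fromRequest and verifyAgainst from the login module's login step, and completeProfile on the SUser returned by SessionUser.getUser(request) once the login has succeeded.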
