Configuring LDAP Integration
To configure LDAP integration, click on the Enterprise LDAP menu item in Nexus Repository Manager Pro or the LDAP Configuration menu item in Nexus Repository Manager OSS in the Security menu in the left-hand main menu.
Clicking on the Enterprise LDAP/LDAP Configuration menu item will load the LDAP Configuration panel. The following sections outline the configuration options available in the LDAP Configuration panel.
Connection and Authentication
Figure 8.2, “A Simple LDAP Connection and Authentication Setup” shows a simplified LDAP configuration for the repository manager, configured to connect to an LDAP server running on localhost, port 10389, using the search base of ou=system. On a more standard installation, you would likely not want to use Simple Authentication, as it sends the password in clear text over the network, and you would also use a search base that corresponds to your organization’s top-level domain components, such as dc=sonatype,dc=com.
Figure 8.2. A Simple LDAP Connection and Authentication Setup
The following parameters can be configured in the Connection and Authentication sections of the LDAP Configuration panel.
Protocol
Valid values in this drop-down are ldap and ldaps, which correspond to the Lightweight Directory Access Protocol and the Lightweight Directory Access Protocol over SSL.
Hostname
The hostname or IP address of the LDAP server.
Port
The port on which the LDAP server is listening. Port 389 is the default port for the ldap protocol, and port 636 is the default port for the ldaps protocol.
Search Base
The search base is the Distinguished Name (DN) to be appended to the LDAP query. The search base usually corresponds to the domain name of an organization. For example, the search base on the Sonatype LDAP server could be dc=sonatype,dc=com.
Authentication Method
The repository manager provides four distinct authentication methods to be used when connecting to the LDAP Server:
Simple Authentication
Simple authentication is not recommended for production deployments not using the secure ldaps protocol, as it sends a clear-text password over the network.
Anonymous Authentication
Used when the repository manager only needs read-only access to non-protected entries and attributes when binding to the LDAP server.
Digest-MD5
This is an improvement on the CRAM-MD5 authentication method. For more information, see http://www.ietf.org/rfc/rfc2831.txt
CRAM-MD5
The Challenge-Response Authentication Method (CRAM) is based on the HMAC-MD5 MAC algorithm. In this authentication method, the server sends a challenge string to the client. The client responds with a username followed by a hex digest that the server compares to an expected value. For more information, see RFC 2195.
For a full discussion of LDAP authentication approaches, see http://www.ietf.org/rfc/rfc2829.txt and http://www.ietf.org/rfc/rfc2251.txt.
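To make the CRAM-MD5 exchange described above concrete, here is an added example (not code from Nexus Repository Manager or from this book) that plays both sides of the exchange in Python and replays the worked example from RFC 2195 (user tim, password tanstaaftanstaaf). The directory lookup and the hostname used in make_challenge are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(host: str) -> str:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 '<nonce.time@host>' shape.
    Each bind must get a new challenge; a reused challenge would let a captured response be replayed."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>"


def client_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the challenge, sent as
    '<username> <hex digest>'. (IMAP base64-wraps this string; LDAP carries the raw
    bytes in the SASL credentials of the BindRequest.)"""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: str, lookup_password) -> bool:
    """Server side: recompute the digest from the stored password and compare in
    constant time. CRAM-MD5 requires the plaintext password (or the HMAC key state)
    on the server, so it cannot be backed by salted one-way password hashes."""
    username, _, received = response.partition(" ")
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), received.encode())


# Worked exchange using the published RFC 2195 test vector; the one-entry
# directory below is a constructed stand-in for the LDAP server's user store.
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
DIRECTORY = {"tim": "tanstaaftanstaaf"}


def rfc2195_exchange() -> tuple:
    """Return (client response, server verdict) for the RFC 2195 example."""
    response = client_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
    return response, server_verify(response, RFC2195_CHALLENGE, DIRECTORY.get)


if __name__ == "__main__":
    resp, ok = rfc2195_exchange()
    print(resp, ok)  # tim b913a602c7eda7a495b4e6e7334d3890 True
```

Note that the password itself never crosses the wire, which is the improvement over Simple Authentication, but the server must still hold it in recoverable form, and MD5-based mechanisms offer no protection of the rest of the session; ldaps remains the stronger choice.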
SASL Realm
The Simple Authentication and Security Layer (SASL) realm used to connect. It is only available if the authentication method is Digest-MD5 or CRAM-MD5.
Username
Username of an LDAP user with which to connect (or bind). This is a Distinguished Name of a user who has read access to all users and groups.
Password
Password for an administrative LDAP user.