
LDAP

Nexus Repository Manager can use the Lightweight Directory Access Protocol (LDAP) for authentication via external systems providing LDAP support such as Microsoft Exchange/Active Directory, OpenLDAP, ApacheDS, and others.

Configuring LDAP can be achieved in a few simple steps:

  • Enable LDAP Authentication Realm

  • Create LDAP server configuration with connections and user/group mapping details

  • Create external role mappings to adapt LDAP roles to repository manager-specific usage

In addition to handling authentication, the repository manager can be configured to map roles to LDAP user groups. If a user is a member of an LDAP group that matches the ID of a role, the repository manager grants that user the matching role. In addition to this highly configurable user and group mapping capability, the repository manager can augment LDAP group membership with specific user-role mapping.

The repository manager can cache authentication information and support multiple LDAP servers and user/group mappings. Connection details to the LDAP server and the user/group mappings as well as specific account logins can be tested directly from the user interface.

All these features allow you to adapt to any specific LDAP usage scenario and take advantage of the central authentication set up across your organization in all your repository managers.

Enabling the LDAP Authentication Realm

Activate your LDAP Realm by following these steps:

  • Navigate to the Realms administration section

  • Select the LDAP Realm and add it to the list of Active realms on the right

  • Ensure that the LDAP Realm is located beneath the Local Authenticating Realm in the list

  • Press Save

The best practice is to leave the Local Authenticating Realm activated so that the repository manager can be used by anonymous, admin, and other users configured in this realm even with LDAP authentication offline or unavailable. Any user account not found in the Local Authenticating Realm will be passed through to LDAP authentication.

LDAP Connection and Authentication

The LDAP feature view, displayed in Figure: “LDAP Feature View”, is available via the LDAP item in the Security section of the Administration main menu.


Figure: LDAP Feature View

The Order column determines the order in which the repository manager contacts the LDAP servers when authenticating a user. The Name and URL columns identify each configuration, and clicking an individual row opens its Connection and User and group configuration sections.

The Create connection button can be used to create a new LDAP server configuration. Multiple configurations can be created and are accessible in the list.

The Change order button can be used to change the order in which the repository manager queries the LDAP servers in a pop-up dialog.

Successful authentications are cached so that subsequent logins do not require a new query to the LDAP server each time. The Clear cache button can be used to remove these cached authentications.

Tip

Contact the administrator of your LDAP server to figure out the correct parameters, as they vary between different LDAP server vendors, versions, and individual configurations performed by the administrators.

The following parameters allow you to create an LDAP connection:

Name

Enter a unique name for the new configuration.

LDAP server address

Enter Protocol, Hostname, and Port of your LDAP server.

Protocol

Valid values in this drop-down are ldap and ldaps, which correspond to the Lightweight Directory Access Protocol and to the Lightweight Directory Access Protocol over SSL.

Hostname

The hostname or IP address of the LDAP server.

Port

The port on which the LDAP server is listening. Port 389 is the default port for the ldap protocol, and port 636 is the default port for ldaps.

Search base DN

This field further qualifies the connection to the LDAP server. It usually corresponds to the domain name of an organization. For example: dc=example,dc=com.

Note: If the values in your Search base DN contain spaces, escape them with "%20", as in "dc=example%20corp,dc=com".

You can configure one of four authentication methods to be used when connecting to the LDAP Server with the Authentication method drop-down.

Simple Authentication

Simple authentication consists of a Username and Password. Simple authentication is not recommended for production deployments that do not use the secure ldaps protocol, because the password is sent in clear text over the network.

Anonymous Authentication

The anonymous authentication uses the server address and search base without further authentication.

Digest-MD5

This is an improvement on the CRAM-MD5 authentication method. For more information, see RFC-2831.

CRAM-MD5

The Challenge-Response Authentication Method (CRAM) is based on the HMAC-MD5 MAC algorithm. In this authentication method, the server sends a challenge string to the client. The client responds with a username followed by a hex digest, which the server compares to an expected value. For more information, see RFC-2195.

For a full discussion of LDAP authentication approaches, see RFC-2829 and RFC-2251.
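The CRAM-MD5 exchange described above, as an added Python example that is not part of the Nexus documentation or code: the server issues a challenge, the client answers with the username and hex HMAC-MD5 of the challenge keyed by the password, and the server recomputes and compares the digest. The credential store, host name and account values are constructed assumptions.

```python
"""Added example: both sides of a CRAM-MD5 (RFC 2195) exchange, as used by the Nexus bind account."""
import base64
import hashlib
import hmac
import secrets
import time

def make_challenge(host="ldap.example.com"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 msg-id style (host is assumed)."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>".encode()

def b64(raw):
    """SASL transports challenge and response base64-encoded."""
    return base64.b64encode(raw).decode()

def client_response(username, password, challenge_b64):
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))', base64-wrapped."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{username} {digest}".encode())

def server_verify(response_b64, challenge, lookup_secret):
    """Server side: recompute the digest with the stored secret and compare in constant time.
    Note that the server must hold the shared secret in recoverable form to do this."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None

# Constructed credential store for the demo (assumption; not a real directory).
SECRETS = {"nexus-bind": "bind-secret-123"}

def demo_exchange(username, password):
    """Run one full exchange and return the authenticated username, or None on failure."""
    challenge = make_challenge()
    response = client_response(username, password, b64(challenge))
    return server_verify(response, challenge, SECRETS.get)
```

A response is bound to the challenge it answered: the same response presented against a later challenge does not verify.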

SASL Realm

The Simple Authentication and Security Layer (SASL) realm is used to connect to the LDAP server. It is only available if the authentication method is Digest-MD5 or CRAM-MD5.

Username or DN

Username or DN (Distinguished Name) of an LDAP user with read access to all necessary users and groups. It is used to connect to the LDAP server.

Password

Password for the Username or DN configured above.

To test your connection to the external LDAP server, click Verify connection. A successful connection is confirmed with a notification pop-up.

The connection details can be further refined by configuring the timeout period, retry period, and number of connection attempts in Connection rules.

Click Next to proceed to configure user and group mappings for the LDAP configuration.

Figure: “Create LDAP Connection” shows an LDAP connection configuration for the repository manager configured to connect to an LDAP server running on localhost port 10389 using the search base of ou=system.


Figure: Create LDAP Connection

User and Group Mapping

The LDAP connection panel contains a section to manage user and group mappings. This configuration is the next step after you configure and verify the LDAP Connection. It is a separate panel called Choose Users and Groups.

This panel provides a Configuration template drop-down, shown in Figure: “Configuration Template for Users and Groups”. Based on your template selection the rest of the field inputs will adjust to the appropriate user and group template requirements. These templates are suggestions for typical configurations used on servers such as Active Directory, Generic Ldap Server, Posix with Dynamic Groups, and Posix with Static Groups. The values are suggestions only and have to be adjusted to your specific needs based on your LDAP server configuration.


Figure: Configuration Template for Users and Groups

The following parameters allow you to configure your user and group elements with the repository manager:

User relative DN

Corresponds to the collection of distinguished names used as the base for user entries. This DN is relative to the Search Base DN. For example, if your users are all contained in ou=users,dc=sonatype,dc=com and you specified a Search Base DN of dc=sonatype,dc=com, you use a value of ou=users.

User subtree

Check the box for True, uncheck it for False. Set it to True if there is a tree below the User relative DN that can contain user entries, and to False if all users are contained directly within the specified User relative DN. For example, if all users are in ou=users,dc=sonatype,dc=com this field should be False. If users can appear in organizational units nested within organizational units, such as ou=development,ou=users,dc=sonatype,dc=com, this field should be True.

Object class

This value is a standard object class defined in RFC-2798. It specifies the object class for users. Common values are inetOrgPerson, person, user, or posixAccount.

User filter

This allows you to configure a filter to limit the search for user records. It can be used as a performance improvement.

User ID attribute

This is the attribute of the object class specified above that supplies the identifier for the user from the LDAP server. The repository manager uses this attribute as the User ID value.

Real name attribute

This is the attribute of the Object class that supplies the real name of the user. The repository manager uses this attribute when it needs to display the real name of a user similar to usage of the internal First name and Last name attributes.

Email attribute

This is the attribute of the Object class that supplies the email address of the user. The repository manager uses this attribute for the Email attribute of the user. It is used for email notifications of the user.

Password attribute

This optional field names the attribute of the Object class that supplies the user's password (for example "userPassword"). When it is left blank, the repository manager authenticates the user by performing a bind against the LDAP server with the supplied credentials, so password verification is left to the LDAP server. When it is set, the repository manager reads this attribute of the user entry and uses it when authenticating the user against the LDAP server.

The Map LDAP groups as roles box is checked by default. With this configuration, every LDAP group the user belongs to is compared against the roles defined in the repository manager; where a group name is identical to a role ID, the user is granted the privileges of that role.

Groups in LDAP systems are configured as either dynamic or static. With dynamic groups, each user entry carries the list of groups the user belongs to. A static group is an entry that contains the list of its member users. Select Dynamic Groups or Static Groups from the Group type drop-down to proceed with the appropriate configuration.


Figure: Static Group Element Mapping

Static groups, for example as displayed in Figure: “Static Group Element Mapping”, are configured with the following parameters:

Group relative DN

This field is similar to the User Relative DN field described for User Element Mapping, but applies to groups instead of users. For example, if your groups were defined under ou=groups,dc=sonatype,dc=com, this field would have a value of ou=groups.

Group subtree

This field is similar to the User subtree field described for User Element Mapping, but configures groups instead of users. If all groups are defined under the entry defined in Group relative DN, set the field to false. If a group can be defined in a tree of organizational units under the Group relative DN, set the field to true.

Group object class

The value in this field is a standard object class defined in RFC-2307. The class is simply a collection of references to unique entries in an LDAP directory and can be used to associate user entries with a group. Examples are groupOfUniqueNames, posixGroup or custom values.

Group ID attribute

Specifies the attribute of the object class that specifies the group identifier. If the value of this field corresponds to the ID of a role, members of this group will have the corresponding privileges.

Group member attribute

Specifies the attribute of the object class which specifies a member of a group. An example value is uniqueMember.

Group member format

This field captures the format of the Group Member Attribute, and is used by the repository manager to extract a username from this attribute. An example value is ${dn}.

If your installation does not use static groups, you can configure the LDAP connection to refer to an attribute on the user entry to derive group membership. To do this, select Dynamic Groups in the Group type drop-down.


Figure: Dynamic Group Element Mapping

Dynamic groups are configured via the Group member of attribute parameter. The repository manager inspects this attribute of the user entry to get a list of groups of which the user is a member. In this configuration, seen in Figure: “Dynamic Group Element Mapping”, a user entry would have an attribute that would contain the name of a group, such as memberOf.
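How the user and group mapping fields above resolve a login to repository-manager roles (user relative DN and subtree scope, object class, user ID attribute, static membership via Group member attribute and Group member format, dynamic membership via Group member of attribute, and group-name-to-role-ID matching), as an added Python example. It is not Nexus code: it runs against a constructed in-memory directory snapshot instead of a live LDAP server, and the DNs, attribute values and role IDs are assumptions.

```python
"""Added example: how the Choose Users and Groups settings resolve a login to roles,
run against a constructed in-memory directory snapshot instead of a live LDAP server."""

U = "ou=users,dc=example,dc=com"  # constructed DN suffix for user entries
DIRECTORY = {  # DN -> attribute lists (constructed, not a real directory export)
    f"uid=jdoe,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
                      "memberOf": ["nx-developer", "release-managers"]},
    f"uid=svc,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["svc"], "memberOf": ["nx-deployer"]},
    f"uid=old,ou=contractors,{U}": {"objectClass": ["inetOrgPerson"], "uid": ["old"], "memberOf": []},
    "cn=nx-admin,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfUniqueNames"],
        "cn": ["nx-admin"], "uniqueMember": [f"uid=jdoe,{U}"]},
    "cn=nx-developer,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfUniqueNames"],
        "cn": ["nx-developer"], "uniqueMember": [f"uid=jdoe,{U}", f"uid=svc,{U}"]},
}
NEXUS_ROLES = {"nx-admin", "nx-developer", "nx-anonymous"}  # role IDs assumed to exist in the repository manager

STATIC_MAPPING = {  # keys mirror the form fields; values are the static-group case
    "search_base_dn": "dc=example,dc=com", "user_relative_dn": "ou=users", "user_subtree": False,
    "user_object_class": "inetOrgPerson", "user_id_attribute": "uid",
    "group_type": "static", "group_relative_dn": "ou=groups", "group_subtree": False,
    "group_object_class": "groupOfUniqueNames", "group_id_attribute": "cn",
    "group_member_attribute": "uniqueMember", "group_member_format": "${dn}",
    "group_member_of_attribute": "memberOf",
}
DYNAMIC_MAPPING = {**STATIC_MAPPING, "group_type": "dynamic"}

def in_scope(dn, base, subtree):
    """One-level match unless subtree is set (the constructed DNs contain no escaped commas)."""
    return dn.endswith("," + base) and (subtree or "," not in dn[: -len(base) - 1])

def search(m, kind):
    """Entries of the configured object class under '<kind> relative DN,Search base DN'."""
    base = f"{m[kind + '_relative_dn']},{m['search_base_dn']}"
    return {dn: a for dn, a in DIRECTORY.items()
            if in_scope(dn, base, m[kind + "_subtree"]) and m[kind + "_object_class"] in a["objectClass"]}

def groups_of(m, dn, attrs):
    if m["group_type"] == "dynamic":  # the user entry itself lists its groups
        return set(attrs.get(m["group_member_of_attribute"], []))
    member = m["group_member_format"].replace("${dn}", dn)  # expand Group member format
    return {g[m["group_id_attribute"]][0] for g in search(m, "group").values()
            if member in g.get(m["group_member_attribute"], [])}

def roles_for(user_id, m=STATIC_MAPPING):
    """Roles granted to the user: group IDs that exactly match a repository-manager role ID."""
    for dn, attrs in search(m, "user").items():
        if attrs[m["user_id_attribute"]][0] == user_id:
            return groups_of(m, dn, attrs) & NEXUS_ROLES
    return None  # user is not visible under this mapping, so LDAP login is not possible
```

A group that has no role with the same ID (release-managers, nx-deployer) grants nothing, and a user outside the configured scope (uid=old, one level deeper) is only found once User subtree is set.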

Once you have configured the user and group settings on the Choose Users and Groups form, you can check the correctness of your user mapping by pressing the Verify user mapping button. A successful mapping will result in the retrieval of a list of user records, which will be shown in the User Mapping Test Result dialog. Note that the user mapping result dialog is limited to 20 records. To look up specific users and verify their information, go to "security → users" in the administration UI and search within the LDAP realm.

The repository manager also lets you test a user login directly. To do so, go to the Choose Users and Groups page after all appropriate field inputs of the form are filled, scroll to the bottom, and click the Verify login button.

The Verify login button can be used to check if authentication and user/group mappings work as expected for a specific user account besides the global account used for the LDAP configuration.

After the successful configuration of your LDAP connection and user and group mappings, you can proceed to configure external role mappings and assign them to users. This allows you to define the repository manager-specific security for an LDAP group.

More details are available in Roles and Users.

Improve LDAP Performance for External Role Mapping

By default, the UI for mapping external LDAP roles shows matching roles after 3 characters have been entered. When there are a large number of LDAP roles, or too many roles starting with the same 3 characters, the roles drop-down may respond slowly, degrading the user experience.

The following property is used to set the limit for the number of characters that need to be typed before any existing LDAP-mapped roles are shown in the drop-down.

Add the property and desired value to your nexus.properties configuration and restart the server:

nexus.ldap.mapped.role.query.character.limit=3

Security

Full ability to view and edit this page is granted by the nx-ldap-all Privilege. Granular privileges to read, update, create and delete are also available. To use Clear cache and Change order, the update (or all) privilege is required.