Figure 8.2, “A Simple LDAP Connection and Authentication Setup” shows a simplified LDAP
configuration for Nexus that connects to an LDAP server
running on localhost port 10389 using the search base
ou=system. On a more standard installation you would likely not
want to use Simple Authentication over plain ldap, as it sends the password in clear
text over the network, and you would also use a search base that
corresponds to your organization’s top-level domain components such as
The following parameters can be configured in the Connection and Authentication sections of the LDAP Configuration panel.
- Protocol
Valid values in this drop-down are ldap and ldaps, which correspond to the Lightweight Directory Access Protocol and the Lightweight Directory Access Protocol over SSL/TLS. Only ldaps protects the bind credentials and query traffic in transit.
- Hostname
The hostname or IP address of the LDAP server.
- Port
The port on which the LDAP server is listening. Port 389 is the default port for the ldap protocol, and port 636 is the default port for ldaps.
- Search Base
The search base is the Distinguished Name (DN) to be
appended to the LDAP query. The search base usually corresponds to the
domain name of an organization. For example, the search base on the
Sonatype LDAP server could be
- Authentication Method
Nexus provides four distinct authentication methods to be used when connecting to the LDAP server:
- Simple Authentication
- Simple authentication is not recommended for production deployments that do not use the secure ldaps protocol, as it sends a clear-text password over the network. Over ldaps it is the method to prefer, since the other three all depend on MD5.
- Anonymous Authentication
- Used when Nexus only needs read-only access to non-protected entries and attributes when binding to the LDAP server. No credentials are sent at all.
- Digest-MD5 Authentication
- This is an improvement on the CRAM-MD5 authentication method. For more information, see http://www.ietf.org/rfc/rfc2831.txt. Note that RFC 6331 has since moved DIGEST-MD5 to Historic status; it keeps the password itself off the wire but does not protect the rest of the LDAP session unless ldaps is also used.
- CRAM-MD5 Authentication
- The Challenge-Response Authentication Method (CRAM) is based on the HMAC-MD5 MAC algorithm. In this authentication method, the server sends a challenge string to the client. The client responds with the username followed by a hex digest that the server compares to an expected value. For more information, see RFC 2195. Because the server must hold the password in recoverable form to recompute the digest, and a captured challenge/response pair can be attacked offline, this method is not a substitute for ldaps.
- SASL Realm
- The Simple Authentication and Security Layer (SASL) realm used to connect. It is only available if the authentication method is Digest-MD5 or CRAM-MD5.
- Username
- Username of an LDAP user with which to connect (or bind). This is the Distinguished Name of a user who has read access to all users and groups. Use a dedicated, read-only service account for this rather than a directory administrator; Nexus must store this credential in order to bind.
- Password
- Password for the LDAP bind user above.
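To make the CRAM-MD5 description above concrete, the following is an added example (not code from this page, from Nexus, or from any Nexus API) that implements both sides of the RFC 2195 exchange with Python's standard library, then shows why a captured exchange is an offline oracle. The challenge format, the `nexus-bind` user, its password and the word list are constructed for illustration; the `tim` / `tanstaaftanstaaf` pair and the challenge `<1896.697170952@postoffice.reston.mci.net>` are the test vector from RFC 2195 section 2.

```python
"""CRAM-MD5 (RFC 2195) challenge-response exchange, both sides, plus an
offline guess against a captured exchange.

Added example for this page; it is not Nexus code and not a Nexus API.
Host name, user names, passwords and the word list are constructed for
illustration. The 'tim'/'tanstaaftanstaaf' pair is the RFC 2195 test vector.
"""
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname="ldap.example.invalid"):  # hostname is a placeholder
    """Server side: a fresh, unpredictable challenge in the RFC 2195
    '<nonce.timestamp@host>' form. The nonce must never repeat, or a
    recorded client digest could be replayed against a later challenge."""
    return f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed by the shared password over the challenge,
    sent as 'username hexdigest'. The password itself never goes on the wire."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response, challenge, password_store):
    """Server side: recompute the digest from the stored password and compare
    in constant time. The server needs the password in recoverable form
    (plaintext or an MD5 intermediate state); a salted hash cannot be used."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = password_store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def crack_offline(challenge, response, wordlist):
    """Attacker side: a captured challenge/response pair can be tested against
    guesses at one HMAC-MD5 per guess, with no further contact with the
    server. This is why 'no clear-text password' does not mean 'safe on
    plain ldap'."""
    _username, digest = response.split(" ", 1)
    for guess in wordlist:
        if hmac.new(guess.encode(), challenge.encode(), hashlib.md5).hexdigest() == digest:
            return guess
    return None


def rfc2195_example():
    """Round trip using the RFC 2195 section 2 test vector."""
    challenge = "<1896.697170952@postoffice.reston.mci.net>"
    store = {"tim": "tanstaaftanstaaf"}
    response = client_response("tim", "tanstaaftanstaaf", challenge)
    return response, server_verify(response, challenge, store)


if __name__ == "__main__":
    print(rfc2195_example())
    # Constructed exchange for a Nexus-style bind account, then an offline
    # guess against it using a constructed word list.
    ch = make_challenge()
    captured = client_response("nexus-bind", "Winter2024", ch)
    print(crack_offline(ch, captured, ["password", "Summer2024", "Winter2024"]))
```

The server's `password_store` here is a dictionary keyed by user name, standing in for whatever the directory keeps; the point of `crack_offline` is that the same recomputation the server performs is available to anyone who recorded the exchange from an unencrypted ldap connection.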