Repository Management with Nexus


8.9. Mapping Nexus Roles for External Users

If you are unable to map all of the Nexus roles to LDAP groups, you can always augment the role information by adding a specific user-role mapping for an external LDAP user in Nexus. In other words, if you need to make sure that a specific user in LDAP gets a specific Nexus role and you don’t want to model this as a group membership, you can add a role mapping for an external user in Nexus.

Nexus will keep track of this association independent of your LDAP server. Nexus continues to delegate authentication to the LDAP server for this user. Nexus will continue to map the user to Nexus roles based on the group element mapping you have configured, but Nexus will also add any roles specified in the User panel. You are augmenting the role information that Nexus gathers from the group element mapping.

Once the user and group mapping has been configured, click on the Users link under Security in the Nexus menu. The Users tab is going to contain all of the configured users for this Nexus instance as shown in Figure 8.8, “Viewing All Configured Users”. A configured user is a user in a Nexus-managed realm or an External User that has an explicit mapping to a Nexus role. In Figure 8.8, “Viewing All Configured Users”, you can see the three default users in the Nexus-managed default realm plus the brian user from LDAP. The brian user appears because this user has been mapped to a Nexus role.


Figure 8.8. Viewing All Configured Users

The list of users in Figure 8.8, “Viewing All Configured Users” is a combination of all of the users in the Nexus default realm and all of the External Users with role mappings. To explore these two sets of users, click on the All Configured Users drop-down and choose Default Realm Users. Once you select this, click in the search field and press Enter. Searching with a blank string in the Users panel will return all of the users of the selected type. In Figure 8.9, “All Default Realm Users” you see a dialog containing all three default users from the Nexus default realm.


Figure 8.9. All Default Realm Users

If you wanted to see a list of all LDAP users, select LDAP from the All Configured Users drop-down shown in Figure 8.8, “Viewing All Configured Users” and click on the search button (magnifying glass) with an empty search field. Clicking search with an empty search field will return all of the LDAP users as shown in Figure 8.10, “All LDAP Users”.


Note that the user tobrien does not show up in the All Configured Users list. This is by design. Nexus is only going to show you information about users with external role mappings. If an organization has an LDAP directory with thousands of developers, Nexus doesn’t need to retain any configuration information for users that don’t have custom Nexus role mappings.


Figure 8.10. All LDAP Users

To add a mapping for an external LDAP user, click on the All Configured Users drop-down and select LDAP. Once you’ve selected LDAP, type in the user ID you are searching for and click the search button (magnifying glass icon to the right of the search field). In Figure 8.11, “Search LDAP Users”, a search for "brian" yields one user from the LDAP server.


Figure 8.11. Search LDAP Users

To add a Nexus role mapping for the external user brian shown in Figure 8.11, “Search LDAP Users”, click on the user in the results table and drag a role from Available Roles to Selected Roles as shown in Figure 8.12, “Mapping the Deployment Role to an External User”. In this case, the user "brian" is mapped to the Administrative group by virtue of his membership in an "admin" group in the LDAP server. In this use case, a Nexus administrator would like to grant Brian the Deployment Role without having to create an LDAP group for this role and modify his group memberships in LDAP.


Figure 8.12. Mapping the Deployment Role to an External User

The end result of this operation is to augment the Group-Role mapping that is provided by the LDAP integration. You can use LDAP groups to manage coarse-grained permissions, granting people administrative privileges and developer roles, and if you need to perform more targeted privilege assignments in Nexus you can map LDAP users to Nexus roles with the techniques shown in this section.
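The role resolution described in this section (group-element mapping plus explicit per-user mappings, and the rule that only externally mapped users appear among the configured users) can be modelled in a few lines. The following is an added example written for this page, not Nexus code or its REST API; the group names, role identifiers, user names and default-realm user list are constructed sample data. It also includes a small audit helper that lists which external users hold roles beyond what their LDAP groups alone would grant, which is the question an administrator reviewing these augmentations usually wants answered.

```python
"""Model of how Nexus resolves roles for an external (LDAP) user.

Effective roles = roles derived from LDAP group membership through the
group-element mapping, plus any roles explicitly mapped to the user in
the Nexus Users panel. All data below is constructed for the example.
"""

# Group-element mapping configured in the LDAP realm: LDAP group -> Nexus roles.
# (Constructed sample values, not a real configuration.)
GROUP_ROLE_MAPPING = {
    "admin": {"nx-admin"},
    "developers": {"nx-developer"},
}

# Explicit user-role mappings that Nexus stores itself for External Users.
# Only users listed here count as "configured users" on the LDAP side.
EXTERNAL_USER_ROLES = {
    "brian": {"nx-deployment"},
}

# Constructed snapshot of LDAP group membership: user -> groups.
LDAP_GROUPS = {
    "brian": {"admin"},
    "tobrien": {"developers"},
    "alice": {"developers", "admin"},
}


def group_derived_roles(user, ldap_groups=LDAP_GROUPS, mapping=GROUP_ROLE_MAPPING):
    """Roles a user receives purely from LDAP group membership."""
    roles = set()
    for group in ldap_groups.get(user, ()):
        roles |= mapping.get(group, set())
    return roles


def effective_roles(user, ldap_groups=LDAP_GROUPS, mapping=GROUP_ROLE_MAPPING,
                    external_user_roles=EXTERNAL_USER_ROLES):
    """Group-derived roles augmented with the user's explicit Nexus mapping."""
    return group_derived_roles(user, ldap_groups, mapping) | external_user_roles.get(user, set())


def configured_users(default_realm_users, external_user_roles=EXTERNAL_USER_ROLES):
    """Users shown under 'All Configured Users': the Nexus default realm users
    plus every External User that has an explicit role mapping. LDAP users
    without such a mapping (tobrien, alice) are deliberately absent."""
    return sorted(set(default_realm_users) | set(external_user_roles))


def augmented_users(ldap_groups=LDAP_GROUPS, mapping=GROUP_ROLE_MAPPING,
                    external_user_roles=EXTERNAL_USER_ROLES):
    """Audit helper: external users whose explicit mapping grants roles that
    their LDAP groups alone would not. Returns user -> sorted extra roles."""
    extra_by_user = {}
    for user, explicit in external_user_roles.items():
        extra = explicit - group_derived_roles(user, ldap_groups, mapping)
        if extra:
            extra_by_user[user] = sorted(extra)
    return extra_by_user


if __name__ == "__main__":
    # Assumed default-realm user names for the demonstration.
    print(configured_users(["admin", "deployment", "anonymous"]))
    print(sorted(effective_roles("brian")))
    print(augmented_users())
```

Running the module lists the configured users (three default-realm users plus brian), brian's effective roles (admin from the LDAP group, deployment from the explicit mapping), and the audit result showing that brian is the only user whose privileges exceed what LDAP groups grant.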