Repository Management with Nexus

8.5. User and Group Mapping

The LDAP Configuration panel in Nexus Open Source contains sections to manage User Element Mapping and Group Element Mapping in the User and Group Settings tab. In Nexus Professional these configuration sections are located in a separate panel called User and Group Settings. This panel provides a User & Group Templates drop down, displayed in Figure 8.3, “User & Group Templates Selection Drop Down”, that adjusts the rest of the user interface based on your template selection.

figs/web/ldap_user_group_templates.png

Figure 8.3. User & Group Templates Selection Drop Down


The User Element Mapping displayed in Figure 8.4, “User Element Mapping” has been prepopulated by the Active Directory selection in the template drop down and needs to be configured as required by your LDAP server. The available fields are:

Base DN
Corresponds to the Base DN containing user entries. This DN is relative to the Search Base specified in Figure 8.2, “A Simple LDAP Connection and Authentication Setup”. For example, if your users are all contained in ou=users,dc=sonatype,dc=com and you specified a Search Base of dc=sonatype,dc=com, you would use a value of ou=users.
User Subtree
True if there is a tree below the Base DN which can contain user entries. False if all users are contained directly within the specified Base DN. For example, if all users are in ou=users,dc=sonatype,dc=com this field should be false. If users can appear in organizational units within organizational units, such as ou=development,ou=users,dc=sonatype,dc=com, this field should be true.
Object Class
This value defaults to inetOrgPerson, which is a standard object class defined in RFC 2798. inetOrgPerson contains standard attributes such as mail and uid. Other possible values are posixAccount or a custom class.
User ID Attribute
This is the attribute of the Object class which supplies the User ID. Nexus will use this attribute as the Nexus User ID.
Real Name Attribute
This is the attribute of the Object class which supplies the real name of the user. Nexus will use this attribute when it needs to display the real name of a user.
E-Mail Attribute
This is the attribute of the Object class which supplies the email address of the user. Nexus will use this attribute when it needs to send an email to a user.
Password Attribute
This control is only available in Nexus Open Source and is replaced by the Use Password Attribute section from ??? in Nexus Professional. It configures the attribute of the Object class which supplies the password (for example, userPassword).

figs/web/ldap_user_element_mapping.png

Figure 8.4. User Element Mapping


Once the checkbox for Use Password Attribute has been selected, the interface from ??? allows you to configure the optional attribute. When it is not configured, authentication occurs as a bind to the LDAP server with the user's credentials. Otherwise this is the attribute of the Object class which supplies the password of the user, and Nexus reads this attribute when it is authenticating a user against an LDAP server.

figs/web/ldap_use_password_attribute.png

The Group Type drop down displayed in Figure 8.5, “Dynamic Group Element Mapping” and Figure 8.6, “Static Group Element Mapping” determines which fields are available in the user interface. Groups in LDAP systems are generally one of two types: static or dynamic. A static group contains a list of users. A dynamic group is one where the user entry contains a list of the groups the user belongs to. In LDAP a static group would be captured in an entry with the Object class groupOfUniqueNames, which contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry in LDAP contains an attribute which lists group membership.

figs/web/ldap_group_element_mapping_dynamic.png

Figure 8.5. Dynamic Group Element Mapping


Dynamic groups are configured via the Member of Attribute parameter. Nexus will inspect this attribute of the user entry to get a list of groups that the user is a member of. In this configuration, a user entry would have an attribute such as memberOf which would contain the name of a group.

figs/web/ldap_group_element_mapping_static.png

Figure 8.6. Static Group Element Mapping


Static groups are configured with the following parameters:

Base DN
This field is similar to the Base DN field described for User Element Mapping. If your groups were defined under "ou=groups,dc=sonatype,dc=com", this field would have a value of "ou=groups".
Group Subtree
This field is similar to the User Subtree field described for User Element Mapping. If all groups are defined directly under the entry specified in Base DN, this field should be false. If a group can be defined in a tree of organizational units under the Base DN, this field should be true.
Object Class
This value defaults to groupOfUniqueNames, which is a standard object class defined in RFC 4519. groupOfUniqueNames is simply a collection of references to unique entries in an LDAP directory and can be used to associate user entries with a group. Other possible values are posixGroup or a custom class.
Group ID Attribute
Specifies the attribute of the Object class which specifies the Group ID. If the value of this field corresponds to the ID of a Nexus Role, members of this group will have the corresponding Nexus privileges. Defaults to cn.
Group Member Attribute
Specifies the attribute of the Object class which identifies a member of a group. A groupOfUniqueNames entry has one uniqueMember attribute value for each member of the group. Defaults to "uniqueMember".
Group Member Format
This field captures the format of the Group Member Attribute and it is used by Nexus to extract a username from this attribute. For example, if the Group Member Attribute has the format uid=brian,ou=users,dc=sonatype,dc=com, then the Group Member Format would be uid=$username,ou=users,dc=sonatype,dc=com. If the Group Member Attribute had the format brian, then the Group Member Format would be $username.

If your installation does not use Static Groups, you can configure Nexus LDAP Integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping.
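The following is an added example, not code from the book or from Nexus itself, that models how the User Element Mapping, Static Group Element Mapping and Dynamic Group settings above turn a user ID into a set of Group IDs (which Nexus then matches against Role IDs). The directory entries and configuration values are constructed for illustration; the handling of the memberOf value in dynamic mode (taking the first RDN value as the group ID) is an assumption of this example.

```python
# Constructed sample directory (not from the original page), keyed by DN. Base DNs below are
# relative to the Search Base, as on the Nexus LDAP configuration panel.
SEARCH_BASE = "dc=sonatype,dc=com"
DIRECTORY = {
    "uid=brian,ou=users,dc=sonatype,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["brian"],
        "memberOf": ["cn=nx-admin,ou=groups,dc=sonatype,dc=com"]},
    "uid=anna,ou=dev,ou=users,dc=sonatype,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["anna"], "memberOf": []},
    "cn=nx-deployer,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["nx-deployer"],
        "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com",
                         "uid=anna,ou=dev,ou=users,dc=sonatype,dc=com"]},
    "cn=nx-dev,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["nx-dev"], "memberUid": ["anna"]},
}
# Field values as they would be entered in User Element Mapping and Static Group Element Mapping.
STATIC_CFG = {"user_base_dn": "ou=users", "user_subtree": True, "user_object_class": "inetOrgPerson",
              "user_id_attr": "uid", "group_type": "static", "group_base_dn": "ou=groups",
              "group_subtree": False, "group_object_class": "groupOfUniqueNames",
              "group_id_attr": "cn", "group_member_attr": "uniqueMember",
              "group_member_format": "uid=$username,ou=users,dc=sonatype,dc=com"}
POSIX_CFG = dict(STATIC_CFG, group_object_class="posixGroup", group_member_attr="memberUid",
                 group_member_format="$username")
DYNAMIC_CFG = dict(STATIC_CFG, group_type="dynamic", member_of_attr="memberOf")

def in_scope(dn, base_dn, subtree):
    """Entry sits directly under base_dn (subtree=False) or anywhere below it (subtree=True)."""
    full_base = f"{base_dn},{SEARCH_BASE}"
    return dn.endswith("," + full_base) and (subtree or "," not in dn[: -len(full_base) - 1])

def find_user(user_id, cfg):
    """User Element Mapping: the entry of the configured Object Class whose User ID Attribute is user_id."""
    for dn, entry in DIRECTORY.items():
        if (cfg["user_object_class"] in entry["objectClass"] and entry.get(cfg["user_id_attr"]) == [user_id]
                and in_scope(dn, cfg["user_base_dn"], cfg["user_subtree"])):
            return entry
    return None

def resolve_groups(user_id, cfg):
    """Group IDs for user_id; Nexus matches these against Role IDs to grant privileges."""
    user = find_user(user_id, cfg)
    if user is None:
        return set()
    if cfg["group_type"] == "dynamic":
        # Dynamic: read the user's Member of Attribute. Assumption: the group ID is the first RDN value.
        return {v.split(",")[0].split("=", 1)[1] for v in user.get(cfg["member_of_attr"], [])}
    # Static: substitute the user ID into Group Member Format and look for that exact member value.
    expected = cfg["group_member_format"].replace("$username", user_id)
    return {g[cfg["group_id_attr"]][0] for gdn, g in DIRECTORY.items()
            if cfg["group_object_class"] in g["objectClass"] and expected in g.get(cfg["group_member_attr"], [])
            and in_scope(gdn, cfg["group_base_dn"], cfg["group_subtree"])}
```

Note that anna, who sits in ou=dev below the user Base DN, is only found when User Subtree is true, and matches the groupOfUniqueNames group only if her uniqueMember value has exactly the shape the Group Member Format describes; with the fixed format above she gets no static group, while the posixGroup configuration with a $username format matches her memberUid value.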

Once you have configured the User & Group Settings you can check the correctness of your user mapping by pressing the Check User Mapping button visible in Figure 8.6, “Static Group Element Mapping”.

Nexus Professional offers a Check Login button to check an individual user's login; it can be used as documented in Section 8.11.5, “Testing a User Login”.

Press the Save button after successful configuration.