The LDAP Configuration panel in Nexus Repository Manager OSS contains sections to manage User Element Mapping and Group Element Mapping in the User and Group Settings tab. These configuration sections are located in a separate panel called User and Group Settings in Nexus Repository Manager. This panel provides a User & Group Templates drop-down, displayed in Figure 8.3, “User and Group Templates Selection Drop Down”, that adjusts the rest of the user interface based on your template selection.
The User Element Mapping displayed in Figure 8.4, “User Element Mapping” has been prepopulated by the Active Directory selection in the template drop-down and needs to be configured as required by your LDAP server. The available fields are:
- Base DN
Corresponds to the Base DN containing user entries. This DN is relative to the Search Base specified in Figure 8.2, “A Simple LDAP Connection and Authentication Setup”. For example, if your users are all contained in ou=users,dc=sonatype,dc=com and you specified a Search Base of dc=sonatype,dc=com, you would use a value of
- User Subtree
Values are True if there is a tree below the Base DN that can contain user entries and False if all users are contained within the specified Base DN. For example, if all users are in ou=users,dc=sonatype,dc=com this field should be False. If users can appear in organizational units within organizational units such as ou=development,ou=users,dc=sonatype,dc=com, this field should be True.
- Object Class
- This value defaults to inetOrgPerson, which is a standard object class defined in RFC 2798. This Object Class (inetOrgPerson) contains standard fields such as mail and uid. Other possible values are posixAccount or a custom class.
- User ID Attribute
- This is the attribute of the Object class that supplies the User ID. The repository manager uses this attribute as the User ID.
- Real Name Attribute
- This is the attribute of the Object class that supplies the real name of the user. The repository manager uses this attribute when it needs to display the real name of a user.
- E-Mail Attribute
- This is the attribute of the Object class that supplies the email address of the user. The repository manager uses this attribute when it needs to send an email to a user.
- Password Attribute
- This control is only available in Nexus Repository Manager OSS and is replaced by the Use Password Attribute section from Figure 8.5, “Password Attribute” in Nexus Repository Manager. It can be used to configure the attribute of the Object class which supplies the password ("userPassword").
Once the checkbox for Use Password Attribute has been selected, the interface from Figure 8.5, “Password Attribute” allows you to configure the optional attribute. When not configured, authentication occurs as a bind to the LDAP server. Otherwise this is the attribute of the Object class that supplies the password of the user. The repository manager uses this attribute when it is authenticating a user against an LDAP server.
The Group Type drop-down displayed in Figure 8.6, “Dynamic Group Element Mapping” and Figure 8.7, “Static Group Element Mapping” determines which fields are available in the user interface. Groups are generally one of two types in LDAP systems - static or dynamic. A static group contains a list of users. A dynamic group is a list of groups to which a user belongs. In LDAP a static group would be captured in an entry with an Object class groupOfUniqueNames that contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry in LDAP contains an attribute that lists group membership.
Dynamic groups are configured via the Member of Attribute parameter. The repository manager inspects this attribute of the user entry to get a list of groups of which the user is a member. In this configuration, a user entry would have an attribute that contains the name of a group, such as memberOf.
Static groups are configured with the following parameters:
- Base DN
This field is similar to the Base DN field described for User Element Mapping. If your groups were defined under ou=groups,dc=sonatype,dc=com, this field would have a value of
- Group Subtree
- This field is similar to the User Subtree field described for User Element Mapping. If all groups are defined under the entry defined in Base DN, this field should be false. If a group can be defined in a tree of organizational units under the Base DN, then the field should be true.
- Object Class
- This value defaults to groupOfUniqueNames which is a standard object class defined in RFC 4519. This default (groupOfUniqueNames) is simply a collection of references to unique entries in an LDAP directory and can be used to associate user entries with a group. Other possible values are posixGroup or a custom class.
- Group ID Attribute
Specifies the attribute of the Object class that specifies the Group ID. If the value of this field corresponds to the ID of a role, members of this group will have the corresponding privileges. Defaults
- Group Member Attribute
- Specifies the attribute of the Object class which specifies a member of a group. A groupOfUniqueNames has multiple uniqueMember attributes for each member of a group. Defaults to uniqueMember.
- Group Member Format
This field captures the format of the Group Member Attribute, and is used by the repository manager to extract a username from this attribute. For example, if the Group Member Attribute has the value uid=brian,ou=users,dc=sonatype,dc=com, then the Group Member Format would be uid=$username,ou=users,dc=sonatype,dc=com. If the Group Member Attribute had the format brian, then the Group Member Format would be
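The static group parameters above, worked through as an added example (this is not Nexus Repository Manager code): a constructed in-memory directory stands in for the LDAP server, the Base DN is resolved relative to the Search Base, the Subtree flag decides which group entries are in scope, and the Group Member Format is turned into a pattern that extracts the username from each uniqueMember value. Entry DNs, group names and the MAPPING dictionary are all constructed for the example.

```python
# Added example, not Nexus code: resolve static-group membership from a
# constructed directory using the page's Group Element Mapping fields.
import re

SEARCH_BASE = "dc=sonatype,dc=com"

# Constructed sample entries: DN -> attributes (multi-valued, as in LDAP)
DIRECTORY = {
    "uid=brian,ou=users,dc=sonatype,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["brian"]},
    "uid=alice,ou=development,ou=users,dc=sonatype,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "cn=nx-admin,ou=groups,dc=sonatype,dc=com":
        {"objectClass": ["groupOfUniqueNames"], "cn": ["nx-admin"],
         "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com"]},
    "cn=nx-dev,ou=eng,ou=groups,dc=sonatype,dc=com":
        {"objectClass": ["groupOfUniqueNames"], "cn": ["nx-dev"],
         "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com",
                          "uid=alice,ou=development,ou=users,dc=sonatype,dc=com"]},
}

def in_scope(dn, base_dn, subtree):
    """True if dn is directly under base_dn, or anywhere below it when subtree is set."""
    suffix = "," + base_dn.lower()
    if not dn.lower().endswith(suffix):
        return False
    return subtree or "," not in dn[:-len(suffix)]

def member_format_pattern(fmt):
    """Compile 'uid=$username,ou=users,...' (or just '$username') into a regex."""
    body = re.escape(fmt).replace(re.escape("$username"), r"(?P<username>[^,]+)")
    return re.compile("^" + body + "$", re.IGNORECASE)

def static_groups(username, m):
    """Return Group IDs of in-scope static groups whose member values name `username`."""
    base = f"{m['base_dn']},{SEARCH_BASE}" if m["base_dn"] else SEARCH_BASE
    pattern = member_format_pattern(m["member_format"])
    found = set()
    for dn, attrs in DIRECTORY.items():
        if m["object_class"] not in attrs.get("objectClass", []):
            continue
        if not in_scope(dn, base, m["subtree"]):
            continue  # group lies outside the Base DN / Subtree setting
        for value in attrs.get(m["member_attr"], []):
            match = pattern.match(value)
            if match and match.group("username") == username:
                found.add(attrs[m["id_attr"]][0])
    return sorted(found)

MAPPING = {"base_dn": "ou=groups", "subtree": True, "object_class": "groupOfUniqueNames",
           "id_attr": "cn", "member_attr": "uniqueMember",
           "member_format": "uid=$username,ou=users,dc=sonatype,dc=com"}
```

Note that alice, whose entry sits in a nested organizational unit, matches no group with this fixed format: a Group Member Format pinned to ou=users only extracts usernames from member values that share that exact DN shape.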
If your installation does not use Static Groups, you can configure LDAP Integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping.
Once you have configured the User & Group Settings you can check the correctness of your user mapping by pressing the Check User Mapping button visible in Figure 8.7, “Static Group Element Mapping”.
Nexus Repository Manager offers a Check Login button to check an individual user's login; it can be used as documented in Section 8.11.5, “Testing a User Login”.
Press the Save button after successful configuration.