Repository Management with Nexus
8.5. User and Group Mapping
The LDAP Configuration panel in Nexus Open Source contains sections to manage User Element Mapping and Group Element Mapping in the User and Group Settings tab. In Nexus Professional these configuration sections are located in a separate panel called User and Group Settings. This panel provides a User & Group Templates drop down, displayed in Figure 8.5, “User & Group Templates Selection Drop Down”, that adjusts the rest of the user interface based on your template selection.
The User Element Mapping displayed in Figure 8.6, “User Element Mapping” has been prepopulated by the Active Directory selection in the template drop down and needs to be configured as required by your LDAP server. The available fields are:
- Base DN
- Corresponds to the Base DN containing user entries. This DN is relative to the Search Base which was specified in Figure 8.4, “A Simple LDAP Connection and Authentication Setup”. For example, if your users are all contained in "ou=users,dc=sonatype,dc=com" and you specified a Search Base of "dc=sonatype,dc=com", you would use a value of "ou=users".
- User Subtree
- True if there is a tree below the Base DN which can contain user entries. False if all users are contained directly within the specified Base DN. For example, if all users are in "ou=users,dc=sonatype,dc=com" this field should be false. If users can appear in organizational units within organizational units, such as "ou=development,ou=users,dc=sonatype,dc=com", this field should be true.
- Object Class
- This value defaults to inetOrgPerson, which is a standard object class defined in RFC 2798. inetOrgPerson contains standard fields such as mail and uid. Other possible values are posixAccount or a custom class.
- User ID Attribute
- This is the attribute of the Object class which supplies the User ID. Nexus will use this attribute as the Nexus User ID.
- Real Name Attribute
- This is the attribute of the Object class which supplies the real name of the user. Nexus will use this attribute when it needs to display the real name of a user.
- E-Mail Attribute
- This is the attribute of the Object class which supplies the email address of the user. Nexus will use this attribute when it needs to send an email to a user.
- Password Attribute
- This control is only available in Nexus Open Source; in Nexus Professional it is replaced by the Use Password Attribute section from ???. It configures the attribute of the Object class which supplies the password ("userPassword").
Once the checkbox for Use Password Attribute has been selected, the interface from ??? allows you to configure the optional attribute. When it is not configured, authentication occurs as a bind to the LDAP server. Otherwise this is the attribute of the Object class which supplies the password of the user, and Nexus will use this attribute when it is authenticating a user against an LDAP server.
The Group Type drop down displayed in Figure 8.7, “Dynamic Group Element Mapping” and Figure 8.8, “Static Group Element Mapping” determines which fields are available in the user interface. Groups are generally one of two types in LDAP systems - static or dynamic. A static group entry contains a list of its users. In a dynamic group, each user entry carries the list of groups the user belongs to. In LDAP a static group would be captured in an entry with an Object class groupOfUniqueNames which contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry in LDAP contains an attribute which lists group membership.
Dynamic groups are configured via the Member of Attribute parameter. Nexus will inspect this attribute of the user entry to get a list of groups that the user is a member of. In this configuration, a user entry would have an attribute such as memberOf which would contain the name of a group.
Static groups are configured with the following parameters:
- Base DN
- This field is similar to the Base DN field described for User Element Mapping. If your groups were defined under "ou=groups,dc=sonatype,dc=com", this field would have a value of "ou=groups".
- Group Subtree
- This field is similar to the User Subtree field described for User Element Mapping. If all groups are defined directly under the entry defined in Base DN, this field should be false. If a group can be defined in a tree of organizational units under the Base DN, this field should be true.
- Object Class
- This value defaults to groupOfUniqueNames, which is a standard object class defined in RFC 4519. groupOfUniqueNames is simply a collection of references to unique entries in an LDAP directory and can be used to associate user entries with a group. Other possible values are posixGroup or a custom class.
- Group ID Attribute
- Specifies the attribute of the Object class which specifies the Group ID. If the value of this field corresponds to the ID of a Nexus Role, members of this group will have the corresponding Nexus privileges. Defaults to "cn".
- Group Member Attribute
- Specifies the attribute of the Object class which specifies a member of a group. A groupOfUniqueNames has multiple uniqueMember attributes for each member of a group. Defaults to "uniqueMember".
- Group Member Format
- This field captures the format of the Group Member Attribute and it is used by Nexus to extract a username from this attribute. For example, if the Group Member Attribute has the format "uid=brian,ou=users,dc=sonatype,dc=com", then the Group Member Format would be "uid=$username,ou=users,dc=sonatype,dc=com". If the Group Member Attribute had the format "brian", then the Group Member Format would be "$username".
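The following added example, which is not part of the Nexus book or of Nexus itself, models how the User Element Mapping fields above (Base DN relative to the Search Base, User Subtree, Object Class, User ID Attribute) and the static Group Element Mapping fields (Group ID Attribute, Group Member Attribute, Group Member Format with its `$username` placeholder) combine to resolve users and their groups. It runs against a small constructed in-memory directory instead of a live LDAP server; the entries, DNs and group names are invented sample data, and the `find_users`, `static_groups` and `dynamic_groups` functions are illustrations of the mapping logic, not Nexus APIs.

```python
import re

# Constructed sample directory (DN -> attributes). Invented data, not a real Sonatype tree.
SEARCH_BASE = "dc=sonatype,dc=com"
DIRECTORY = {
    "uid=brian,ou=users,dc=sonatype,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["brian"], "cn": ["Brian Example"],
        "mail": ["brian@example.com"],
        "memberOf": ["cn=nx-admin,ou=groups,dc=sonatype,dc=com"]},
    # A user nested one OU deeper: only found when User Subtree is true.
    "uid=tim,ou=development,ou=users,dc=sonatype,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["tim"], "cn": ["Tim Example"],
        "mail": ["tim@example.com"], "memberOf": []},
    "cn=nx-admin,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["nx-admin"],
        "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com"]},
    "cn=nx-deployment,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["nx-deployment"],
        "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com",
                         "uid=tim,ou=development,ou=users,dc=sonatype,dc=com"]},
}

# Hypothetical mapping settings, mirroring the fields described in the text.
USER_MAPPING = {"base_dn": "ou=users", "subtree": True, "object_class": "inetOrgPerson",
                "user_id_attr": "uid", "real_name_attr": "cn", "email_attr": "mail"}
GROUP_MAPPING = {"base_dn": "ou=groups", "subtree": False,
                 "object_class": "groupOfUniqueNames", "group_id_attr": "cn",
                 "member_attr": "uniqueMember",
                 "member_format": "uid=$username,ou=users,dc=sonatype,dc=com"}


def full_dn(base_dn):
    """Relative Base DN joined to the Search Base; an empty Base DN means the Search Base."""
    return f"{base_dn},{SEARCH_BASE}" if base_dn else SEARCH_BASE


def in_scope(dn, base, subtree):
    """True if dn sits under base: any depth when subtree, else exactly one RDN below.
    Assumes no escaped commas inside RDN values (fine for this sample data)."""
    suffix = "," + base
    if not dn.endswith(suffix):
        return False
    relative = dn[:-len(suffix)]
    return subtree or "," not in relative


def find_users(cfg):
    """Map Nexus User ID -> entry DN for entries matching the User Element Mapping."""
    base = full_dn(cfg["base_dn"])
    return {attrs[cfg["user_id_attr"]][0]: dn for dn, attrs in DIRECTORY.items()
            if cfg["object_class"] in attrs["objectClass"]
            and in_scope(dn, base, cfg["subtree"])}


def member_pattern(group_member_format):
    """Turn a Group Member Format such as 'uid=$username,ou=users,...' into a regex
    whose named group 'username' captures the user ID."""
    escaped = re.escape(group_member_format)  # re.escape turns '$' into '\$'
    return re.compile("^" + escaped.replace(r"\$username", "(?P<username>[^,]+)") + "$")


def static_groups(cfg, users):
    """Static groups: read each group's member attribute, extract the username with the
    Group Member Format, and collect Group IDs per known user."""
    base = full_dn(cfg["base_dn"])
    pattern = member_pattern(cfg["member_format"])
    membership = {uid: set() for uid in users}
    for dn, attrs in DIRECTORY.items():
        if cfg["object_class"] not in attrs["objectClass"] or not in_scope(dn, base, cfg["subtree"]):
            continue
        group_id = attrs[cfg["group_id_attr"]][0]
        for member in attrs.get(cfg["member_attr"], []):
            match = pattern.match(member)
            if match and match.group("username") in membership:
                membership[match.group("username")].add(group_id)
    return membership


def dynamic_groups(users, member_of_attr="memberOf"):
    """Dynamic groups: read the Member of Attribute on the user entry; the Group ID is
    taken from the first RDN value (cn=nx-admin,... -> nx-admin)."""
    result = {}
    for uid, dn in users.items():
        groups = {group_dn.split(",", 1)[0].split("=", 1)[1]
                  for group_dn in DIRECTORY[dn].get(member_of_attr, [])}
        result[uid] = groups
    return result


def check_user_mapping(user_cfg, group_cfg):
    """Rows like the Check User Mapping view: (user ID, real name, e-mail, sorted group IDs)."""
    users = find_users(user_cfg)
    groups = static_groups(group_cfg, users)
    return [(uid, DIRECTORY[dn][user_cfg["real_name_attr"]][0],
             DIRECTORY[dn][user_cfg["email_attr"]][0], sorted(groups[uid]))
            for uid, dn in sorted(users.items())]


if __name__ == "__main__":
    for row in check_user_mapping(USER_MAPPING, GROUP_MAPPING):
        print(row)
```

Running it shows the effect of the Subtree and Group Member Format settings together: with User Subtree true, `tim` is found in the nested `ou=development` unit, but the fixed member format `uid=$username,ou=users,dc=sonatype,dc=com` does not match his member DN, so he gets no static groups even though `nx-deployment` lists him. If users live in nested organizational units, the Group Member Format has to account for that, or the mapping will silently drop their group assignments, which is exactly the kind of gap the Check User Mapping button is there to reveal.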
If your installation does not use Static Groups, you can configure Nexus LDAP Integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping.
Once you have configured the User & Group Settings you can check the correctness of your user mapping by pressing the Check User Mapping button visible in Figure 8.8, “Static Group Element Mapping”.
Nexus Professional offers a "Check Login" button to check an individual user's login; it can be used as documented in Section 8.11.5, “Testing a User Login”.
Press the Save button after successful configuration.