Lightweight Directory Access Protocol, more commonly known as LDAP, provides both a protocol and a directory for storing user information. LDAP has become a ubiquitous part of most organizations' efforts to create a single sign-on environment and to streamline user management for various applications. While we will cover some LDAP basics, the information provided here is limited and should not be considered a full reference.
Sonatype CLM supports a single LDAP realm, which simply means we support connection to a single LDAP server. This connection is configured via the Sonatype CLM Server. There are essentially two parts to integrating Sonatype CLM with LDAP:
Our setup instructions provide an example using the Active Directory format and represent only the most basic approach. What we provide in this chapter assumes the Simple authentication method for LDAP. However, on a standard installation of Sonatype CLM you would likely not want to use Simple authentication, as it sends the password in clear text over the network. Additionally, we have indicated a search base that corresponds to our organization's top-level domain components, "dc=sonatype,dc=com". The structure can vary greatly based on your own LDAP server configuration.
Once the LDAP server is configured and user attributes have been mapped, both LDAP users and users created in the Sonatype CLM Realm will be able to log in to Sonatype CLM.
The first step to establish the LDAP connection is to configure Sonatype CLM to point to your LDAP server. Those instructions are pretty straightforward as long as you have the necessary information. For this example, let’s assume we have been provided the following information:
| Field | Value |
| --- | --- |
| Server Name | Test LDAP Server |
| Protocol | LDAP |
| Hostname | wind-son04 |
| Port | 389 |
| Search Base | dc=sonatype,dc=com |
| Authentication Type | Simple |
| Username | testuser |
| Password | tester |
The information provided will not allow you to access an LDAP server and is given for demonstration purposes only. In addition, this is only a representation of a simple connection. For an explanation of all available parameters, please see the next section.
Now, access the Sonatype CLM Server:
Using the information from the table above, our configuration should look something like this:
If at any point you wish to reset the form, click the reset button; any values that have been entered will be removed.
As mentioned, the example above is a basic setup. Given this, there are a number of parameters not utilized. This section provides descriptions for all available parameters that can be configured in the Connection section of the LDAP Configuration area on the Sonatype CLM Server. When applicable, required fields have been noted.
Sonatype CLM provides four distinct authentication methods to be used when connecting to the LDAP Server:
Once the LDAP server has been configured, you can map the attributes of an LDAP user to those of a Sonatype CLM user. As with configuring the LDAP server, this requires that you know where the various user attributes are located. Here is a sample set of data that you would likely see:
| Field | Value |
| --- | --- |
| Base DN | cn=users |
| Object Class | user |
| Username Attribute | sAMAccountName |
| Real Name Attribute | cn |
| Email Attribute | |
Once you have gathered this information, access the Sonatype CLM Server LDAP Configuration:
If at any point you wish to reset the form, click the reset button; any values that have been entered will be removed.
Using the information from the table above, our configuration would look like this:
As mentioned, the example above is a basic setup. Specifically, we do not turn on the User Subtree option or utilize the User Filter. Descriptions for those fields, as well as all available parameters for mapping LDAP User Attributes to Sonatype CLM have been provided below. When applicable, required fields have been noted.
In most LDAP implementations users are collected into various groups. This allows for better organization of a larger number of users, and provides a mechanism to isolate particular groups for specific permissions and for integration into other systems such as Sonatype CLM. If LDAP groups are not mapped, Sonatype CLM will pull in all users from the Base DN. This is not much of an issue for a small number of users; for larger directories, however, it may be a concern and might grant unintended access.
As we've done with the other configuration areas, let's look at a sample set of data. In the example below we'll be configuring a static LDAP group.
| Field | Value |
| --- | --- |
| Group Type | Static |
| Base DN | ou=groups |
| Object Class | group |
| Group ID Attribute | sAMAccountName |
| Group Member Attribute | member |
| Group Member Format | |
Once you have gathered this information, access the Sonatype CLM Server LDAP Configuration:
If at any point you wish to reset the form, click the reset button; any values that have been entered will be removed.
Using the information from the table above our configuration would look like this:
Groups are generally one of two types in LDAP systems: static or dynamic. A static group entry contains the list of its users. In a dynamic group, each user entry contains the list of groups the user belongs to. In LDAP, a static group is captured in an entry with the object class groupOfUniqueNames, which contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry contains an attribute that lists its group memberships. This means the available parameters differ depending on whether you've chosen static or dynamic.
Static groups are preferred over dynamic ones, and will generally perform better if you have a large number of LDAP users.
Static groups are configured with the following parameters:
For example, if the Group Member Attribute had the format uid=brian,ou=users,dc=sonatype,dc=com, then the Group Member Format would be uid=${username},ou=users,dc=sonatype,dc=com. If the Group Member Attribute had the format "brian", then the Group Member Format would be ${username}.
If your installation does not use Static Groups, you can configure Sonatype CLM LDAP integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping.
Dynamic groups are configured via the Member of Attribute parameter. Sonatype CLM will inspect this attribute of the user entry to get a list of groups that the user is a member of. In this configuration, a user entry would have an attribute such as memberOf which would contain the name of a group.
Depending on the size of your enterprise, LDAP search could be slow. If you find this is the case, uncheck the option to "Include in Search". This will exclude groups from search results when assigning users to roles. Searching for users will remain unaffected.
It's easy to make a typo or enter the wrong information when mapping LDAP users or groups. A number of tools are provided within the LDAP configuration area to help verify that everything has been mapped correctly. Each of these is discussed below.
Testing the LDAP connection is the first step. If you can’t connect to your LDAP server, user and group mapping will fail as well.
Check User Mapping verifies that usernames, real names, email addresses, and groups have been mapped correctly.