Step 3 - Security Administration

3.6. LDAP Group Parameters

Groups are generally one of two types in LDAP systems - static or dynamic. A static group is a group entry that contains a list of its member users. A dynamic group is the reverse: each user entry contains a list of the groups the user belongs to. In LDAP, a static group is typically captured in an entry with the object class groupOfUniqueNames, which contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry in LDAP contains an attribute that lists the user's group memberships. This means the available parameters differ based on whether you've chosen static or dynamic.

Tip

Static groups are preferred over dynamic ones, and will generally perform better if you have a large number of LDAP users.

3.6.1. Static Groups

Static groups are configured with the following parameters:

Base DN (required)
This field is similar to the Base DN field described for User Element Mapping. If your groups were defined under "ou=groups,dc=sonatype,dc=com", this field would have a value of "ou=groups".
Group Subtree
This field is similar to the User Subtree field described for User Element Mapping. If all groups are defined under the entry defined in Base DN, this field should not be selected. If a group can be defined in a tree of organizational units under the Base DN, this field should be selected.
Object Class (required)
This is a standard object class defined as a collection of references to unique entries in an LDAP directory, and can be used to associate user entries with a group.
Group ID Attribute (required)
This field specifies the attribute of the Object class that defines the Group ID.
Group Member Attribute (required)
This field specifies the attribute of the Object class that defines a member of a group.
Group Member Format (required)
This field captures the format of the Group Member Attribute, and it is used by Sonatype CLM to extract a username from this attribute. For example, if the Group Member Attribute has the format "uid=brian,ou=users,dc=sonatype,dc=com", then the Group Member Format would be "uid=$username,ou=users,dc=sonatype,dc=com". If the Group Member Attribute had the format "brian", then the Group Member Format would be "$username".

3.6.2. Dynamic Groups

If your installation does not use Static Groups, you can configure the Sonatype CLM LDAP integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping.

Dynamic groups are configured via the Member of Attribute parameter. Sonatype CLM will inspect this attribute of the user entry to get a list of groups that the user is a member of. In this configuration, a user entry would have an attribute such as memberOf which would contain the name of a group.
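As an added illustration, not Sonatype's own code, the following Python script shows how a Group Member Format template is applied to member attribute values and how static (3.6.1) and dynamic (3.6.2) membership resolve against a constructed in-memory directory. The matching rules it uses (template matched literally and case-insensitively, username running up to the next comma, memberOf holding either a group DN or a bare name) are assumptions for the example, not CLM's documented behaviour.

```python
import re

# Constructed sample directory, keyed by DN (not from a real server): one static
# group of objectClass groupOfUniqueNames and one user entry carrying memberOf.
# Values are lists because LDAP attributes are multi-valued.
DIRECTORY = {
    "cn=developers,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["developers"],
        "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com",
                         "uid=alice,ou=users,dc=sonatype,dc=com",
                         # outside ou=users: will not match the format below
                         "uid=svc-build,ou=services,dc=sonatype,dc=com"],
    },
    "uid=brian,ou=users,dc=sonatype,dc=com": {
        "uid": ["brian"], "memberOf": ["cn=developers,ou=groups,dc=sonatype,dc=com"],
    },
}

def format_to_regex(member_format):
    """Compile a Group Member Format such as 'uid=$username,ou=users,dc=sonatype,dc=com'
    into a regex whose single capture group is the username (assumed matching rule)."""
    head, sep, tail = member_format.partition("$username")
    if not sep or "$username" in tail:
        raise ValueError("format must contain exactly one $username")
    return re.compile(re.escape(head) + r"([^,]+)" + re.escape(tail) + r"\Z", re.IGNORECASE)

def extract_username(member_value, member_format):
    """Username embedded in one member attribute value, or None when the value does
    not fit the format (a DN from another subtree, a malformed value)."""
    m = format_to_regex(member_format).match(member_value.strip())
    return m.group(1) if m else None

def static_groups_for(username, directory, object_class="groupOfUniqueNames",
                      group_id_attr="cn", member_attr="uniqueMember",
                      member_format="uid=$username,ou=users,dc=sonatype,dc=com"):
    """Static Groups: scan entries of the Object Class, read the Group Member Attribute
    and return the Group ID of every group with a member value yielding this username."""
    return sorted(e[group_id_attr][0] for e in directory.values()
                  if object_class in e.get("objectClass", [])
                  and username in {extract_username(v, member_format) for v in e.get(member_attr, [])})

def dynamic_groups_for(user_dn, directory, member_of_attr="memberOf"):
    """Dynamic Groups: read the Member of Attribute on the user entry itself. A value
    may be a group DN or a bare group name; a DN is reduced to its first RDN value."""
    names = []
    for value in directory.get(user_dn, {}).get(member_of_attr, []):
        rdn = value.split(",", 1)[0]
        names.append(rdn.partition("=")[2].strip() if "=" in rdn else rdn.strip())
    return sorted(names)
```

A member value that does not fit the format, such as the ou=services DN in the sample, yields no username and therefore never grants membership, which is the first thing to check when a user is unexpectedly missing from a group.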