Lightweight Directory Access Protocol, more commonly known as LDAP, provides both a protocol and a directory for storing user information. LDAP has become a ubiquitous part of most organizations' efforts to create a single sign-on environment and to streamline user management across applications. While we will cover some LDAP basics, the information provided here is limited and should not be considered a full reference.
A single LDAP realm is supported, which simply means it is limited to a single LDAP server. This connection is configured via the IQ Server. There are essentially two parts to integrating with LDAP:
Our setup instructions provide an example using the Active Directory format and represent only the most basic approach. What we provide in this chapter assumes the Simple authentication method for LDAP. However, in a standard installation you would likely not want to use Simple authentication, as it sends the password in clear text over the network. Additionally, we have indicated a search base that corresponds to our organization's top-level domain components, "dc=sonatype,dc=com". The structure can vary greatly based on your own LDAP server configuration.
Once the LDAP server is configured and user attributes have been mapped, both LDAP users and users created in the IQ Server realm will be able to log in.
The first step is to configure the LDAP Server connection. These instructions are pretty straightforward as long as you have the necessary information. For this example, let’s assume we have been provided the following:
| Field | Value |
|---|---|
| Server Name | Test LDAP Server |
| Protocol | LDAP |
| Hostname | wind-son04 |
| Port | 389 |
| Search Base | dc=sonatype,dc=com |
| Authentication Type | Simple |
| Username | testuser |
| Password | tester |
The information provided will not allow you to access an LDAP server; it is given for demonstration purposes only. In addition, it represents only a simple connection. For an explanation of all available parameters, see the next section.
Now, access the IQ Server:
Using the information from the table above, our configuration should look something like this:
If at any point you wish to reset the form, click the reset button; any values that have been entered will be removed.
As mentioned, the example above is a basic setup. Given this, there are a number of parameters not utilized. This section provides descriptions for all available parameters that can be configured in the Connection section of the LDAP Configuration area on the IQ Server. When applicable, required fields have been noted.
Four distinct authentication methods can be used when connecting to the LDAP Server:
Two configuration options are available.
Once the LDAP Server has been configured, you can map the information attributes of an LDAP user. As with configuring the LDAP Server, this requires that you have information about the location of the various user attributes. Here is a sample set of data that you would likely see:
| Field | Value |
|---|---|
| Base DN | cn=users |
| Object Class | user |
| Username Attribute | sAMAccountName |
| Real Name Attribute | cn |
| Email Attribute | |
Once you have gathered this information, access the IQ Server LDAP Configuration:
If at any point you wish to reset the form, click the reset button; any values that have been entered will be removed.
Using the information from the table above, our configuration would look like this:
As mentioned, the example above is a basic setup. Specifically, we do not turn on the User Subtree option or utilize the User Filter. Descriptions for those fields, as well as all available parameters for mapping LDAP User Attributes, have been provided below. When applicable, required fields have been noted.
In most LDAP implementations users are collected into various groups. This allows for better organization of a larger number of users, as well as providing a mechanism to isolate particular groups for specific permissions and integration into other systems. If LDAP groups are not mapped, all LDAP users will be pulled in from the Base DN. This isn't much of an issue for a small number of users. However, for larger ones it may be a concern and might grant unintended access.
As we've done with the other configuration areas, let's look at a sample set of data. In the example below we'll be configuring a static LDAP group.
| Field | Value |
|---|---|
| Group Type | Static |
| Base DN | ou=groups |
| Object Class | group |
| Group ID Attribute | sAMAccountName |
| Group Member Attribute | member |
| Group Member Format | |
Once you have gathered this information, access the LDAP Configuration area on the IQ Server:
If at any point you wish to reset the form, click the reset button; any values that have been entered will be removed.
Using the information from the table above, our configuration would look like this:
Groups are generally one of two types in LDAP systems: static or dynamic. A static group entry contains a list of its member users. In a dynamic group, each user entry contains a list of the groups the user belongs to. In LDAP a static group would be captured in an entry with the object class groupOfUniqueNames, which contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry in LDAP contains an attribute that lists group membership. This means the available parameters differ based on whether you've chosen static or dynamic.
Static groups are preferred over dynamic ones, and will generally perform better if you have a large number of LDAP users.
Static groups are configured with the following parameters:
If the Group Member Attribute had the format uid=brian,ou=users,dc=sonatype,dc=com, then the Group Member Format would be uid=${username},ou=users,dc=sonatype,dc=com. If the Group Member Attribute had the format "brian", then the Group Member Format would be ${username}.
If your installation does not use Static Groups, you can configure LDAP integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping.
Dynamic groups are configured via the Member of Attribute parameter. This attribute of the user entry provides the list of LDAP groups that the user is a member of. In this configuration, a user entry would have an attribute such as memberOf that contains the name of a group.
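As an added example (not code from the Sonatype documentation or the IQ Server), the following Python models how the static and dynamic group mappings described above resolve a user's groups: for static groups it substitutes ${username} into the Group Member Format and matches the result against each group's Group Member Attribute; for dynamic groups it reads the Member Of Attribute from the user entry. The directory entries, the search base and the attribute names are constructed sample data.

```python
from string import Template

SEARCH_BASE = "dc=sonatype,dc=com"  # constructed sample search base

# Constructed sample directory, keyed by DN; attribute values are lists as in LDAP.
DIRECTORY = {
    "uid=brian,ou=users,dc=sonatype,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["brian"],
        "memberOf": ["cn=developers,ou=groups,dc=sonatype,dc=com"],
    },
    "cn=developers,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["developers"],
        "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com"],
    },
    "cn=admins,ou=groups,dc=sonatype,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["admins"],
        "uniqueMember": ["uid=alice,ou=users,dc=sonatype,dc=com"],
    },
}

def static_groups(username, base_dn, object_class, group_id_attr,
                  member_attr, member_format):
    """Static mapping: substitute ${username} into the Group Member Format and
    return the Group ID of every group under the Base DN whose Group Member
    Attribute holds that value."""
    expected = Template(member_format).substitute(username=username)
    group_base = f",{base_dn},{SEARCH_BASE}".lower()  # Base DN is relative to the search base
    found = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(group_base):
            continue  # entry is outside the group Base DN
        if object_class not in entry.get("objectClass", []):
            continue  # wrong Object Class
        if expected in entry.get(member_attr, []):
            found.extend(entry.get(group_id_attr, []))
    return found

def dynamic_groups(user_dn, member_of_attr):
    """Dynamic mapping: read the Member Of Attribute from the user entry and
    take the leading RDN value of each group DN as the group name."""
    entry = DIRECTORY.get(user_dn, {})
    groups = []
    for group_dn in entry.get(member_of_attr, []):
        rdn = group_dn.split(",", 1)[0]       # e.g. "cn=developers"
        groups.append(rdn.split("=", 1)[1])   # -> "developers"
    return groups
```

A Group Member Format of plain ${username} yields no matches against this directory, because its member values are full DNs; that is the mismatch the format setting exists to fix.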
Depending on the size of your enterprise, LDAP search could be slow. If you find this is the case, uncheck the option to "Include in Search". This will exclude groups from search results when assigning users to roles. Searching for users will remain unaffected.
It’s easy to make a typo, or even have entered the wrong information when mapping LDAP users or groups. There are a number of tools provided within the LDAP configuration area to assist in making sure everything has been mapped correctly. Each of these is discussed below.
Testing the LDAP connection is the first step. If you can’t connect to your LDAP server, user and group mapping will fail as well.
Whether usernames, real names, email addresses, and groups have been mapped correctly can be verified with Check User Mapping.
Copyright © 2008-present, Sonatype Inc. All rights reserved.