7.2. Configuring Nexus LDAP Integration  TOC  7.4. User and Group Mapping

7.3. Connection and Authentication

Figure 7.4 shows Nexus configured to hit an LDAP server running on localhost port 10389 using the search base of "ou=system". On a more standard installation, you would likely not want to use Simple Authentication as it sends the password in clear text over the network, and you would also use a search base which corresponds to your organization's top-level domain components such as "dc=sonatype,dc=com".

Connection and Authentication Configuration for LDAP Integration

Figure 7.4. Connection and Authentication Configuration for LDAP Integration


Table 7.1 and Table 7.2 contain detailed descriptions of the configuration fields in both the Connection and Authentication sections of the LDAP Configuration panel.

Table 7.1. Connection Configuration for LDAP Integration

Field Name Description
Protocol Valid values in this dropdown are ldap and ldaps which correspond to the Lightweight Directory Access Protocol and the Lightweight Directory Access Protocol over SSL.
Hostname The hostname or IP address of the LDAP server.
Port The port on which the LDAP server is listening. Port 389 is the default port for the ldap protocol, and port 636 is the default port for the ldaps protocol.
Search Base The search base is the Distinguished Name (DN) to be appended to the LDAP URL. The search base usually corresponds to the domain name of an organization. For example, the search base on the Sonatype LDAP server is "dc=sonatype,dc=com".

Table 7.2. Authentication Configuration for LDAP Integration

Field Name Description
Authentication Method Nexus provides four distinct authentication methods to be used when connecting to the LDAP Server:
Simple Authentication

Simple authentication is not recommended for production deployments not using the secure ldaps protocol as it sends a cleartext password over the network.

Anonymous Authentication

Used when Nexus only needs read-only access to non-protected entries and attributes when binding to the LDAP server.

Digest-MD5

This is an improvement on the CRAM-MD5 authentication method. For more information, see RFC 2831.

CRAM-MD5

The Challenge-Response Authentication Method (CRAM) based on the HMAC-MD5 MAC algorithm. In this authentication method, the server sends a challenge string to the client, the client responds with a username followed by a Hex digest which the server compares to an expected value. For more information, see RFC 2195.

For a full discussion of LDAP authentication approaches, see RFC 2829 and RFC 2251.

SASL Realm The Simple Authentication and Security Layer (SASL) Realm to connect with. The SASL Realm is only available if the authentication method is Digest-MD5 or CRAM-MD5.
Username Username of an LDAP User to connect (or bind) with. This is a Distinguished Name of a user who has read access to all users and groups
Password Password for an Administrative LDAP User

Prev  Home  Next
7.2. Configuring Nexus LDAP Integration  Sponsored by Sonatype  7.4. User and Group Mapping