7.5. Mapping Roles to LDAP Users

Once User and Group Mapping has been configured, you can verify how LDAP users and groups are mapped to Nexus Roles. If a user is a member of an LDAP group whose Group ID corresponds to the ID of a Nexus Role, that user is granted the permissions of that role in Nexus. For example, if the LDAP user entry "uid=brian,ou=users,dc=sonatype,dc=com" is a member of a groupOfUniqueNames whose cn attribute has the value admin, this user will be granted the Nexus Administrator Role when logging into Nexus, provided Group Element Mapping is configured properly. To verify the User Element Mapping and Group Element Mapping, click on Check User Mapping in the LDAP Configuration panel, directly below the Group Element Mapping section. Figure 7.8 shows the results of this check.

Figure 7.8. Checking the User and Group Mapping in LDAP Configuration

In Figure 7.8, Nexus LDAP Integration locates a user with a User ID of "brian" who is a member of the "admin" group. When brian logs in, he will have all of the rights that the admin Nexus Role has.

7.5.1. Mapping Nexus Roles for External Users

If you are unable to map all of the Nexus roles to LDAP groups, you can augment the role information by adding a specific user-role mapping for an external LDAP user in Nexus. In other words, if you need to make sure that a specific user in LDAP gets a specific Nexus role and you don't want to model this as a group membership, you can add a role mapping for an external user in Nexus. Nexus keeps track of this association independently of your LDAP server. Nexus continues to delegate authentication to the LDAP server for this user and continues to map the user to Nexus roles based on the group element mapping you have configured, but it also adds any roles specified in the User panel. You are augmenting the role information that Nexus gathers from the group element mapping.

Once the User and Group Mapping has been configured, click on the Users link under Security in the Nexus menu. The Users tab contains all of the "configured" users for this Nexus instance, as shown in Figure 7.9, “Viewing All Configured Users”. A configured user is a user in a Nexus-managed Realm or an External User which has an explicit mapping to a Nexus role. In Figure 7.9, “Viewing All Configured Users”, you can see the three default users in the Nexus-managed default realm plus the brian user from LDAP. The brian user appears because this user has been mapped to a Nexus role.

Figure 7.9. Viewing All Configured Users

The list of users in Figure 7.9, “Viewing All Configured Users” is a combination of all of the users in the Nexus default realm and all of the External Users with role mappings. To explore these two sets of users, click on the All Configured Users dropdown and choose "Default Realm Users". Once you select this, click in the search field and press Enter. Searching with a blank string in the Users panel will return all of the users of the selected type. In Figure 7.10, “All Default Realm Users” you see a dialog containing all three default users from the Nexus default realm.

Figure 7.10. All Default Realm Users

If you wanted to see a list of all LDAP users, select "LDAP" from the "All Configured Users" dropdown shown in Figure 7.9, “Viewing All Configured Users” and click on the search button (magnifying glass) with an empty search field. Clicking search with an empty search field will return all of the LDAP users as shown in Figure 7.11, “All LDAP Users”.

Note

Note that the user "tobrien" does not show up in the "All Configured Users" list. This is by design. Nexus is only going to show you information about users with external role mappings. If an organization has an LDAP directory with thousands of developers, Nexus doesn't need to retain any configuration information for users that don't have custom Nexus role mappings.

Figure 7.11. All LDAP Users

To add a mapping for an external LDAP user, click on the "All Configured Users" dropdown and select LDAP. Once you've selected LDAP, type in the user ID you are searching for and click the search button (the magnifying glass icon to the right of the search field). In Figure 7.12, “Search LDAP Users”, a search for "brian" yields one user from the LDAP server.

Figure 7.12. Search LDAP Users

To add a Nexus role mapping for the external user "brian" shown in Figure 7.12, “Search LDAP Users”, click on the user in the results table and drag a role from Available Roles to Selected Roles as shown in Figure 7.13, “Mapping the Deployment Role to an External User”. In this case, the user "brian" already holds the Nexus Administrator Role by virtue of his membership in an "admin" group in the LDAP server. In this use case, a Nexus administrator would like to grant Brian the Deployment Role without having to create an LDAP group for this role or modify his group memberships in LDAP.

Figure 7.13. Mapping the Deployment Role to an External User

The end result of this operation is to augment the Group-Role mapping provided by the LDAP integration. You can use LDAP groups to manage coarse-grained permissions, such as granting people administrative privileges and developer roles, and if you need to perform more targeted privilege assignments in Nexus you can map individual LDAP users to Nexus roles with the techniques shown in this section.

7.5.2. Mapping External Roles to Nexus Roles

Nexus makes it very straightforward to map an external role to an internal Nexus role. This is something you would do if you want to grant every member of an externally managed group (such as an LDAP group) a certain privilege in Nexus. For example, assume that you have a group in LDAP named "svn" and you want to make sure that everyone in the "svn" group has Nexus Administrative privileges. To do this, you would click on the Add... dropdown in the Role panel as shown in Figure 7.14, “Selecting External Role Mapping in the Role Management Panel”. This dropdown can be found in the Role management panel, which is opened by clicking on Roles in the Security menu.

Figure 7.14. Selecting External Role Mapping in the Role Management Panel

Selecting External Role Mapping under Add... will show you a dialog which contains a dropdown of External Realms. Selecting an external realm such as LDAP will then bring up a list of roles managed by that external realm. The dialog shown in Figure 7.15, “Selecting an Externally Managed Role to Map to a Nexus Role” shows the external realm LDAP selected and the role "svn" being selected to map to a Nexus role.

Figure 7.15. Selecting an Externally Managed Role to Map to a Nexus Role

Once the external role has been selected, Nexus will create a corresponding Nexus Role. You can then assign other Roles to this new externally mapped Role. Figure 7.16, “Mapping an External Role to a Nexus Role” shows that the SVN role from LDAP is being assigned the Nexus Administrator Role. This means that any user that is authenticated against the external LDAP Realm who is a member of the svn LDAP group will be assigned a role that maps to the Nexus Administrator Role.

Figure 7.16. Mapping an External Role to a Nexus Role
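The three mechanisms described in this section (group element mapping in 7.5, explicit role mappings for an external user in 7.5.1, and external role mappings in 7.5.2) combine to decide which roles a user actually holds after logging in. The following Python script is an added illustration of that resolution, not code from Nexus or from this book: it parses a small constructed LDIF directory, derives group IDs from groupOfUniqueNames membership, and applies the two Nexus-side mapping tables. Only the base DN dc=sonatype,dc=com, the user IDs brian and tobrien, and the group names admin and svn come from the page; the role IDs, the LDIF entries and the mapping tables are sample data, and the LDIF parser handles only this unfolded subset of the format. The users_with_role function is the check an administrator would want after mapping an external role such as svn to the Administrator Role, since every member of that group becomes an administrator.

```python
"""Resolve the effective Nexus roles of an LDAP user (added illustration).

Models, against a constructed in-memory directory, the three mechanisms of
section 7.5: group element mapping (an LDAP group whose ID equals a Nexus
role ID grants that role), explicit role mappings for an external user
(7.5.1), and external role mappings that turn an LDAP group into a Nexus
role that holds other roles (7.5.2). Not Nexus code; sample data throughout.
"""
from collections import defaultdict

# Constructed LDIF: two users and two groupOfUniqueNames groups.
SAMPLE_LDIF = """\
dn: uid=brian,ou=users,dc=sonatype,dc=com
objectClass: inetOrgPerson
uid: brian

dn: uid=tobrien,ou=users,dc=sonatype,dc=com
objectClass: inetOrgPerson
uid: tobrien

dn: cn=admin,ou=groups,dc=sonatype,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=brian,ou=users,dc=sonatype,dc=com

dn: cn=svn,ou=groups,dc=sonatype,dc=com
objectClass: groupOfUniqueNames
cn: svn
uniqueMember: uid=brian,ou=users,dc=sonatype,dc=com
uniqueMember: uid=tobrien,ou=users,dc=sonatype,dc=com
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for the simple LDIF subset above
    (one attribute per line, no line folding, no base64 values)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def ldap_groups_for(entries, user_dn):
    """Group element mapping: the group ID (cn) of every groupOfUniqueNames
    entry whose uniqueMember attribute lists the user's DN."""
    return sorted(
        entry["cn"][0]
        for entry in entries.values()
        if "groupOfUniqueNames" in entry.get("objectClass", [])
        and user_dn in entry.get("uniqueMember", [])
    )


def map_external_role(roles, external_role_id, nexus_role_ids):
    """7.5.2: an external role becomes a Nexus role containing other roles."""
    roles[external_role_id] = set(nexus_role_ids)


def expand_roles(role_ids, roles):
    """Nexus roles can contain other roles; include them transitively."""
    effective, pending = set(), list(role_ids)
    while pending:
        role = pending.pop()
        if role not in effective:
            effective.add(role)
            pending.extend(roles.get(role, ()))
    return effective


def effective_roles(entries, uid, roles, user_role_mappings):
    """Roles a user holds after login, combining all three mechanisms."""
    user_dn = next(dn for dn, entry in entries.items() if entry.get("uid") == [uid])
    # 7.5 and 7.5.2: group IDs that match a Nexus role ID (built-in or externally mapped)
    granted = {group for group in ldap_groups_for(entries, user_dn) if group in roles}
    # 7.5.1: roles mapped directly to this external user inside Nexus
    granted |= set(user_role_mappings.get(uid, ()))
    return sorted(expand_roles(granted, roles))


def users_with_role(entries, role_id, roles, user_role_mappings):
    """Access-review helper: which LDAP users end up holding a given role."""
    uids = [entry["uid"][0] for entry in entries.values() if "uid" in entry]
    return sorted(uid for uid in uids
                  if role_id in effective_roles(entries, uid, roles, user_role_mappings))


DIRECTORY = parse_ldif(SAMPLE_LDIF)
# Constructed Nexus role table: role ID -> roles it contains.
ROLES = {"admin": set(), "deployment": set(), "developer": set()}
# As in Figure 7.16: the LDAP "svn" role is mapped to the Nexus Administrator Role.
map_external_role(ROLES, "svn", ["admin"])
# As in Figure 7.13: brian is additionally given the Deployment Role as an external user.
USER_ROLE_MAPPINGS = {"brian": ["deployment"]}

if __name__ == "__main__":
    for uid in ("brian", "tobrien"):
        print(uid, effective_roles(DIRECTORY, uid, ROLES, USER_ROLE_MAPPINGS))
    print("admin holders:", users_with_role(DIRECTORY, "admin", ROLES, USER_ROLE_MAPPINGS))
```

Running the script shows brian holding admin (from the LDAP admin group), deployment (from his explicit user mapping) and svn, while tobrien, who has no mapping of his own and would not appear in the All Configured Users list, still ends up with admin through the svn external role mapping. That is exactly the kind of indirect grant worth listing before mapping a broad LDAP group onto a privileged Nexus role.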