The LDAP Configuration panel also contains sections to manage User Element Mapping and Group Element Mapping as shown in Figure 7.5.
The fields for both the User Element Mapping and Group Element Mapping sections are described in detail in Table 7.3 and Table 7.4.
Table 7.3. User Element Mapping Configuration for LDAP Integration
| Field Name | Description |
|---|---|
| Base DN | Corresponds to the Base DN containing user entries. This DN is relative to the Search Base specified in Figure 7.4. For example, if your users are all contained in "ou=users,dc=sonatype,dc=com" and you specified a Search Base of "dc=sonatype,dc=com", you would use a value of "ou=users" in this field. |
| User Subtree | True if there is a tree below the Base DN which can contain user entries. False if all users are contained within the specified Base DN. For example, if all users are in "ou=users,dc=sonatype,dc=com", this field should be false. If users can appear in organizational units within organizational units, such as "ou=development,ou=users,dc=sonatype,dc=com", this field should be true. |
| Object Class | This value defaults to inetOrgPerson, which is a standard object class defined in RFC 2798. inetOrgPerson contains standard fields such as mail, displayName, uid, and sn. Other possible values are posixAccount or a custom class. |
| User ID Attribute | This is the attribute of the Object class which supplies the User ID. Nexus will use this attribute as the Nexus User ID. |
| Real Name Attribute | This is the attribute of the Object class which supplies the real name of the user. Nexus will use this attribute when it needs to display the real name of a user. |
| E-Mail Attribute | This is the attribute of the Object class which supplies the email address of the user. Nexus will use this attribute when it needs to send an email to a user. |
| Password Attribute | This is the attribute of the Object class which supplies the password of the user. Nexus will use this attribute when it is authenticating a user against an LDAP server. |
| Password Encoding | Defines the preferred password encoding mechanism to be used when sending password data to the LDAP server. |
Table 7.4. Group Element Mapping Configuration for LDAP Integration
| Field Name | Description |
|---|---|
| Group Type | Groups are generally one of two types in LDAP systems: static or dynamic. A static group contains a list of users. In a dynamic group, the user entry contains a list of the groups the user belongs to. In LDAP a static group would be captured in an entry with the Object class groupOfUniqueNames, which contains one or more uniqueMember attributes. In a dynamic group configuration, each user entry in LDAP contains an attribute which lists group membership. |
| Base DN | This field is similar to the Base DN field described in Table 7.3. This field is visible if Static Groups is selected. If your groups were defined under "ou=groups,dc=sonatype,dc=com", this field would have a value of "ou=groups". |
| Group Subtree | This field is similar to the User Subtree field described in Table 7.3. If all groups are defined directly under the entry given in Base DN, this field should be false. If a group can be defined in a tree of organizational units under the Base DN, this field should be true. This field is visible if Static Groups is selected. |
| Object Class | This value defaults to groupOfUniqueNames, which is a standard object class defined in RFC 4519. groupOfUniqueNames is simply a collection of references to unique entries in an LDAP directory and can be used to associate user entries with a group. Other possible values are posixGroup or a custom class. This field is visible if Static Groups is selected. |
| Group ID Attribute | Specifies the attribute of the Object class which supplies the Group ID. If the value of this field corresponds to the ID of a Nexus Role, members of this group will have the corresponding Nexus privileges. Defaults to "cn". This field is visible if Static Groups is selected. |
| Group Member Attribute | Specifies the attribute of the Object class which identifies a member of a group. A groupOfUniqueNames has one uniqueMember attribute value per member of the group. Defaults to "uniqueMember". This field is visible if Static Groups is selected. |
| Group Member Format | This field captures the format of the Group Member Attribute and is used by Nexus to extract a username from that attribute. For example, if the Group Member Attribute has the format "uid=brian,ou=users,dc=sonatype,dc=com", then the Group Member Format would be "uid=${username},ou=users,dc=sonatype,dc=com". If the Group Member Attribute had the format "brian", then the Group Member Format would be "${username}". This field is visible if Static Groups is selected. |
| Member of Attribute | When Dynamic Groups is selected, Nexus inspects an attribute of the user entry to get the list of groups that the user is a member of. In this configuration, a user entry would have an attribute such as memberOf which contains the name of a group. This field is visible if Dynamic Groups is selected. |
If your LDAP installation does not use Static Groups, you can configure Nexus LDAP Integration to refer to an attribute on the User entry to derive group membership. To do this, select Dynamic Groups in the Group Type field in Group Element Mapping. Selecting Dynamic Groups will show a single field named Member of Attribute as shown in Figure 7.6.
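As an added illustration (not code from the Nexus documentation or product), the following Python shows how the Group Element Mapping fields from Table 7.4 resolve membership under each Group Type: the Group Member Format template is turned into a pattern that extracts the username from a groupOfUniqueNames member value, while the Dynamic Groups path reads the user's Member of Attribute instead. The directory entries, group names, and the treatment of memberOf DN values as group names are constructed assumptions for this example.

```python
import re

# Constructed sample entries (not from a real directory); LDAP attributes
# are multi-valued, so every attribute maps to a list of values.
STATIC_GROUPS = [
    {"objectClass": ["groupOfUniqueNames"], "cn": ["nx-admin"],
     "uniqueMember": ["uid=brian,ou=users,dc=sonatype,dc=com",
                      "uid=tim,ou=users,dc=sonatype,dc=com",
                      "uid=build,ou=services,dc=sonatype,dc=com"]},  # other OU
    {"objectClass": ["groupOfUniqueNames"], "cn": ["nx-deploy"],
     "uniqueMember": ["uid=tim,ou=users,dc=sonatype,dc=com"]},
]
DYNAMIC_USERS = [
    {"objectClass": ["user"], "sAMAccountName": ["brian"],
     "memberOf": ["CN=nx-admin,CN=Users,DC=yourcompany,DC=com",
                  "CN=Domain Users,CN=Users,DC=yourcompany,DC=com"]},
]

def member_format_pattern(group_member_format):
    """Compile a Group Member Format ("uid=${username},ou=users,..." or plain
    "${username}") into a regex capturing the username; DNs compare
    case-insensitively, so the match does too."""
    prefix, placeholder, suffix = group_member_format.partition("${username}")
    if not placeholder:
        raise ValueError("Group Member Format must contain ${username}")
    return re.compile("^" + re.escape(prefix) + r"(?P<username>[^,]+)"
                      + re.escape(suffix) + "$", re.IGNORECASE)

def static_group_membership(groups, object_class, group_id_attr,
                            member_attr, member_format):
    """Static Groups: usernames are extracted from each group's member attribute;
    a member value that does not match the format is skipped and gets no roles."""
    pattern = member_format_pattern(member_format)
    membership = {}  # username -> set of Group IDs (mapped to Nexus roles)
    for entry in groups:
        if object_class not in entry.get("objectClass", []):
            continue
        group_id = entry[group_id_attr][0]
        for value in entry.get(member_attr, []):
            match = pattern.match(value)
            if match:
                membership.setdefault(match.group("username"), set()).add(group_id)
    return membership

def dynamic_group_membership(users, user_id_attr, member_of_attr):
    """Dynamic Groups: groups come from the user's Member of Attribute. AD stores
    full DNs there; using the first RDN value as Group ID is this example's assumption."""
    return {entry[user_id_attr][0]:
            {dn.split(",", 1)[0].split("=", 1)[1] for dn in entry.get(member_of_attr, [])}
            for entry in users}
```

Note that the account under "ou=services" is silently dropped by the static mapping because its DN does not match the Group Member Format, which is the usual reason a user authenticates but receives no roles.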
When mapping users and groups to an Active Directory installation, try the common configuration values listed in Table 7.6, “User Element Mapping Configuration for Active Directory” and Table 7.7, “Group Element Mapping Configuration for Active Directory”.
Table 7.5. Connection and Authentication Configuration for Active Directory
| Configuration Element | Configuration Value |
|---|---|
| Protocol | ldap |
| Hostname | Hostname of Active Directory Server |
| Port | 389 (or port of AD server) |
| Search Base | DC=yourcompany,DC=com (customize for your organization) |
| Authentication | Simple Authentication |
| Username | CN=Administrator,CN=Users,DC=yourcompany,DC=com |
Table 7.6. User Element Mapping Configuration for Active Directory
| Configuration Element | Configuration Value |
|---|---|
| Base DN | cn=users |
| User Subtree | false |
| Object Class | user |
| User ID Attribute | sAMAccountName |
| Real Name Attribute | cn |
| E-Mail Attribute | |
| Password Attribute | (Not Used) |
| Password Encoding | Crypt |
Table 7.7. Group Element Mapping Configuration for Active Directory
| Configuration Element | Configuration Value |
|---|---|
| Group Type | Dynamic Groups |
| Member Of Attribute | memberOf |
Warning
You should connect to the AD through port 3268 if you have a multidomain, distributed Active Directory forest. Connecting directly to port 389 might lead to errors.
When mapping users and groups to LDAP entries of type posixAccount, try the common configuration values listed in Table 7.8, “User Element Mapping Configuration for posixAccount” and Table 7.9, “Group Element Mapping Configuration for posixGroup”.
Table 7.8. User Element Mapping Configuration for posixAccount
| Configuration Element | Configuration Value |
|---|---|
| Base DN | (Not Standard) |
| User Subtree | false |
| Object Class | posixAccount |
| User ID Attribute | sAMAccountName |
| Real Name Attribute | uid |
| E-Mail Attribute | |
| Password Attribute | (Not Used) |
| Password Encoding | (Not Used) |
Table 7.9. Group Element Mapping Configuration for posixGroup
| Configuration Element | Configuration Value |
|---|---|
| Group Type | Static Groups |
| Base DN | (Not Standard) |
| Group Subtree | false |
| Object Class | posixGroup |
| Group ID Attribute | cn |
| Group Member Attribute | memberUid |
| Group Member Format | ${username} |