With the 1.5.0 release of Nexus, Sonatype is opening up the current LDAP features in Pro, and making them a part of Nexus Open Source. Starting with this release, Nexus Open Source users will be able to integrate with LDAP, Active Directory, and Atlassian Crowd servers (via LDAP). Nexus is the only repository manager with both Authentication AND Authorization (group / role mapping) via LDAP and now this integration is free for all to use.
As we transition this feature to Nexus Open Source, we are also announcing a new Nexus Enterprise LDAP plugin that will support more advanced deployment use cases including support for federated LDAP servers and more intelligent caching of authentication information.
Features included in the newly open-source Nexus Professional LDAP plugin:
- Active Directory Support
- Authentication via Bind, SASL, or attribute
- Ability to map LDAP groups to Nexus Roles
- Ability to assign an LDAP user a specific role
- Support for common security models used in Active Directory and LDAP.
- Support for Static and Dynamic Groups
Authentication
The Nexus LDAP Authentication Realm, which will be available in the Open Source LDAP plugin, supports a number of integration patterns for authentication, including:
- Authentication via a bind: Delegates authentication to the LDAP server
- SASL Authentication: Delegates SASL authentication to the LDAP server
- Password Attribute: Nexus reads the (typically hashed) password value stored in an attribute of the user entry and checks the supplied password against it itself, rather than delegating the check to the server. This requires the account Nexus connects with to be able to read that attribute.
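To make the third option concrete, here is an added example (not code from Nexus or the LDAP plugin) of how a password-attribute authenticator verifies a supplied password against an RFC 2307 style userPassword value such as {SSHA} or {SHA}. The sample entry, the fixed salt and the set of supported schemes are constructed for the example; which schemes the Nexus plugin actually supports is not stated in this post.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = None) -> str:
    """Produce an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt).
    Used here only to build a realistic sample entry."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Produce an unsalted {SHA} value (legacy, but still seen in directories)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_user_password(stored: str, candidate: str) -> bool:
    """Check a candidate password against a userPassword attribute value the way a
    'password attribute' authenticator must: parse the {SCHEME} prefix, recompute
    the digest, and compare in constant time. Unknown schemes are refused."""
    if not stored.startswith("{"):
        # No scheme prefix: the directory stores the value in cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # malformed value, never a match
    scheme = scheme.upper()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        if len(digest) != 20:
            return False
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if scheme == "SHA":
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    # {CRYPT}, {MD5}, {PBKDF2}... are not handled here: refuse rather than guess.
    return False


# Constructed sample user entry (not a real directory). The salt is fixed so the
# stored value is reproducible.
SAMPLE_USER = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "userPassword": make_ssha("correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
}


def authenticate(entry: dict, candidate: str) -> bool:
    """What the realm does in password-attribute mode: no bind as the user,
    just a local comparison against the attribute it was allowed to read."""
    return verify_user_password(entry["userPassword"], candidate)
```

The practical difference between the modes: with a bind, the directory does the comparison and Nexus never sees the stored value; in attribute mode the Nexus service account needs read access to userPassword, which most directories deny by default and which is a broader privilege than most administrators want to grant a repository manager. Whatever verifies the attribute should also reject schemes it does not understand instead of falling back to a cleartext comparison.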
Role Mapping
Nexus Open Source can now be configured to map LDAP groups to Nexus roles. Using LDAP groups means you only need to make changes in one place: when a user's password or group membership changes in the directory, Nexus picks the change up from the LDAP server the next time that user logs in. It is also possible to grant users Nexus-specific roles in addition to the mapped ones, or to use LDAP for authentication only and leave authorization entirely to Nexus. Brian Fox discussed these options in a previous blog post: Three Approaches to User Management in Nexus.
Support for Multiple Security Models for User and Group Mapping
Nexus supports the common security models used in LDAP servers. This includes the data model used by Microsoft's Active Directory as well as standards-driven schemas such as POSIX. We've had a lot of positive customer feedback about the configuration interface, which lets you test the user and role mapping directly from the Nexus administrative interface. If you change a group or role mapping, you can test it immediately in the context of Nexus to confirm that users and groups are being retrieved correctly from your LDAP, Active Directory, or Crowd server.
Support for Static and Dynamic Groups
Users and groups can be mapped in one of two ways in LDAP. Dynamic groups are defined on the user object (for example a memberOf attribute listing the user's groups), whereas static groups are defined on the group object (a member attribute listing the users). The trade-off is speed versus ease of management. For dynamic groups a single query returns the user's information and the groups that user belongs to, since it is all on one object. For static groups two queries are needed: one to get the user information, and another to find which groups list that user as a member. Some LDAP setups use one or the other; some maintain both, with the two kept in sync by triggers.
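As an added illustration of the query counts just described (example code, not from Nexus or the plugin), the following builds a small constructed directory in which the same memberships are recorded both ways, then resolves one user's groups with each strategy while counting round trips. The FakeLdap class, the entry names, and the attribute names (memberOf on users, member on groups) are assumptions chosen to mirror common OpenLDAP and Active Directory layouts.

```python
from typing import Dict, List, Tuple

# Constructed sample directory (not a real server). Each entry is (dn, attributes);
# attribute values are lists, as an LDAP client would receive them. Membership is
# recorded on both the user (memberOf) and the group (member) so both lookup
# styles can be exercised against the same data.
PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"
DIRECTORY = [
    (f"uid=jdoe,{PEOPLE}", {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
        "memberOf": [f"cn=developers,{GROUPS}", f"cn=release-managers,{GROUPS}"],
    }),
    (f"uid=asmith,{PEOPLE}", {
        "objectClass": ["inetOrgPerson"], "uid": ["asmith"],
        "memberOf": [f"cn=developers,{GROUPS}"],
    }),
    (f"cn=developers,{GROUPS}", {
        "objectClass": ["groupOfNames"], "cn": ["developers"],
        "member": [f"uid=jdoe,{PEOPLE}", f"uid=asmith,{PEOPLE}"],
    }),
    (f"cn=release-managers,{GROUPS}", {
        "objectClass": ["groupOfNames"], "cn": ["release-managers"],
        "member": [f"uid=jdoe,{PEOPLE}"],
    }),
]


class FakeLdap:
    """Stand-in for an LDAP connection: a subtree search under base_dn with one
    equality filter (attr=value), counting round trips so the strategies compare."""

    def __init__(self, entries):
        self.entries = entries
        self.queries = 0

    def search(self, base_dn: str, attr: str, value: str) -> List[Tuple[str, Dict[str, List[str]]]]:
        self.queries += 1
        return [
            (dn, attrs) for dn, attrs in self.entries
            if dn.lower().endswith(base_dn.lower())
            and value.lower() in (v.lower() for v in attrs.get(attr, []))
        ]


def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'developers' from 'cn=developers,ou=groups,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_dynamic(conn: FakeLdap, uid: str) -> List[str]:
    """Dynamic style: membership is read off the user object, so one query."""
    hits = conn.search(PEOPLE, "uid", uid)
    if not hits:
        return []
    _, attrs = hits[0]
    return sorted({rdn_value(g) for g in attrs.get("memberOf", [])})


def groups_static(conn: FakeLdap, uid: str) -> List[str]:
    """Static style: find the user's DN, then find groups listing that DN, so two queries."""
    hits = conn.search(PEOPLE, "uid", uid)
    if not hits:
        return []
    user_dn, _ = hits[0]
    group_hits = conn.search(GROUPS, "member", user_dn)
    return sorted({attrs["cn"][0] for _, attrs in group_hits})


def resolve(uid: str, style: str) -> Tuple[List[str], int]:
    """Resolve group names for uid using 'dynamic' or 'static', with the round-trip count."""
    conn = FakeLdap(DIRECTORY)
    groups = groups_dynamic(conn, uid) if style == "dynamic" else groups_static(conn, uid)
    return groups, conn.queries
```

Whichever style is used, the role mapping trusts whatever attribute Nexus reads, so the directory's access controls on memberOf or member matter as much as the mapping itself: in a directory where users can write to their own entry, a dynamic setup that reads a plain memberOf attribute lets a user grant themselves groups, whereas Active Directory computes memberOf as a read-only back-link of the group's member attribute. Also note that Active Directory's memberOf omits the user's primary group, so a group used for role mapping should not be anyone's primary group.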
Stay Tuned
So where's the plugin? How can you install it? Stay tuned, the Nexus 1.5.0 release will be available this Wednesday afternoon. Once that release is completed, we will post detailed instructions for people interested in installing Nexus 1.5.0 or upgrading from a prior Nexus installation.
Written by Brian Demers
Brian is a Developer Advocate at Okta. He has a strong knowledge of Java, including experience with an array of Java and web-based technologies, along with involvement in open source communities.