Last week we announced that we moved LDAP integration from Nexus Professional to Nexus Open Source in the Nexus 1.5.0 release. While we open sourced our LDAP plugin in 1.5.0, we also released an Enterprise LDAP plugin which provides features such as configurable caching, timeouts, templates, and the ability to interact with more than one LDAP server. In this post, I'm going to summarize the differences between Nexus Open Source's LDAP integration and Nexus Professional's LDAP integration.
Repository Manager LDAP Feature comparison
Before we dive into the details of the Enterprise LDAP support in Nexus Professional 1.5.0, here's a comparison of LDAP support in Nexus Professional 1.5.0, Nexus Open Source 1.5.0, Archiva, and Artifactory. If you are trying to decide between Nexus Open Source and Nexus Professional, the difference between the LDAP functionality in each is that Nexus Professional's Enterprise LDAP support adds more features one would expect to see in a mission-critical environment with multiple LDAP servers.
Feature | Nexus Pro | Nexus OSS | Archiva | Artifactory |
Authentication via bind | ||||
Authentication via field | ||||
Multiple Server support | ||||
Configurable caching | ||||
Configurable timeouts | ||||
Active Directory support | ||||
Templates ( for easy setup ) | ||||
Blacklist down servers | ||||
Ability to test a Users Login | ||||
Ability to group configuration | ||||
LDAP Mirror fall back support | ||||
Configurable via UI | ||||
SASL Support (secure login) | ||||
Support for LDAP Groups | ||||
|
||||
|
Enterprise LDAP Failover support
When an LDAP server fails, the applications authenticating against it can also become unavailable. Because a central LDAP server is such a critical resource, many large software enterprises will install a series of primary and secondary LDAP servers to make sure that the organization can continue to operate in the case of an unforeseen failure. Nexus Professional's Enterprise LDAP plugin now provides you with the ability to define multiple LDAP servers for authentication. To configure multiple LDAP servers, click on Enterprise LDAP under Security in the Nexus application menu. You should see the Enterprise LDAP panel shown in the following figure.
You can use the Backup Mirror setting for an LDAP repository. This backup mirror is another LDAP server which will be consulted if the original LDAP server cannot be reached. Nexus Professional assumes that the backup mirror is a carbon copy of the original LDAP server, and it will use the same user and group mapping configuration as the original LDAP server.
Instead of using the backup mirror settings, you could also define multiple LDAP backup mirrors in the list of configured LDAP servers shown in the previous figure. When you configure more than one LDAP server, Nexus Professional will consult the servers in the order they are listed in this panel. If Nexus can't authenticate against the first LDAP server, Nexus Professional will move on to the next LDAP server until it either reaches the end of the list or finds an LDAP server to authenticate against.
The feature just described is one way to increase the reliability of your Nexus instance. In the previous case, both servers would have the same user and group information. The secondary would be a mirror of the primary. But, what if you wanted to connect to two LDAP servers that contained different data? Nexus Professional also provides...
...Support for Multiple Servers/Schema
The same ability to list more than one LDAP server also allows you to support multiple LDAP servers which may or may not contain the same user authentication information. Assume that you had an LDAP server for the larger organization which contained all of the user information across all of the departments. Now assume that your own department maintains a separate LDAP server which you use to supplement this larger LDAP installation. Maybe your department needs to create new users that are not a part of the larger organization, or maybe you have to support the integration of two separate LDAP servers that use different schema on each server.
A third possibility is that you need to support authentication against different schema within the same LDAP server. This is a common scenario for companies which have merged and whose infrastructures has not yet been merged. To support multiple servers with different user/group mappings or to support a single server with multiple user/group mappings, you can configure these servers in the Enterprise LDAP panel shown above. Nexus will iterate through each LDAP server until it can successfully authenticate a user against an LDAP server.
Enterprise LDAP Performance: Caching and Timeout
If you are constantly authenticating against a large LDAP server, you may start to notice a significant performance degradation. With Nexus Professional you can cache authentication information from LDAP. To configure caching, create a new server in the Enterprise LDAP panel, and scroll to the bottom of the Connect tab. You should see the following input field which contains the number of seconds to cache the results of LDAP queries.
You will also see options to alter the connection timeout and retry interval for an LDAP server. If you are configuring a number of different LDAP servers with different user and group mappings, you will want to make sure that you've configured low timeouts for LDAP servers at the beginning of your Enterprise LDAP server list. If you do this properly, it will take Nexus next to no time to iterate through the list of configured LDAP servers.
We improved the overall caching in this release. The cache duration is configurable and applies to authentication and authorization, which translates into pure speed! Once you've configured LDAP caching in Nexus Professional, authentication and other operations that involve permissions and credentials once retrieved from an external server will run in no time.
User and Group Templates
If you are configuring your Nexus Professional instance to connect to an LDAP server there is a very good chance that your server follows one of several, well-established standards. Nexus Professional's LDAP server configuration includes these widely used user and group mapping templates which great simplify the setup and configuration of a new LDAP server. To configure user and group mapping using a template, select a LDAP server from the Enterprise LDAP panel, and choose the User and Group Settings. You will see a User & Group Templates section as shown in the following figure.
Testing a User Login
Nexus Professional provides you with the ability to test a user login directly. To test a user login, go to the User and Group Settings tab for a server listed in the Enterprise LDAP panel. Scroll to the bottom of the form, and you should see a button named "Check Login".
If you click on Check Login, you will then be presented with the login credentials dialog shown below. You can use this dialog to login as an LDAP user and test the user and group mapping configuration for a particular server. This feature allows you to test user and group mapping configuration directly. This feature allows you to quickly diagnose and address difficult authentication and access control issues via the administrative interface.
Summary
If you rely upon LDAP in your organization, Nexus Professional's Enterprise LDAP plugin will help you create a more stable and reliable configuration. In addition it will make it even easier to configure user and group mapping for common LDAP configurations. To get started today, download Nexus Professional 1.5.0.
Written by Brian Demers
Brian is a Developer Advocate at Okta. He has a strong knowledge of Java including experience with an array of java and web-base technologies, along with involvement in open source communities.