If you have a group of users in LDAP who need access to perform Repository Manager tasks, you can map those LDAP groups to repository manager roles. An External Role Mapping lets you grant repository manager privileges to an external LDAP group.
Prerequisites
Before you begin, make sure LDAP Authentication is correctly configured. You should have already completed these steps:
- Configure Realms to add the LDAP Realm
- Create an LDAP Connection with user and group configuration
You can test the connection by clicking the Verify connection button on the LDAP configuration screen. To test the user and group settings you can use the Verify user mapping button.
You can also verify that the LDAP configuration is working correctly by searching for an LDAP user and making sure the LDAP groups for the user are displayed:
- In the Administration panel under Security select Users
- Change the Source to LDAP
- Search for an LDAP user ID
- Click on the user and make sure the External Roles are populated with LDAP groups to which the user belongs
If you do not see the groups listed you'll need to check the user and group configuration of the LDAP connection.
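The verification steps above can also be scripted, for example to audit a list of LDAP users after a configuration change. This is an added example, not part of the article: it assumes the Nexus Repository 3 Users REST endpoint (/service/rest/v1/security/users, filtered by userId and source) returns an externalRoles list per user, and it runs against a constructed sample response so it can be tried offline.

```python
"""Check that an LDAP-sourced user shows the expected External Roles (LDAP groups)."""
import base64
import json
import urllib.parse
import urllib.request

# Assumption: Nexus Repository 3 Users API; adjust the path if your version differs.
USERS_API = "/service/rest/v1/security/users"


def fetch_users(base_url, user_id, auth, source="LDAP"):
    """GET the users matching user_id from the given source (assumed endpoint)."""
    query = urllib.parse.urlencode({"userId": user_id, "source": source})
    url = f"{base_url.rstrip('/')}{USERS_API}?{query}"
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_external_roles(users, user_id, expected_groups):
    """Return (ok, message) comparing the user's externalRoles with expected LDAP groups."""
    matches = [u for u in users if u.get("userId") == user_id and u.get("source") == "LDAP"]
    if not matches:
        return False, f"{user_id}: not found in the LDAP source (check the user configuration)"
    external = set(matches[0].get("externalRoles") or [])
    if not external:
        return False, f"{user_id}: no External Roles returned (check the group configuration)"
    missing = sorted(set(expected_groups) - external)
    if missing:
        return False, f"{user_id}: missing LDAP groups {missing}; has {sorted(external)}"
    return True, f"{user_id}: External Roles OK {sorted(external)}"


# Constructed sample shaped like the Users API response (not real data).
SAMPLE_USERS = [
    {"userId": "jdoe", "source": "LDAP", "status": "active",
     "roles": ["nx-developer-mapping"], "externalRoles": ["nexus-developers", "all-staff"]},
    {"userId": "asmith", "source": "LDAP", "status": "active",
     "roles": [], "externalRoles": []},
]

if __name__ == "__main__":
    # Replace SAMPLE_USERS with fetch_users("https://nexus.example.test", "jdoe", ("admin", "pw"))
    for uid, groups in [("jdoe", ["nexus-developers"]), ("asmith", ["nexus-developers"])]:
        print(check_external_roles(SAMPLE_USERS, uid, groups)[1])
```

A failing check for a user who exists in LDAP points at the group configuration of the LDAP connection, which is the same conclusion the manual steps lead to.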
Create an LDAP External Role Mapping
Use the following steps to create a role mapping:
- In the Administration panel under Security select Roles
- Click the Create role button and select "External Role Mapping" and "LDAP" from the drop-downs
- The Mapped Role drop-down will be populated with the groups in your LDAP domain. Choose the group you wish to map.
- Provide a name for the role
- Assign roles and privileges
- Click Create role
More information about privileges is available in the help documentation.
Troubleshooting
To obtain more information about the source of an LDAP-related problem you can switch on LDAP debug logging. In the Administration panel under Support select Logging. Locate the logger org.sonatype.nexus.ldap and set the logging level to DEBUG.
These logs contain more detail about the cause of the problem. If you need to open a support ticket, enable LDAP debug logging and reproduce the problem before generating a support zip.