Why would I use Nexus Pro LDAP over Nexus OSS LDAP?

We get this question quite a bit: what's the difference between the Nexus OSS LDAP and the Nexus Professional LDAP? There are several, but let's just hit the top four:

  1. Support for multiple LDAP servers.
  2. Support for geographic failover.
  3. Support for multiple User and Group object mapping strategies.
  4. Intelligent caching of authentication information.

Let's discuss these differences in order:

Support for Multiple LDAP Servers

In very large corporate installations it is common to have more than one source of authentication information. If your company has merged with or acquired another company, you may have to interact with more than one LDAP server. If this is your situation, Nexus Professional provides the ability to connect to more than one LDAP server. If a user cannot be authenticated against one LDAP server, the authentication request will continue to iterate through a list of LDAP servers until a successful authentication can be completed. Nexus OSS LDAP does not support more than one LDAP source of authentication; you are limited to a single LDAP server.

Support For Geographic Failover

A distributed development team often has a global support network which includes redundant LDAP servers. With Nexus Professional you can define backup LDAP servers for each LDAP authentication server configured. If Nexus is unable to reach the specified LDAP server, it will attempt to connect to the failover servers defined in Nexus Professional. This support for high-availability LDAP servers is only available in Nexus Professional.

Support for Multiple Group and User Object Mappings

If you authenticate against LDAP you have many options for querying users and groups. You can use static groups or dynamic groups. Depending on the type of LDAP server (or Active Directory server), you will be querying different object types and looking at different attributes for passwords and usernames. In Nexus OSS, we offer some support for configuring User and Group mappings, enough to adapt to just about any situation. In Nexus Professional we offer User and Group mapping templates that are predefined based on common use cases. For example, if you are running Active Directory, we ship with sensible default templates. In addition to these templates, we offer the ability to have more than one User and Group mapping for different LDAP servers.

This can come in very handy if you are dealing with more than one authentication source because, very often, those two LDAP servers have completely different models for tracking users and groups.

Intelligent Caching of Authentication Information

Nexus OSS LDAP is going to query your LDAP server every time it needs to authenticate a request. For example, if you have a Maven build that accesses Nexus with authentication, you are going to be hitting your LDAP server for every single artifact download request. If you have a group of developers, that means your Nexus server is going to be generating a huge amount of authentication traffic against your LDAP server.

Nexus Professional takes a very conservative approach to caching authentication information: we don't have such an over-eager cache that we're holding on to authentication events for too long. You'll never hear anything about Nexus not being up to date with an LDAP server, but we do cache information in the context of a request. You can configure how long authentication events are cached, but even a cache lifetime of a few minutes is enough to insulate yourself from the performance problem you might encounter with the uncached OSS version of the tool.
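
The three mechanisms described above (iterating over several LDAP sources, failing over to a backup server, and caching successful authentications for a configurable lifetime) can be modelled in a few lines. This is an added illustration, not Nexus code: `FakeDirectory`, `CachingAuthenticator`, the accounts and the 120-second lifetime are all constructed for the example.

```python
import hashlib, hmac, os, time

class Unreachable(Exception): pass    # simulated directory could not be contacted

class FakeDirectory:
    """Constructed stand-in for one LDAP server; counts bind attempts."""
    def __init__(self, users, up=True):
        self.users, self.up, self.binds = users, up, 0
    def bind(self, user, password):
        if not self.up:
            raise Unreachable()
        self.binds += 1
        return self.users.get(user) == password

class CachingAuthenticator:
    def __init__(self, sources, ttl, clock=time.monotonic):
        self.sources, self.ttl, self.clock = sources, ttl, clock  # source = [primary, failover, ...]
        self._key = os.urandom(32)    # per-process key: cache holds no plaintext passwords
        self._cache = {}              # HMAC(user, password) -> expiry time
    def _bind(self, servers, user, password):
        for server in servers:        # failover: next server only if this one is unreachable
            try:
                return server.bind(user, password)
            except Unreachable:
                continue
        return False                  # every server of this source was down
    def authenticate(self, user, password):
        tag = hmac.new(self._key, f"{user}\0{password}".encode(), hashlib.sha256).digest()
        if self._cache.get(tag, float("-inf")) > self.clock():
            return True               # cache hit: no directory traffic
        for servers in self.sources:  # multiple sources: first success wins
            if self._bind(servers, user, password):
                self._cache[tag] = self.clock() + self.ttl  # only successes are cached
                return True
        return False

def demo():
    now = [0.0]                                   # controllable clock for the demo
    backup = FakeDirectory({"alice": "a-pass"})   # constructed sample accounts
    acquired = FakeDirectory({"bob": "b-pass"})
    sources = [[FakeDirectory({}, up=False), backup], [acquired]]
    auth = CachingAuthenticator(sources, ttl=120, clock=lambda: now[0])
    burst = all(auth.authenticate("bob", "b-pass") for _ in range(50))
    binds_after_burst = (backup.binds, acquired.binds)
    acquired.users["bob"] = "rotated"             # password changed in the directory
    stale = auth.authenticate("bob", "b-pass")    # still inside the cache lifetime
    now[0] = 121.0
    expired = auth.authenticate("bob", "b-pass")  # entry expired, directory now says no
    return burst, binds_after_burst, stale, expired
```

`demo()` returns `(True, (1, 1), True, False)`: fifty requests cost one bind per reachable server, and in this model a password changed in the directory is still accepted until the cached entry expires, so the cache lifetime bounds that window.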


For the record, there's nothing wrong with the Nexus OSS LDAP from a performance perspective; it's a solid integration with LDAP and it has everything you'd expect from a product that supports LDAP. We're not big believers in creating open source versions of professional features that are limited to motivate sales. The OSS support for LDAP is a solid option.
