Why would I use Nexus Repository 2 Pro LDAP over OSS LDAP?

Visit my.sonatype.com for documentation on Nexus Repository version 2.

We get this question quite a bit: what's the difference between the Nexus Repository 2 OSS LDAP and the Nexus Repository 2 Professional LDAP? There are several, but let's just hit the top four:

  1. Support for multiple LDAP servers.
  2. Support for geographic failover.
  3. Support for multiple User and Group object mapping strategies.
  4. Intelligent caching of authentication information.

Let's discuss these differences in order:

Support for Multiple LDAP Servers

In very large corporate installations, it is very common to see situations that involve more than one source for authentication information. If your company has merged with or acquired another company, it is possible that you may have to interact with more than one LDAP server. If this is your situation, Nexus Repository 2 Professional provides the ability to connect to more than one LDAP server. If a user cannot be authenticated against one LDAP server, the authentication request will continue to iterate through a list of LDAP servers until a successful authentication can be completed. Nexus Repository 2 OSS LDAP does not support more than one LDAP source of authentication; you are limited to a single LDAP server.

Support For Geographic Failover

A distributed development team often has a global support network that includes redundant LDAP servers. With Nexus Repository 2 Professional you can define backup LDAP servers for each LDAP authentication server configured. If Nexus Repository 2 is unable to reach the specified LDAP server, it will attempt to connect to the failover servers defined in Nexus Repository 2 Professional. This support for high-availability LDAP servers is only available in Nexus Repository 2 Professional.

Support for Multiple Group and User Object Mappings

If you authenticate against LDAP, you have many options for querying users and groups. You can use static groups or dynamic groups. Depending on the type of LDAP server (or Active Directory server), you will be querying different object types and looking at different attributes for passwords and usernames. In Nexus Repository 2 OSS, we offer some support for configuring User and Group mappings, enough to adapt to just about any situation. In Nexus Repository 2 Professional, we offer User and Group mapping templates that are predefined based on common use cases. For example, if you are running Active Directory, we ship with sensible default templates. In addition to these templates, we offer the ability to have more than one User and Group Mapping for different LDAP servers.

This can come in very handy if you are dealing with more than one authentication source because, very often, those two LDAP servers have completely different models for tracking users and groups.

Intelligent Caching of Authentication Information

Nexus Repository 2 OSS LDAP is going to query your LDAP server every time it needs to authenticate a request. For example, if you have a Maven build that accesses Nexus with authentication, you are going to be hitting your LDAP server for every single artifact download request. If you have a group of developers, that means that your Nexus Repository 2 server is going to be generating a huge amount of authentication traffic against your LDAP server.

Nexus Repository 2 Professional takes a very conservative approach to caching authentication information. We don't have such an over-eager cache that we're holding on to authentication events for too long. You'll never hear anything about Nexus Repository 2 not being up to date with an LDAP server, but we do cache information in the context of a request. You can configure how long authentication events are cached, but even a cache lifetime of a few minutes is enough to insulate yourself from the performance problem you might encounter with the uncached OSS version of the tool.
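The behaviours described above (iteration over several LDAP servers, failover hosts, and a time-limited authentication cache) can be modelled in a few lines. The following Python sketch is an added example, not Nexus Repository code; the class names, the in-memory `FakeLdapHost`, the 120-second lifetime and the sample accounts are all constructed for illustration.

```python
import hashlib, hmac, os

class Unreachable(Exception):
    """Constructed stand-in for a network failure talking to an LDAP host."""

class FakeLdapHost:
    """In-memory stand-in for one LDAP host; counts the binds it receives."""
    def __init__(self, users, up=True):
        self.users, self.up, self.binds = users, up, 0
    def bind(self, user, password):
        if not self.up:
            raise Unreachable()
        self.binds += 1
        return self.users.get(user) == password

class CachingAuthenticator:
    def __init__(self, servers, ttl_seconds, clock):
        # servers: ordered list; each entry is [primary, failover, ...]
        self.servers, self.ttl, self.clock = servers, ttl_seconds, clock
        self._key = os.urandom(32)  # keyed hash, so no raw password sits in the cache
        self._cache = {}            # (user, HMAC(password)) -> expiry time
    def authenticate(self, user, password):
        mac = hmac.new(self._key, password.encode(), hashlib.sha256).digest()
        if self._cache.get((user, mac), 0) > self.clock():
            return True             # cache hit: no LDAP traffic at all
        for hosts in self.servers:
            for host in hosts:
                try:
                    accepted = host.bind(user, password)
                except Unreachable:
                    continue        # host down: try its failover host
                if accepted:        # only successes are cached
                    self._cache[(user, mac)] = self.clock() + self.ttl
                    return True
                break               # reachable but rejected: next LDAP server
        return False

def demo():
    now = [0.0]                     # fake clock, in seconds
    corp = [FakeLdapHost({"alice": "pw-a"}, up=False), FakeLdapHost({"alice": "pw-a"})]
    acquired = [FakeLdapHost({"bob": "pw-b"})]
    auth = CachingAuthenticator([corp, acquired], ttl_seconds=120, clock=lambda: now[0])
    downloads = all(auth.authenticate("bob", "pw-b") for _ in range(50))
    binds_for_50 = corp[1].binds + acquired[0].binds
    del acquired[0].users["bob"]    # account removed in the directory
    now[0] = 60.0
    inside_ttl = auth.authenticate("bob", "pw-b")
    now[0] = 121.0
    after_ttl = auth.authenticate("bob", "pw-b")
    return downloads, binds_for_50, inside_ttl, after_ttl
```

`demo()` returns `(True, 2, True, False)`: fifty authenticated requests cost two binds in total, and an account removed from the directory is still accepted until its cache entry expires. That window is the reason to keep the cache lifetime to the few minutes the article suggests.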


For the record, there's nothing wrong with the Nexus Repository 2 OSS LDAP from a performance perspective. It's a solid integration with LDAP, and it has everything you'd expect from a product that supports LDAP.
