LDAP to Active Directory #341

Closed
coofercat opened this issue Dec 3, 2021 · 2 comments
@coofercat

This is (at most) a documentation suggestion, or could just live here to achieve much the same. I'm happy to see the issue closed without comment if you want.

Here's an example LDAP configuration talking to Active Directory, using Dynamic Groups mapped to Nexus roles:

```yaml
ldap_connections:
  - ldap_name: 'Example AD' # used as a key to update the ldap config
    ldap_protocol: 'ldaps' # ldap or ldaps
    ldap_hostname: 'ad.example.com'
    ldap_port: 636
    ldap_search_base: 'DC=ad,DC=example,DC=com'
    ldap_auth: 'simple'
    ldap_auth_username: 'CN=LDAP Access,DC=ad,DC=example,DC=com'
    ldap_auth_password: 'somepassword'
    ldap_user_base_dn: 'cn=users'
    ldap_user_filter: '' # (optional)
    ldap_user_object_class: 'user'
    ldap_user_id_attribute: 'sAMAccountName'
    ldap_user_real_name_attribute: 'cn'
    ldap_user_email_attribute: 'mail'
    ldap_user_subtree: true
    ldap_map_groups_as_roles: true
    ldap_map_groups_as_roles_type: 'dynamic'
    ldap_group_base_dn: 'ou=groups'
    ldap_group_object_class: 'posixGroup'
    ldap_group_id_attribute: 'cn'
    ldap_group_member_attribute: 'member'
    ldap_group_member_format: 'memberOf'
    ldap_group_subtree: true
```

You should more than likely change the ldap_search_base, ldap_auth_username (and password) to suit your setup. You may want an ldap_user_filter, but if you don't, users without mapped roles will have the same permissions as anonymous users.

The above setup also assumes the search base is "below" the users and groups (i.e. your users and groups are in hierarchical layers on top of the search base). This is probably true for most setups, but you can try setting the subtree settings to false if you think otherwise.

If it matters, the actual AD I'm using here is a Simple AD in AWS, and has had almost no configuration applied, except to add some "folders" and users/groups etc.
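As an added example (not part of the original post or of the role's own code), the following lints one `ldap_connections` entry for the points raised above: bind transport, port, the empty user filter, and how the relative user and group DNs sit on top of the search base. The function names, severity labels and the `CONFIG` dict are assumptions made for illustration; `CONFIG` is constructed from the values posted in this issue.

```python
# Added example: lint one entry of an ldap_connections list.
# CONFIG is constructed from the values posted in this issue.
CONFIG = {
    "ldap_name": "Example AD",
    "ldap_protocol": "ldaps",
    "ldap_hostname": "ad.example.com",
    "ldap_port": 636,
    "ldap_search_base": "DC=ad,DC=example,DC=com",
    "ldap_auth": "simple",
    "ldap_user_base_dn": "cn=users",
    "ldap_user_filter": "",
    "ldap_user_subtree": True,
    "ldap_map_groups_as_roles": True,
    "ldap_group_base_dn": "ou=groups",
}

STANDARD_PORTS = {"ldap": 389, "ldaps": 636}


def effective_dn(conn, key):
    """Join a relative base DN (e.g. 'cn=users') onto ldap_search_base."""
    relative = conn.get(key, "").strip().strip(",")
    base = conn["ldap_search_base"].strip()
    return f"{relative},{base}" if relative else base


def lint_connection(conn):
    """Return (severity, message) findings; severities are illustrative."""
    findings = []
    proto = conn.get("ldap_protocol", "ldap")
    if proto != "ldaps" and conn.get("ldap_auth") == "simple":
        findings.append(("high", "simple bind over plain ldap sends the "
                         "bind password without TLS"))
    expected = STANDARD_PORTS.get(proto)
    if expected and conn.get("ldap_port") != expected:
        findings.append(("info", f"port {conn.get('ldap_port')} is not the "
                         f"standard {proto} port {expected}"))
    if not conn.get("ldap_user_filter"):
        findings.append(("medium", "empty ldap_user_filter: users under "
                         f"{effective_dn(conn, 'ldap_user_base_dn')} without "
                         "a mapped role get anonymous-level permissions"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_connection(CONFIG):
        print(f"[{severity}] {message}")
    print("group search root:", effective_dn(CONFIG, "ldap_group_base_dn"))
```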

@nliebelt

Add it to the docs!

@zeitounator
Member

Hi.

I'm getting back to maintenance after a long pause for 2 main reasons: 1) I was quite busy on other while the role was running like a charm on my side (deploying several times a month) and I had no special need for enhancements 2) the CI was down, making reviewing PRs quite a pain (this has been fixed). Sorry for not getting in touch sooner.


I've added a link to this issue in README at the bottom of the ldap section. Cheers.
