all available LDAP groups are not listed when mapping external roles

I am using version 2.9.0-04

I am unable to configure external role mappings for an LDAP group because it does not appear in the drop down of roles derived from the LDAP source. However, I am able to see this role assigned on specific users when I look at configuring a role directly on an external LDAP user.

In looking at the code of org.sonatype.security.ldap.dao.DefaultLdapGroupDAO, it appears that in the case of Dynamic groups that this list is determined by querying the users and building the role list as the unique set of groups from the memberOf attribute. Logically, this is correct, but what I suspect is occurring is that the LDAP server is limiting the number of users returned on this type of general query (of all users), so not all of the possible groups will be discovered in the case of larger LDAP databases. Since the validation forces any entered role name to be in this derived list, I cannot configure the mapping I need even by typing it in directly.

This issue prevents me from using LDAP group assignments to control Nexus Administrator and Nexus Upload user assignments because I cannot construct the necessary role mappings.

Since at the end of the day, these group/role names for external role mappings within Nexus are just strings to match against future specific user memberOf queries, perhaps this validation should not be this strict because of the potential limitations of the LDAP server interaction. The dropdown can be somewhat of an aid in selection, but the user entered role name should be allowed to not exist in the list as well. At the end of the day, if the role doesn't match what a user has for memberOf, the administrator will have to correct a mistaken entry anyway.

Workaround

https://support.sonatype.com/hc/en-us/articles/213464838-Nexus-does-not-list-all-avaliable-LDAP-groups-in-external-role-mapping-dialog