Dev - Nexus Repo
NEXUS-6902

all available LDAP groups are not listed when mapping external roles

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.9
    • Fix Version/s: None
    • Component/s: LDAP
    • Labels:

      Description

      I am using version 2.9.0-04

      I am unable to configure external role mappings for an LDAP group because it does not appear in the drop-down of roles derived from the LDAP source. However, I am able to see this role assigned on specific users when I look at configuring a role directly on an external LDAP user.

      In looking at the code of org.sonatype.security.ldap.dao.DefaultLdapGroupDAO, it appears that, in the case of dynamic groups, this list is determined by querying the users and building the role list as the unique set of groups from the memberOf attribute. Logically, this is correct, but what I suspect is occurring is that the LDAP server is limiting the number of users returned on this type of general query (of all users), so not all of the possible groups will be discovered in the case of larger LDAP databases. Since the validation forces any entered role name to be in this derived list, I cannot configure the mapping I need even by typing it in directly.

      This issue prevents me from using LDAP group assignments to control Nexus Administrator and Nexus Upload user assignments because I cannot construct the necessary role mappings.

      Since at the end of the day, these group/role names for external role mappings within Nexus are just strings to match against future specific user memberOf queries, perhaps this validation should not be this strict because of the potential limitations of the LDAP server interaction. The dropdown can be somewhat of an aid in selection, but the user entered role name should be allowed to not exist in the list as well. At the end of the day, if the role doesn't match what a user has for memberOf, the administrator will have to correct a mistaken entry anyway.

      Workaround

      https://support.sonatype.com/hc/en-us/articles/213464838-Nexus-does-not-list-all-avaliable-LDAP-groups-in-external-role-mapping-dialog
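The derivation the report describes (enumerate users, collect the distinct memberOf values, validate a typed-in role against that set) is modelled below as an added example. It is not Nexus or Sonatype code: the sample directory, the size-limit simulation in search_users, the paged variant and the validate_role_mapping helper are all constructed here to show how a server-side size limit silently shrinks the derived group list, how to detect that the list is incomplete, and how paging or a truncation-aware check avoids the lockout.

```python
# Added example (not Nexus code): a simplified model of deriving the group list
# for dynamic LDAP groups from the memberOf attribute of all returned users.
# Directory contents, size limits and function names are constructed.
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory. The nexus-admins group appears only on a user
# near the end of the result set, so a truncated search never sees it.
SAMPLE_DIRECTORY: List[Entry] = [
    {"uid": ["alice"], "memberOf": ["cn=developers,ou=groups,dc=example,dc=com"]},
    {"uid": ["bob"],   "memberOf": ["cn=developers,ou=groups,dc=example,dc=com",
                                    "cn=qa,ou=groups,dc=example,dc=com"]},
    {"uid": ["carol"], "memberOf": ["cn=qa,ou=groups,dc=example,dc=com"]},
    {"uid": ["dave"],  "memberOf": ["cn=nexus-admins,ou=groups,dc=example,dc=com"]},
    {"uid": ["erin"],  "memberOf": ["cn=nexus-uploaders,ou=groups,dc=example,dc=com"]},
]


def search_users(directory: List[Entry], size_limit: int) -> Tuple[List[Entry], bool]:
    """Simulate a server-enforced size limit: at most `size_limit` entries are
    returned, and the second value says whether the result set was cut short
    (a real LDAP server signals this with the sizeLimitExceeded result code)."""
    entries = directory[:size_limit]
    return entries, len(directory) > size_limit


def derive_groups(entries: List[Entry]) -> Set[str]:
    """The unique set of memberOf values across the users that came back."""
    groups: Set[str] = set()
    for entry in entries:
        groups.update(entry.get("memberOf", []))
    return groups


def derive_groups_paged(directory: List[Entry], page_size: int) -> Set[str]:
    """Walk the directory in pages no larger than the server limit, the same
    shape as the simple paged-results control (RFC 2696): fetch a page, keep
    the cookie (modelled here as an offset), repeat until exhausted."""
    groups: Set[str] = set()
    offset = 0
    while offset < len(directory):
        page, _ = search_users(directory[offset:], page_size)
        groups.update(derive_groups(page))
        offset += page_size
    return groups


def validate_role_mapping(role: str, derived: Set[str], truncated: bool) -> str:
    """Strict membership check as the report describes it, relaxed only when
    the derived list is known to be incomplete:
      'ok'                  role is in the derived list
      'accepted-unverified' not in the list, but the list was truncated
      'rejected'            not in the list and the list was complete"""
    if role in derived:
        return "ok"
    if truncated:
        return "accepted-unverified"
    return "rejected"


if __name__ == "__main__":
    admins = "cn=nexus-admins,ou=groups,dc=example,dc=com"
    entries, truncated = search_users(SAMPLE_DIRECTORY, size_limit=2)
    derived = derive_groups(entries)
    print("truncated:", truncated, "groups seen:", sorted(derived))
    print("mapping the admins group:", validate_role_mapping(admins, derived, truncated))
    print("paged derivation:", sorted(derive_groups_paged(SAMPLE_DIRECTORY, page_size=2)))
```

With a size limit of 2 the derived list holds only the developers and qa groups, so a strict check rejects the admins mapping exactly as the report describes; the truncation flag is what lets the relaxed check accept it, and the paged walk recovers all four groups without any single response exceeding the limit.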

    People

    • Assignee: Unassigned
    • Reporter: Daniel Holmes (NetAppBlueDevil)
    • Last Updated By: Peter Lynch
    • Votes: 2
    • Watchers: 6
