Skip to end of metadata
Go to start of metadata
Table of Contents

Overview

The LDAP Groups Add-on allows you to synchronize your LDAP groups with Artifactory and leverage your existing organizational structure for managing group-based permissions.

Unlike many LDAP integrations, LDAP groups in Artifactory use super-fast caching, and has support for both Static, Dynamic and Hierarchical mapping strategies. Powerful management is accomplished with multiple switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

LDAP groups synchronization works by instructing Artifactory about the external groups authenticated users belong to.  Once logged-in, you are automatically associated with your LDAP groups and inherit group-based permission managed in Artifactory.

Usage

LDAP Groups settings are available under the Admin tab and then Security -> LDAP Settings.

To use LDAP groups you must first set up an LDAP server for authentication from the LDAP Settings screen.  You must also alert Artifactory about the correct LDAP group settings to use with your existing LDAP schema.

Active Directory Users

For specific help with setting up LDAP groups for an Active Directory installation please see this page.

Group Synchronization Strategies

Artifactory supports three ways of mapping groups to LDAP schemas: 

  • Static: Group objects are aware of their members, however, the users are not aware what groups they belong to.
    Each group object such as groupOfNames or groupOfUniqueNames holds its respective member attributes, typically member or uniqueMember, which is a user DN.
  • Dynamic: User objects are aware of what groups they belong to, but the group objects are not aware of their members.
    Each user object contains a custom attribute, such as group, that holds the group DNs or group names of which the user is a member.
  • Hierarchy: The user's DN is indicative of the groups the user belongs to by using group names as part of user DN hierarchy.
    Each user DN contains a list of ou's or custom attributes that make up the group association. 
    For example,
    uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org indicates that user1 belongs to two groups: uk and developers.

LDAP Group Settings

Synchronizing LDAP Groups with Artifactory

Once you have configured how groups should be retrieved from your LDAP server, you can verify your set up by clicking the Refresh button on the Synchronize LDAP Groups sub-panel. A list of available LDAP groups is displayed according to your settings.

You are now ready to synchronize/import groups into Artifactory. The groups table allows you to select which groups to import and displays the sync-state for each group:

A group can either be completely new or already existing in Artifactory. If a group already exists in Artifactory it can become outdated (for example, if the group DN has changed) - this is indicated in the table so you can select to re-import it.

Once a group is imported (synced) a new external LDAP group is created in Artifactory with the name of the group.

 

Once you have imported LDAP groups, you can Manage Permissions on them as with regular Artifactory groups. Users association to these groups is external and controlled strictly by LDAP.

Make sure the LDAP group settings is enabled (in the LDAP Groups Settings panel) in order for your settings to become effective.

Watch the Screencast

  • No labels