Overview

The LDAP Groups Add-on allows you to synchronize your LDAP groups with Artifactory and leverage your existing organizational structure for managing group-based permissions.

Unlike many LDAP integrations, LDAP groups in Artifactory use super-fast caching and support Static, Dynamic and Hierarchical mapping strategies. Powerful management is accomplished with multiple switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

LDAP group synchronization works by instructing Artifactory about the external groups that authenticated users belong to. Once logged in, you are automatically associated with your LDAP groups and inherit the group-based permissions managed in Artifactory.

Usage

LDAP Groups settings are available under the Admin tab and then Security -> LDAP Settings.

To use LDAP groups you must first set up an LDAP server for authentication from the LDAP Settings screen. You must also configure Artifactory with the correct LDAP group settings for your existing LDAP schema.

Active Directory Users

For specific help with setting up LDAP groups for an Active Directory installation please see this page.

Group Synchronization Strategies

Artifactory supports three ways of mapping groups to LDAP schemas:

  • Static: Group objects are aware of their members, but users are not aware of which groups they belong to.
    Each group object, such as groupOfNames or groupOfUniqueNames, holds its respective member attribute, typically member or uniqueMember, whose values are user DNs.
  • Dynamic: User objects are aware of which groups they belong to, but the group objects are not aware of their members.
    Each user object contains a custom attribute, such as group, that holds the group DNs or group names of which the user is a member.
  • Hierarchical: The user's DN indicates the groups the user belongs to, by using group names as part of the user DN hierarchy.
    Each user DN contains a list of OUs or custom attributes that make up the group association.
    For example, uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org indicates that user1 belongs to two groups: uk and developers.
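The three strategies above, worked through in code. This is an added example and not Artifactory's own code: the directory below is a constructed in-memory stand-in for LDAP search results (DN mapped to attributes), the user attribute name "group" and the group names are assumptions, and the DN handling covers only the backslash-escape form of RFC 4514.

```python
"""Resolve group membership under the Static, Dynamic and Hierarchical strategies.

Added example: DIRECTORY is a constructed in-memory stand-in for LDAP search
results (DN -> attributes); it is not Artifactory code.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory. groupOfNames uses 'member', groupOfUniqueNames
# uses 'uniqueMember'; user entries carry an assumed custom 'group' attribute.
DIRECTORY: Dict[str, Entry] = {
    "cn=developers,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": [
            "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org",
            "uid=user2,ou=People,dc=jfrog,dc=org",
        ],
    },
    "cn=qa,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=user2,ou=People,dc=jfrog,dc=org"],
    },
    "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org": {
        "objectClass": ["inetOrgPerson"],
        # Dynamic strategy: values may be group DNs or bare group names.
        "group": ["cn=developers,ou=groups,dc=jfrog,dc=org", "release-managers"],
    },
    "uid=user2,ou=People,dc=jfrog,dc=org": {"objectClass": ["inetOrgPerson"]},
}

MEMBER_ATTRS = ("member", "uniqueMember")


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def rdn_parts(rdn: str) -> Tuple[str, str]:
    """Return (attribute type, unescaped value) for a single-valued RDN."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())


def normalise_dn(dn: str) -> str:
    """Canonical form for DN comparison: lower case, no whitespace around commas."""
    return ",".join(r.lower() for r in split_dn(dn))


def group_name(value: str) -> str:
    """A group reference may be a DN (use its leading RDN value) or a plain name."""
    return rdn_parts(split_dn(value)[0])[1] if "=" in value else value


def static_groups(user_dn: str, directory: Dict[str, Entry]) -> List[str]:
    """Static: find group entries whose member attributes list the user's DN."""
    wanted = normalise_dn(user_dn)
    names = []
    for dn, attrs in directory.items():
        members = [m for a in MEMBER_ATTRS for m in attrs.get(a, [])]
        if any(normalise_dn(m) == wanted for m in members):
            names.append(group_name(dn))
    return sorted(names)


def dynamic_groups(user_dn: str, directory: Dict[str, Entry], attr: str = "group") -> List[str]:
    """Dynamic: read the group references stored on the user entry itself."""
    wanted = normalise_dn(user_dn)
    for dn, attrs in directory.items():
        if normalise_dn(dn) == wanted:
            return [group_name(v) for v in attrs.get(attr, [])]
    raise KeyError(f"no entry for {user_dn}")


def hierarchical_groups(user_dn: str, group_attrs=("ou",)) -> List[str]:
    """Hierarchical: each 'ou' (or configured attribute) above the user's own RDN is a group."""
    return [value for attr, value in map(rdn_parts, split_dn(user_dn)[1:]) if attr in group_attrs]


if __name__ == "__main__":
    u1 = "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org"
    print("static      ", static_groups(u1, DIRECTORY))
    print("dynamic     ", dynamic_groups(u1, DIRECTORY))
    print("hierarchical", hierarchical_groups(u1))
```

DN comparison is done on a normalised form (case-folded, whitespace stripped) because the DN stored in a group's member attribute rarely matches the user's DN byte for byte; a plain string compare would silently drop memberships.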


LDAP Settings Fields

Settings Name
    The name of the LDAP setting; it serves as the setting's unique ID.

LDAP URL
    The location of the LDAP server, in the form:
    ldap://myserver:myport/dc=sampledomain,dc=com

User DN Pattern
    A DN pattern that can be used to log users in directly to LDAP.
    The pattern is used to build a DN string for 'direct' user authentication and is relative to the base DN in the LDAP URL.
    The pattern argument {0} is replaced with the username.
    This works only if anonymous binding is allowed and a direct user DN can be used (which is not the default case for Active Directory; use the User DN search filter instead).
    For example: uid={0},ou=People

Auto Create Artifactory Users
    When this checkbox is marked, users authenticating through LDAP are created automatically in Artifactory; otherwise they are transient and are associated with the auto-join groups defined in Artifactory.

Email Attribute
    An attribute used to map a user's email address to the user created automatically in Artifactory.

Search Filter
    A filter expression used to search for the user DN used in LDAP authentication.
    This is an LDAP search filter (as defined in RFC 2254) with optional arguments. Here the username is the only argument, denoted by '{0}'.
    For example:
    (uid={0}) - searches for a username match on the uid attribute.
    If the search finds a DN, authentication to LDAP is performed with that DN.

Search Base
    Context name to search in, relative to the base DN in the LDAP URL, e.g. ou=users
    With the LDAP Groups Add-on enabled, multiple search base entries can be entered, separated by the '|' sign, e.g. ou=internalUsers,ou=hq|ou=externalUsers
    This parameter is optional.

Manager DN
    Used only with the "search" authentication method.
    The full DN of the user that binds to the LDAP server to perform user searches.

Manager Password
    Used only with the "search" authentication method.
    The password of the user that binds to the LDAP server to perform the search.

Sub-tree Search
    Enables deep search through the sub-tree below the LDAP URL base DN plus the search base. True by default.

Test Username
    The username used to test the LDAP connection.

Test Password
    The password used to test the LDAP connection.

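How the LDAP URL, User DN Pattern, Search Filter and Search Base fields combine for one login name, as an added example that is not Artifactory's code. The escaping helpers show what a careful implementation has to do when it substitutes a login name into '{0}' in a DN or a filter (RFC 4514 and RFC 4515 rules); the page does not state how Artifactory itself performs that substitution, so treat that part as an assumption about a sound implementation rather than a description of the product. The port number and usernames are constructed.

```python
"""Combine LDAP Settings fields into a bind DN, a search filter and search contexts.

Added example, not Artifactory code. Escaping follows RFC 4514 (DN values) and
RFC 4515 (filter values); whether Artifactory escapes exactly like this is not
stated on the page.
"""
from typing import List, Tuple
from urllib.parse import urlparse

# RFC 4515: characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Make a user-supplied string safe to place inside a filter such as (uid={0})."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Make a user-supplied string safe to place inside a DN such as uid={0},ou=People."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def parse_ldap_url(url: str) -> Tuple[str, str, int, str]:
    """Split 'ldap://host:port/base-dn' into (scheme, host, port, base DN)."""
    p = urlparse(url)
    if p.scheme not in ("ldap", "ldaps") or not p.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    port = p.port or (636 if p.scheme == "ldaps" else 389)  # standard default ports
    return p.scheme, p.hostname, port, p.path.lstrip("/")


def build_user_dn(pattern: str, username: str, base_dn: str) -> str:
    """User DN Pattern: '{0}' -> username; the result is relative to the URL's base DN."""
    relative = pattern.replace("{0}", escape_dn_value(username))
    return f"{relative},{base_dn}" if base_dn else relative


def build_search_filter(search_filter: str, username: str) -> str:
    """Search Filter: '{0}' -> username, with filter metacharacters escaped."""
    return search_filter.replace("{0}", escape_filter_value(username))


def search_contexts(search_base: str, base_dn: str) -> List[str]:
    """Search Base: '|'-separated entries, each relative to the URL's base DN."""
    bases = [b.strip() for b in search_base.split("|") if b.strip()]
    return [f"{b},{base_dn}" if base_dn else b for b in bases]


if __name__ == "__main__":
    # Constructed settings mirroring the examples in the field list above.
    scheme, host, port, base_dn = parse_ldap_url("ldap://myserver:389/dc=sampledomain,dc=com")
    print(build_user_dn("uid={0},ou=People", "jane", base_dn))
    print(build_search_filter("(uid={0})", "jane"))
    print(search_contexts("ou=internalUsers,ou=hq|ou=externalUsers", base_dn))
```

The two escaping functions differ on purpose: a comma is harmless in a filter but splits a DN, while an asterisk or parenthesis is harmless in a DN but changes a filter. Any code that substitutes a login name into '{0}' needs the rule that matches where the value lands.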

Synchronizing LDAP Groups with Artifactory

Once you have configured how groups should be retrieved from your LDAP server, you can verify your setup by clicking the Refresh button on the Synchronize LDAP Groups sub-panel. A list of available LDAP groups is displayed according to your settings.

You are now ready to synchronize (import) groups into Artifactory. The groups table allows you to select which groups to import and displays the sync state for each group:

A group can either be completely new or already existing in Artifactory. If a group already exists in Artifactory it can become outdated (for example, if the group DN has changed) - this is indicated in the table so you can select to re-import it.

Once a group is imported (synced) a new external LDAP group is created in Artifactory with the name of the group.

Once you have imported LDAP groups, you can manage permissions on them as with regular Artifactory groups. User association to these groups is external and controlled strictly by LDAP.

Make sure the LDAP group settings are enabled (in the LDAP Groups Settings panel) in order for your settings to take effect.
