Working With Active Directory
We will describe how to configure Artifactory to work with Active Directory using an example.
Consider an Active Directory server that must support the following conditions:
- Users are located in two geographically separated sites. Some are in the US (designated as "us"), while others are in Israel (designated as "il").
- Each site defines users and groups in different places in the Active Directory tree as displayed below.
To configure Active Directory authentication, in the Admin module, go to Security | LDAP and click New.
The configuration parameters are as follows:
|The unique ID of the Active Directory setting.|
When set, these settings are enabled.
Active Directory URL
Location of the Active Directory server LDAP access point in the following format:
The URL may include the base DN used to search for and/or authenticate users. If not specified, the Search Base field is required.
User DN Pattern
A DN pattern used to log users directlyin tothe LDAP database.
For Active Directory, we recommend leaving this field blank since this only works if anonymous binding is allowed and a direct user DN can be used, which is not the default case in Active Directory.
Auto Create Artifactory Users
|When set, Artifactory will automatically create new users for those who have logged in using Active Directory. Any newly created users will be associated to the default groups.|
An attribute that can be used to map a user's email to a user created automatically by Artifactory.
This corresponds to the mail field in Active Directory.
A filter expression used to search for the user DN that is used in Active Directory authentication.
This is an LDAP search filter (as defined in 'RFC 2254') with optional arguments. In this case, the
username is the only argument, denoted by
For Active Directorythe corresponding field should be
The Context name in which to search relative to the base DN in the Active Directory URL. This parameter is optional, but if possible, we highly recommend that you set it to prevent long searches on the Active Directory tree. Leaving this field blank will significantly slow down the Active Directory integration.
The configuration in the example below indicates that search should only be performed under "frogs/il" or "frogs/us". This improves search performance since Artifactory will not search outside the scope of the "frogs" entry.
The full DN of a user with permissions that allow querying the Active Directory server. When working with LDAP Groups, the user should have permissions for any extra group attributes such as memberOf.
The password of the user binding to the Active Directory server when using "search" authentication.
Search Sub Tree
|When set, enables deep search through the sub-tree of the Active Directory URL + Search Base. True by default.|
Importing Active Directory Groups
Active Directory groups can be imported using either a Static mapping strategy or a Dynamic one (Active Directory works for both).
The only difference is in the attribute defined on the corresponding Active Directory entry:
- The Static mapping strategy defines a "member" multi-value attribute on the group entry containing user DNs of the group members
- The "Dynamic" configuration defines a "memberOf" multi-value attribute on the user entry containing group DNs of the groups the user is a member of.
Active Directory supports both configurations, so you can choose the one which fits your organization's structure.
Support for Nested Groups
Artifactory supports synchronization with Active Directory "Nested Groups".
Microsoft provides a unique OID for rule chain matching as part of the
search filter syntax
, so when executing an LDAP Query to Active Directory using this OID, Active Directory returns a list of all the groups that a user's main group membership inherits from.
The screenshot below shows the following example:
Mapping Strategy: Static
Group Membership Attribute: member:1.2.840.1135184.108.40.2061:
Group Name Attribute: cn
Using Secure Active Directory
To use Secure Active Directory with a valid certificate from a CA trusted by Java, all you need to do us use a secure Active Directory URL in your settings, e.g.
If you want to use Secure Active Directory with a non-trusted (self-signed) certificate, please follow the steps described in Using a Self-Signed Certificate.
To construct the Manager DN string according to your Active Directory server, navigate to a user with administrator privileges (e.g. Administrator (1)), and then construct the Manager DN in reverse order (2,3) from the User, up the folder hierarchy.
For example, in this simple configuration, the Manager DN here should be
Notice that the domain (3) is split in reverse order to