Set up LDAP authentication for Nexus Repository Manager to enable centralized enterprise user management and seamless integration with Active Directory for secure artifact repository access.
Prerequisites
- Nexus Repository Manager 3.x installed and running
- LDAP server (Active Directory or OpenLDAP)
- Admin access to Nexus and LDAP server
- Network connectivity between Nexus and LDAP server
What this solves
Nexus Repository Manager LDAP authentication lets you centralize user management through your existing Active Directory or LDAP infrastructure. Instead of maintaining separate user accounts in Nexus, you can authenticate users against your enterprise directory and automatically map LDAP groups to Nexus roles for streamlined access control.
LDAP configuration prerequisites
Gather LDAP server information
Before configuring Nexus, collect the necessary LDAP server details from your system administrator.
You'll need:
- LDAP server hostname or IP address
- LDAP port (389 for LDAP, 636 for LDAPS)
- Base DN (Distinguished Name) for user searches
- Service account credentials for LDAP binding
- User and group object classes and attributes
Test LDAP connectivity
Verify that your Nexus server can reach the LDAP server on the required port.
telnet ldap.example.com 389
For LDAPS connections, test the secure port:
openssl s_client -connect ldap.example.com:636
Create LDAP service account
Create a dedicated service account in your LDAP directory for Nexus to use when querying user and group information. This account needs read access to user and group objects but should follow the principle of least privilege.
For example: cn=nexus-service,ou=Service Accounts,dc=example,dc=com. Work with your LDAP administrator to create this account with appropriate permissions.
Configure LDAP connection settings
Access Nexus administration panel
Log into Nexus Repository Manager as an administrator and navigate to the LDAP configuration section.
Open your web browser and go to your Nexus instance:
https://nexus.example.com:8081
Navigate to Administration → Security → LDAP.
Create new LDAP connection
Click "Create connection" and configure the basic LDAP server settings.
Fill in the connection details:
- Name: Active Directory (or descriptive name)
- Protocol: ldap or ldaps
- Hostname: ldap.example.com
- Port: 389 (LDAP) or 636 (LDAPS)
- Search base: dc=example,dc=com
Configure authentication method
Set up the service account authentication that Nexus will use to query the LDAP directory.
Configure the authentication settings:
- Authentication method: Simple Authentication
- SASL realm: Leave blank for simple auth
- Username or DN: cn=nexus-service,ou=Service Accounts,dc=example,dc=com
- Password: Your service account password
Configure user and group settings
Define how Nexus should search for users and groups in your LDAP directory structure.
User configuration:
- Base DN: ou=Users,dc=example,dc=com
- Object class: user (Active Directory) or inetOrgPerson (OpenLDAP)
- User filter: Leave blank for default
- User ID attribute: sAMAccountName (AD) or uid (OpenLDAP)
- Real name attribute: cn
- Email attribute: mail
Group configuration:
- Base DN: ou=Groups,dc=example,dc=com
- Object class: group (Active Directory) or groupOfNames (OpenLDAP)
- Group filter: Leave blank for default
- Group ID attribute: cn
- Group member attribute: member
- Group member format: ${dn}
Test LDAP connection
Use Nexus's built-in connection test to verify your LDAP configuration before saving.
In the LDAP configuration form:
- Click "Verify connection" to test basic connectivity
- Click "Verify user mapping" and enter a test username
- Click "Verify login" with test user credentials
All tests should return success before proceeding.
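To run the same bind, user-lookup and group-membership checks from the shell before entering the values in the form, here is an added script that is not part of the original page or of Nexus. It uses the page's example DNs and Active Directory attributes; the password-file path /etc/nexus/ldap-bind.pw, the script name ldap-precheck.sh and the NEXUS_LDAP_CHECK gate are assumptions.

```shell
#!/bin/sh
# Validates the values that go into the Nexus LDAP form (service-account
# bind, user lookup, static group membership) with ldapsearch before they
# are entered in the UI. Values are the Active Directory examples from the
# page; for OpenLDAP use inetOrgPerson / uid / groupOfNames instead.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com:389}"   # or ldaps://ldap.example.com:636
SEARCH_BASE="dc=example,dc=com"
BIND_DN="cn=nexus-service,ou=Service Accounts,dc=example,dc=com"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/nexus/ldap-bind.pw}"  # assumed path, mode 0600
USER_BASE="ou=Users,dc=example,dc=com"
USER_OBJECT_CLASS="user";   USER_ID_ATTR="sAMAccountName"
GROUP_BASE="ou=Groups,dc=example,dc=com"
GROUP_OBJECT_CLASS="group"; GROUP_ID_ATTR="cn"; GROUP_MEMBER_ATTR="member"

# RFC 4515 escaping so a supplied username or DN cannot change the filter
# structure (Nexus does this internally; a hand-written check must too).
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}
# Same lookup Nexus performs for "Verify user mapping".
user_filter() {
  printf '(&(objectClass=%s)(%s=%s))' "$USER_OBJECT_CLASS" "$USER_ID_ATTR" "$(ldap_escape "$1")"
}
# Static group lookup with member format ${dn}: groups whose member
# attribute contains the user's full DN.
group_filter() {
  printf '(&(objectClass=%s)(%s=%s))' "$GROUP_OBJECT_CLASS" "$GROUP_MEMBER_ATTR" "$(ldap_escape "$1")"
}
# -y reads the bind password from a file instead of exposing it in the
# process list; -o ldif-wrap=no keeps long DNs on a single line.
ldap_query() {
  ldapsearch -LLL -x -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" "$@"
}
check_bind()       { ldap_query -b "$SEARCH_BASE" -s base '(objectClass=*)' 1.1 >/dev/null; }
find_user_dn()     { ldap_query -b "$USER_BASE" "$(user_filter "$1")" 1.1 | sed -n 's/^dn: //p'; }
list_user_groups() { ldap_query -b "$GROUP_BASE" "$(group_filter "$1")" "$GROUP_ID_ATTR" | sed -n "s/^$GROUP_ID_ATTR: //p"; }

run_checks() {  # usage: NEXUS_LDAP_CHECK=1 sh ldap-precheck.sh jdoe
  check_bind || { echo "bind as $BIND_DN failed: check the DN and password"; return 1; }
  dn=$(find_user_dn "$1")
  [ -n "$dn" ] || { echo "no user matched $(user_filter "$1") under $USER_BASE"; return 1; }
  echo "user DN: $dn"
  user_groups=$(list_user_groups "$dn")
  [ -n "$user_groups" ] || { echo "$dn is in no group under $GROUP_BASE: mapped roles will be empty"; return 1; }
  echo "groups to map as Nexus roles:"; echo "$user_groups"
}
if [ "${NEXUS_LDAP_CHECK:-}" = "1" ]; then run_checks "${1:-}"; fi
```

If the user DN is found but no group is listed, the "Users can authenticate but have no permissions" symptom from the table below is the expected outcome in Nexus.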
Map LDAP groups to Nexus roles
Create Nexus roles for LDAP groups
Define roles in Nexus that correspond to your LDAP groups and assign appropriate privileges.
Navigate to Administration → Security → Roles and create new roles:
- Role ID: nexus-developers
- Role Name: Nexus Developers
- Description: Developer access to artifact repositories
- Privileges: Select repository read/write privileges as needed
Repeat for other roles like nexus-administrators, nexus-readonly, etc.
Map LDAP groups to Nexus roles
Configure automatic role assignment based on LDAP group membership.
Go to Administration → Security → LDAP and edit your LDAP configuration:
- Scroll to the "User and Group" section
- Click "Map LDAP groups as roles"
- Add mappings for each LDAP group:
- LDAP Group: CN=Nexus-Developers,OU=Groups,DC=example,DC=com
- Nexus Roles: nexus-developers
Configure role mapping settings
Fine-tune how LDAP groups are mapped to Nexus roles and handle group nesting if needed.
Additional mapping options:
- Group type: Static (default) or Dynamic
- Member attribute: member (for nested groups)
- Member format: ${dn} (use distinguished names)
For Active Directory with nested groups, enable dynamic group membership to automatically resolve nested group memberships.
Test LDAP authentication and troubleshooting
Test user login
Verify that LDAP users can successfully authenticate and receive appropriate permissions.
Open an incognito browser window and navigate to your Nexus instance. Try logging in with an LDAP user account that belongs to a mapped group.
After successful login, verify the user's assigned roles by checking their profile or attempting to access resources that should be available to their role.
Monitor authentication logs
Check Nexus logs for LDAP authentication events and potential issues.
sudo tail -f /opt/sonatype-nexus/sonatype-work/nexus3/log/nexus.log | grep -i ldap
Look for successful authentication events and any error messages related to LDAP connectivity or user/group resolution.
Enable detailed LDAP logging
If you encounter authentication issues, enable debug logging for LDAP operations.
Navigate to Administration → System → Logging and add a new logger:
- Name: org.sonatype.nexus.ldap
- Level: DEBUG
This will provide detailed information about LDAP queries and authentication attempts in the nexus.log file.
Verify your setup
Confirm that your LDAP authentication is working correctly with these verification steps:
# Check Nexus service status
sudo systemctl status nexus
# Monitor authentication logs in real-time
sudo tail -f /opt/sonatype-nexus/sonatype-work/nexus3/log/nexus.log | grep -E "(LDAP|authentication)"
Test the following scenarios:
- LDAP user can log in successfully
- User receives correct role assignments based on LDAP group membership
- User can access repositories according to their assigned roles
- Invalid credentials are properly rejected
- Users not in mapped groups receive appropriate default permissions
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Connection timeout to LDAP server | Network connectivity or firewall blocking | Test with telnet ldap.example.com 389 and verify firewall rules |
| Authentication fails with "Invalid credentials" | Incorrect service account credentials or DN | Verify service account DN format and test credentials with ldapsearch |
| Users can authenticate but have no permissions | LDAP group mapping not configured correctly | Check group DN format and verify user group membership in LDAP |
| SSL/TLS certificate errors with LDAPS | Certificate not trusted or hostname mismatch | Import LDAP server certificate into Nexus JVM truststore |
| Groups not resolving for Active Directory | Nested group membership not enabled | Enable dynamic group membership and configure member attribute correctly |
Next steps
- Configure Grafana LDAP authentication and role-based access control with Active Directory integration for monitoring your Nexus infrastructure
- Set up Keycloak SAML integration for enterprise single sign-on with identity providers for advanced SSO capabilities
- Integrate Nexus Repository with Kubernetes and Docker registry authentication for container orchestration
- Set up automated Nexus Repository backups with LDAP user data preservation
- Configure Nexus Repository SSL certificates and security hardening