LDAP Groups

Overview

The LDAP Groups add-on lets you synchronize your LDAP groups with Artifactory and leverage your existing organizational structure for managing group-based permissions. Unlike many LDAP integrations, LDAP groups in Artifactory use super-fast caching and support Static, Dynamic, and Hierarchical mapping strategies. Powerful management is accomplished with multiple switchable LDAP settings and visual feedback about the up-to-date status of groups and users coming from LDAP.

LDAP groups synchronization works by instructing Artifactory about the external groups that authenticated users belong to. When a user logs in, they are automatically associated with their LDAP groups and inherit the group-based permissions managed in Artifactory.

Usage

LDAP Groups settings are available under Admin:Security:LDAP Settings.
To use LDAP groups you first need to set up an LDAP server for authentication from the LDAP Settings screen.

Next, you need to tell Artifactory about the correct LDAP group settings to use with your existing LDAP schema.

Group Synchronization Strategies

Artifactory supports three ways of mapping groups to LDAP schemas:

  • Static: Group objects are aware of their members, but the users are not aware of which groups they belong to.
    Each group object, such as groupOfNames or groupOfUniqueNames, holds its respective member attributes, typically member or uniqueMember, each of which is a user DN.
  • Dynamic: User objects are aware of which groups they belong to, but the group objects are not aware of their members.
    Each user object contains a custom attribute, such as group, that holds the DN of the group the user is a member of.
  • Hierarchical: The user's DN indicates the groups the user belongs to by using group names as part of the user DN hierarchy.
    Each user DN contains a list of ou's or custom attributes that make up the group association. For example,
    uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org indicates that user1 belongs to two groups: uk and developers.
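
The following is an added example, not Artifactory's own code, showing how each strategy derives a user's groups from a small constructed in-memory directory. The directory entries, the group names deployers, readers and release-managers, and all helper functions are assumptions for illustration, and the DN parsing is simplified.

```python
import re

# Constructed sample directory (not from the page): DN -> attributes.
DIRECTORY = {
    "cn=deployers,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org"],
    },
    "cn=readers,ou=groups,dc=jfrog,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=user2,ou=qa,ou=us,dc=jfrog,dc=org"],
    },
    "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org": {
        "objectClass": ["inetOrgPerson"],
        "group": ["cn=release-managers,ou=groups,dc=jfrog,dc=org"],
    },
}

def split_dn(dn):
    """Split a DN into (attribute, value) pairs. Simplified: only '\\,' escapes."""
    rdns = re.split(r"(?<!\\),", dn)
    return [tuple(part.strip() for part in rdn.split("=", 1)) for rdn in rdns]

def norm(dn):
    """Normalize case and spacing so equivalent DNs compare equal (simplified)."""
    return ",".join(f"{a.lower()}={v.lower()}" for a, v in split_dn(dn))

def group_name(group_dn, name_attr="cn"):
    """Return the value of the group's naming attribute, e.g. cn."""
    return next(v for a, v in split_dn(group_dn) if a.lower() == name_attr)

def static_groups(user_dn, member_attr="member"):
    """Static: find group entries whose member attribute holds the user DN."""
    return sorted(group_name(dn) for dn, attrs in DIRECTORY.items()
                  if norm(user_dn) in map(norm, attrs.get(member_attr, [])))

def dynamic_groups(user_dn, group_attr="group"):
    """Dynamic: read the group DNs stored on the user entry itself."""
    return sorted(group_name(g) for g in DIRECTORY[user_dn].get(group_attr, []))

def hierarchical_groups(user_dn, dn_attr="ou"):
    """Hierarchical: take the chosen RDN attribute values from the user DN."""
    return sorted(v for a, v in split_dn(user_dn) if a.lower() == dn_attr)
```

The same user resolves to a different set of groups under each strategy, so the strategy you configure must match the part of your schema that actually carries membership.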

Synchronizing LDAP Groups with Artifactory

Once you have configured how groups should be retrieved from your LDAP server, you can verify your setup by clicking the Refresh button on the Synchronize LDAP Groups sub-panel. You should get a list of available LDAP groups, according to your settings.

You are now ready to synchronize/import groups into Artifactory. The groups table lets you select which groups to import and displays the sync-state for each group.
A group can either be completely new or already exist in Artifactory. If a group already exists in Artifactory, it can become outdated (for example, if the group DN has changed). This is indicated in the table so you can select the group for re-import.

Once a group is imported (synced), a new external LDAP group is created in Artifactory with the name of the group.

Once you have imported LDAP groups, you can manage permissions on them as you do with regular Artifactory groups. User association with these groups is external and controlled strictly by LDAP.

Make sure the LDAP group settings are enabled (in the LDAP Groups Settings panel) in order for your settings to become effective.

Copyright © 2009 JFrog Ltd.