We are using LDAP in our Sonatype Nexus instance. Some users complained that while they could log in, they could not access the repositories as expected.
I found out that the cause was an invalid configuration of the LDAP connection, specifically related to the “memberOf” attribute, which did not include nested groupings.
After correcting that, however, I noticed that users still don’t have access as expected.
From here I can see that, in the Users list, there’s a “source” dropdown which I can change to LDAP, and here I can manually edit each user’s roles. However… I don’t want to manually make changes for all of our users - I want the system to take care of that.
Can I somehow clear the LDAP users from this list? The “delete” button is unavailable, so I’m not sure when (if at all) the group-assigned roles will refresh.
PS. We run our Nexus instance in a dockerized container. Not sure if this matters, but thought I’d leave it just in case.
There is an in-memory cache which defaults to 10 minutes; I don’t know offhand whether this is 10 minutes since the first read or since last access. I’m not aware of a persistent cache of LDAP users.
The UI when looking at LDAP users is querying from the remote and should not be affected by the in-memory cache.
Essentially I can go into the Users list, select the LDAP category and then manually start changing the assigned permission levels for each user. And these settings seem to be persisted, not taken from LDAP. If what you wrote was accurate then I’d expect the permissions to reset when I go back to view a specific user after changing the permissions.
Unless the changes are only short-term?
EDIT: I think I found the cause of the issue. My roles were not being mapped from LDAP at all, which was why I was able to manually adjust them. After changing the LDAP config to use static groups (along with the nested settings from this article) the roles are now auto-applied.
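The root cause in this thread is that a plain “memberOf” lookup only sees direct group membership, so a user who belongs to a nested group never receives the role mapped to the parent group. The following added example (not code from the thread or from Sonatype Nexus) models that with a constructed directory and a hypothetical group-to-role map, contrasting direct lookup with recursive expansion of group-of-group membership; it also handles a membership cycle, which a naive recursion would loop on.

```python
from typing import Dict, List, Set

# Constructed sample directory: group DN -> member DNs (users or other groups).
# "nexus-deployers" contains the group "team-backend" rather than bob directly,
# which is the nested case a direct memberOf lookup misses.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "cn=nexus-deployers,ou=groups,dc=example,dc=com": [
        "cn=team-backend,ou=groups,dc=example,dc=com",
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=team-backend,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=team-backend-leads,ou=groups,dc=example,dc=com",
    ],
    "cn=team-backend-leads,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
        "cn=nexus-deployers,ou=groups,dc=example,dc=com",  # cycle; must terminate
    ],
}

# Hypothetical mapping of an LDAP group to a role id in the repository manager.
ROLE_MAP: Dict[str, str] = {
    "cn=nexus-deployers,ou=groups,dc=example,dc=com": "nx-deploy",
}


def direct_groups(user_dn: str) -> Set[str]:
    """Groups listing the user as a direct member (what a plain memberOf read yields)."""
    return {g for g, members in GROUP_MEMBERS.items() if user_dn in members}


def effective_groups(user_dn: str) -> Set[str]:
    """Transitive closure: walk group-of-group membership, visiting each group once."""
    result = direct_groups(user_dn)
    frontier = list(result)
    while frontier:
        group = frontier.pop()
        for parent, members in GROUP_MEMBERS.items():
            if group in members and parent not in result:  # 'not in result' breaks cycles
                result.add(parent)
                frontier.append(parent)
    return result


def roles_for(user_dn: str, nested: bool) -> Set[str]:
    """Roles granted to the user, with or without nested group resolution."""
    groups = effective_groups(user_dn) if nested else direct_groups(user_dn)
    return {ROLE_MAP[g] for g in groups if g in ROLE_MAP}
```

With nested resolution off, bob and carol get no role despite being deployers through team-backend; with it on, all three receive nx-deploy and the cycle through team-backend-leads does not hang the walk.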