Groovy script to set LDAP group type to 'dynamic'

fraser · October 5, 2018, 2:30pm

I’ve inherited a script that sets up LDAP login for Nexus Repository Manager 3. I’m attempting to modify the script to setup Active Directory integration (as opposed to another LDAP service) and that requires that the ‘Group type’ be changed from the default ‘Static groups’ to ‘Dynamic groups’, and that ‘Group member of attrtibute’ be set. I’m trying to find documentation on how to do that, but no luck so far.

The Groovy script does things like:

import org.sonatype.nexus.ldap.persist.LdapConfigurationManager
import org.sonatype.nexus.ldap.persist.entity.LdapConfiguration
import org.sonatype.nexus.ldap.persist.entity.Connection
import org.sonatype.nexus.ldap.persist.entity.Mapping
import groovy.json.JsonSlurper
[...]
mapping = new Mapping()
mapping.setUserIdAttribute(parsed_args.user_id_attribute)
mapping.setUserRealNameAttribute(parsed_args.user_real_name_attribute)
mapping.setEmailAddressAttribute(parsed_args.user_email_attribute)
mapping.setLdapGroupsAsRoles(true)
[...]

…and so I’ve tried some obvious attempts, like:

mapping.setGroupType('dynamic')
mapping.setGroupMemberOfAttribute('memberOf')

…but that doesn’t work. It doesn’t error, it just doesn’t do anything. Anyone point me in the direction of some documentation on using these libraries in Groovy?

rseddon · October 5, 2018, 2:47pm

Yeah, this one is a bit hard to figure out…

The groupType is set with the following Groovy truthy logic:

groupType: userAndGroupConfig.ldapGroupsAsRoles ? (userAndGroupConfig.userMemberOfAttribute ? 'dynamic' : 'static') : null,

So there are actually two conditions that are required to set the group type to Dynamic - the pseudo logic is this:

dynamic = ldapGroupsAsRoles is groovy true && userMemberOfAttribute == null
static = ldapGroupsAsRoles is groovy true && userMemberOfAttribute != null
not set =  ldapGroupsAsRoles is groovy false

Or to put it another way…

If ldapGroupsAsRoles == true, then you can set either a dynamic or static group mapping.

If userMemberOfAttribute is null or empty value, then a static mapping group type is assumed.
If userMemberOfAttribute has a value, then dynamic mapping is assumed.

fraser · October 8, 2018, 8:59am

Thanks for replying to quickly! Okay, that makes sense.

The pseudo logic you gave, is that definitely right? Maybe I’m reading it wrong, but it’s the other way round I think from the way I’ve understood everything else you wrote?

Can you confirm I should be doing mapping.setUserMemberOfAttribute('memberOf')? Doesn’t seem to be setting the value when I check the UI, and the group type is still static.

fraser · October 8, 2018, 9:29am

Ignore me, all working mapping.setUserMemberOfAttribute(parsed_args.user_member_of_attribute) worked nicely.

Thanks for your help!

anudub · October 12, 2018, 4:23pm

could you please share your script (with how to… ) I am new to groovy and nexus3… and I need to automate this LDAP setup ( active directory )