Confluence Docs 2.10 : Adding LDAP Integration To Confluence 2.0.x
This page last changed on May 09, 2006 by david.soul@atlassian.com.
Introduction

Many organizations have an LDAP directory acting as a centralized database of system users. Confluence is able to authenticate users against their LDAP password. This kind of LDAP integration is limited to checking passwords against the LDAP repository. For advanced LDAP group management, use the new LDAP integration in Confluence 2.1 and later.
If you're starting with a brand new Confluence installation, a summary of the process looks like this:

If you already have users and groups in Confluence, all you need to do is edit the OSUser configuration file and restart Confluence.

Instructions

In Confluence, user management is handled by OSUser, a pluggable user management framework. OSUser is configured through the WEB-INF/classes/osuser.xml file.

Default osuser.xml providers

    <provider class="bucket.user.providers.CachingCredentialsProvider">
        <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
        <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
    </provider>
    <provider class="bucket.user.providers.CachingAccessProvider">
        <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
        <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
    </provider>
    <provider class="bucket.user.providers.CachingProfileProvider">
        <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
        <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
    </provider>

CredentialsProviders are responsible for checking usernames and passwords, which is what we are interested in here. The default CachingCredentialsProvider looks in the Confluence database.
We are going to add a ConfluenceLDAPCredentialsProvider, so that LDAP users can also be authenticated:

With LDAP authentication added

    <provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
        <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
        <property name="java.naming.provider.url">ldap://localhost:389</property>
        <property name="searchBase">dc=atlassian,dc=com</property>
        <property name="uidSearchName">cn</property>
        <!--
        <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
        <property name="java.naming.security.credentials">secret</property>
        <property name="exclusive-access">true</property>
        -->
    </provider>
    <provider class="bucket.user.providers.CachingCredentialsProvider">
        <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
        <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
    </provider>
    <provider class="bucket.user.providers.CachingAccessProvider">
        <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
        <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
    </provider>
    <provider class="bucket.user.providers.CachingProfileProvider">
        <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
        <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
    </provider>

You will need to update the following properties to suit your LDAP server:
If your LDAP server is not configured to allow anonymous lookups, you need to:
How it works

It is useful to have a general idea of how this setup works. This section outlines some consequences of the current implementation, and provides some help for people experiencing LDAP connection problems.

Only password-checking for LDAP users is done in Confluence

The main point to realise is that user profiles are still managed in Confluence (the CachingProfileProvider in osuser.xml). Only the password lookup is done against LDAP, and only if the Confluence username coincides with an LDAP username. Technically, this behaviour is due to credentials (password) checking being a separate operation from user-profile lookups. The profile can be loaded from the Confluence database, but the password looked up from LDAP. Furthermore, multiple credentials providers can be specified (here, LDAP and OSUser), and if one fails, the other will be used. This allows non-LDAP users to log in with their Confluence password.

Not all LDAP users have Confluence access

Another effect of this implementation is that LDAP users do not automatically have access to Confluence. A Confluence account must be created for each user wishing to use Confluence. This is because each Confluence user has a set of groups (for example, 'confluence-users') stored in their profile. Without an associated group, that user can do nothing; not even browse Confluence (they lack the 'use' permission). Thus, for an LDAP user to be able to use Confluence, a Confluence admin must create an account for them, and assign them to a group (typically 'confluence-users'). The password in this Confluence account will be ignored, as the LDAP password will override it.
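The following is an added example, not code from Confluence or OSUser, that models the provider chain described in the Instructions and How it works sections above: it parses a constructed osuser.xml fragment built from the page's provider list (assumed to be wrapped in a <providers> root element, which the page does not show), reports whether the LDAP provider uses anonymous lookups or a manager bind, and then walks the credentials providers in file order, falling through to the next one when a check fails. The LDAP directory and the Confluence database are stand-in dictionaries with constructed users, and the group check follows the page's rule that a user without a group lacks the 'use' permission.

```python
"""Offline model of the OSUser credentials-provider chain from osuser.xml.

Added example; the LDAP server and Confluence database are in-memory stand-ins.
"""
import xml.etree.ElementTree as ET

# Constructed osuser.xml fragment: the page's providers wrapped in an assumed
# <providers> root element.
OSUSER_XML = """<providers>
  <provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
    <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.provider.url">ldap://localhost:389</property>
    <property name="searchBase">dc=atlassian,dc=com</property>
    <property name="uidSearchName">cn</property>
  </provider>
  <provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
  </provider>
  <provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
  </provider>
</providers>"""

# Stand-in for the LDAP directory (constructed): cn -> password.
LDAP_DIRECTORY = {"alice": "ldap-pw-alice", "bob": "ldap-pw-bob", "dave": "ldap-pw-dave"}

# Stand-in for the Confluence database (constructed): username -> (password, groups).
CONFLUENCE_DB = {
    "alice": ("stale-confluence-pw", ["confluence-users"]),  # also an LDAP user
    "bob": ("unused", []),                                    # account but no group
    "carol": ("local-pw-carol", ["confluence-users"]),        # not in LDAP
}


def parse_providers(xml_text):
    """Return [(provider class, {property name: value})] in file order."""
    root = ET.fromstring(xml_text)
    providers = []
    for p in root.findall("provider"):
        props = {prop.get("name"): (prop.text or "").strip() for prop in p.findall("property")}
        providers.append((p.get("class"), props))
    return providers


def bind_mode(props):
    """Say how the LDAP provider connects. A manager bind means the bind password
    also lives in osuser.xml, so that file needs the same protection as a secret."""
    if "java.naming.security.principal" in props:
        return "manager bind as " + props["java.naming.security.principal"]
    return "anonymous lookup"


def ldap_check(props, username, password):
    # The real provider searches searchBase for <uidSearchName>=username and binds
    # with the supplied password; here the cn is looked up in the stand-in dict.
    if props.get("uidSearchName", "cn") != "cn":
        return False
    return LDAP_DIRECTORY.get(username) == password


def db_check(props, username, password):
    entry = CONFLUENCE_DB.get(username)
    return entry is not None and entry[0] == password


# Only credentials providers check passwords; profile/access providers are skipped.
CHECKERS = {
    "com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider": ldap_check,
    "bucket.user.providers.CachingCredentialsProvider": db_check,
}


def authenticate(providers, username, password):
    """Walk the chain in file order; the first provider that accepts wins.
    Returns the short class name of the accepting provider, or None."""
    for cls, props in providers:
        checker = CHECKERS.get(cls)
        if checker and checker(props, username, password):
            return cls.rsplit(".", 1)[-1]
    return None


def can_use_confluence(providers, username, password):
    """Credentials must pass AND the Confluence profile must carry a group."""
    accepted_by = authenticate(providers, username, password)
    if accepted_by is None:
        return (False, "bad credentials")
    entry = CONFLUENCE_DB.get(username)
    if entry is None:
        return (False, "no Confluence account")
    if not entry[1]:
        return (False, "no group, lacks 'use' permission")
    return (True, accepted_by)


if __name__ == "__main__":
    chain = parse_providers(OSUSER_XML)
    print("LDAP provider connects via:", bind_mode(chain[0][1]))
    for user, pw in [("alice", "ldap-pw-alice"), ("alice", "stale-confluence-pw"),
                     ("bob", "ldap-pw-bob"), ("carol", "local-pw-carol"), ("dave", "ldap-pw-dave")]:
        print(user, "->", can_use_confluence(chain, user, pw))
```

The model follows the page's description of the chain literally: when the LDAP check fails, the CachingCredentialsProvider is consulted next, so in this model alice's stored Confluence password is still accepted by the database provider. That fall-through is what lets non-LDAP users such as carol log in, and it is worth confirming on a real installation how the stored password of an LDAP-backed account behaves.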
Document generated by Confluence on Dec 03, 2008 15:18