Confluence 2.7 Temp Archive : Configuring multiple LDAP repositories
This page last changed on May 17, 2007 by ganand.
AvailabilityConfluence 2.3 and above support multiple LDAP servers configured in atlassian-user.xml. Instructions are below. Confluence releases prior to 2.3 do not support multiple LDAP repositories. PrerequisitesBefore reading this, ensure you understand the configuration details outlined in Customising atlassian-user.xml. This describes how to configure a single LDAP repository in Confluence, and is prerequisite knowledge for following the instructions below. For brevity, all examples on this page are partial examples. A complete atlassian-user.xml LDAP configuration can be found in Customising atlassian-user.xml. ConfigurationTo configure multiple LDAP repositories in Confluence, put multiple <ldap>...</ldap> entries into confluence/WEB-INF/classes/atlassian-user.xml. The order of the entries in the file will be the order that the repositories are searched for users. That is, if a user tries to log in with the username jsmith, the first repository in atlassian-user.xml will be searched for the user with the username jsmith. If no user is found in that repository, the second repository specified in atlassian-user.xml will be searched. Here is a partial configuration that connects Confluence to two different LDAP servers. They are given the identifiers ldap1 and ldap2, and connect to the servers ldap-sf.example.org and ldap-nyc.example.org respectively. <atlassian-user> <repositories> <ldap key="ldap1" name="San Francisco Example Repository" cache="true"> <host>ldap-sf.example.org</host> <port>389</port> <!-- ... remainder of server configuration ... --> </ldap> <ldap key="ldap2" name="New York City Example Repository" cache="true"> <host>ldap-nyc.example.org</host> <port>389</port> <!-- ... remainder of server configuration ... --> </ldap> <hibernate key="hibernate" name="Hibernate Repository" description="Hibernate Repository" /> </repositories> </atlassian-user> Points to note:
Side effectsThe main side effect of configuring multiple LDAP servers is degrading performance. There are many activities in Confluence where user or group information is retrieved:
Confluence tries to cache as much information as possible from the LDAP queries, but almost certainly adding multiple LDAP servers will degrade the performance of the application. This is especially true if any of the LDAP servers are geographically distant from Confluence, where any LDAP query has a significant latency (> 50 ms roundtrip). Two connections to the same serverIt also possible, but not usually recommended, for Confluence to connect twice to the same server. When connecting twice to the same server, you must not have overlapping group or user namespaces in the LDAP tree. Here is an partial configuration, retrieving two separate LDAP user branches, but only one LDAP group branch. To configure only a single group branch, the group filter in the second LDAP repository searches for a non-existent value so it will not return any results. (This is generally fast as long as your LDAP server has an index on objectClass for the given tree section.) <atlassian-user> <repositories> <ldap key="ldap1" name="Example Repository, SF user tree" cache="true"> <host>ldap.example.org</host> <port>389</port> <!-- ... remainder of connection configuration ... --> <!-- user search filter --> <baseUserNamespace>cn=San Francisco,dc=ldap,dc=example,dc=org</baseUserNamespace> <userSearchFilter>(objectClass=user)</userSearchFilter> <!-- ... remainder of user configuration ... --> <!-- group search filter --> <baseGroupNamespace>cn=Groups,dc=ldap,dc=example,dc=org</baseGroupNamespace> <groupSearchFilter>(objectClass=group)</groupSearchFilter> <!-- ... remainder of server configuration ... --> </ldap> <ldap key="ldap2" name="Example Repository, NYC user tree" cache="true"> <host>ldap.example.org</host> <port>389</port> <!-- ... remainder of connection configuration ... --> <!-- user search filter --> <baseUserNamespace>cn=New York City,dc=ldap,dc=example,dc=org</baseUserNamespace> <userSearchFilter>(objectClass=user)</userSearchFilter> <!-- ... remainder of user configuration ... --> <!-- group search filter --> <baseGroupNamespace>cn=Groups,dc=ldap,dc=example,dc=org</baseGroupNamespace> <groupSearchFilter>(objectClass=nothing)</groupSearchFilter> <!-- ... remainder of server configuration ... --> </ldap> <hibernate key="hibernate" name="Hibernate Repository" description="Hibernate Repository" /> </repositories> </atlassian-user> Points to note:
Related pages |
![]() |
Document generated by Confluence on Dec 20, 2007 18:52 |