This page last changed on Jun 18, 2007 by rosie@atlassian.com.
Crowd provides built-in connectors for the most popular LDAP directory servers (Microsoft Active Directory, SunONE, OpenLDAP, Apache Directory). These LDAP connectors enable you to quickly integrate existing desktop logins with web-applications.
To configure an LDAP Directory Connector,
- Login to the Crowd Administration Console.
- Click the 'Directories' link in the top navigation bar.
- This will display the Directory Browser. Click the 'Add Directory' link.
- This will display the 'Select Directory Type' screen. Click the 'Connector' button.
- This will display the 'Details' tab (see Screenshot 1 below). Enter the 'Name' and 'Description' fields (see table below), then click the 'Continue' button.
- This will display the 'Connector' tab (see Screenshot 2 below). Select the relevant connector type, and fill in the basic connection information for your directory server. For details, please see:
- Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
- Click the 'Continue' button.
- This will display the 'Configuration' tab (see Screenshot 3 below). Fill in the configuration details for your groups, roles and principals (users), as described in the tables below Screenshot 3. Also please see LDAP Object Structures (below).
- Click the 'Test Search' button to verify that Crowd can successfully locate groups/roles/principals within the directory.
- Click the 'Continue' button to configure the directory's permissions.
Once you have configured the directory's permissions, you will have finished configuring your new directory. You can then map the directory to appropriate applications.
Screenshot 1: 'Details'

Attribute |
Description |
Name |
The name used to identify the directory within Crowd. This is useful when there are multiple directories configured, e.g. 'Chicago Employees' or 'Web Customers'. |
Description |
Details about this specific directory. |
Active |
Only deselect this if you wish to prevent all users ('principals') within the directory from accessing all mapped applications. |
Screenshot 2: 'Connector' 
Attribute |
Description |
Connector |
The directory connector to use when communicating with the directory server. |
URL |
The connection URL to use when connecting to the directory server, e.g.: ldap://localhost:389, or port 639 for SSL. |
Secure SSL |
Specifies if the connection to the directory server is a SSL connection. |
Use Node Referrals |
Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error. |
Use Paged Results |
Use the LDAP control extension for simple paged results option. Retrieves chunks of data rather than all of the results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search. |
Base DN |
Enter the root distinguished name to use when running queries versus the directory server, e.g.: o=acmecorp,c=com. |
User DN |
The username that Crowd will use when connecting to the directory server. |
Password |
The password that Crowd will use when connecting to the directory server. |
For details about the settings for your specific directory server, please see:
 | To help you identify your LDAP structure, JXplorer is a free tool that allows you to browse your LDAP tree. |
Screenshot 3: 'Configuration'

Once you have selected a Connector, various LDAP object and attribute settings of the specific LDAP server may be modified. Generic default settings have been provided based on the Connector selected.
When configuring your LDAP connector, if you are using non-standard object types, you will need to adjust the default filter and object type configurations. Default values are configured for the predefined LDAP servers. If your connector is added successfully, but you are unable to see any data when browsing your LDAP directory, it is likely that your object and filters are configured incorrectly.
Group Configuration
Attribute |
Description |
Group DN |
This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN. |
Group Object Class |
This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search. |
Group Object Filter |
The filter to use when searching group objects. |
Group Name Attribute |
The attribute field to use when loading the group's name. |
Group Desciption Attribute |
The attribute field to use when loading the group's description. |
Group Members Attribute |
The attribute field to use when loading the group's members. |
Role Configuration
Attribute |
Description |
Role DN |
This value is used in addition to the base DN when searching and loading roles, an example is ou=Roles. If no value is supplied, the subtree search will start from the base DN. |
Role Object Class |
This value is used in addition to the base DN when searching and loading roles, an example is ou=Roles. If no value is supplied, the subtree search. |
Role Object Filter |
The filter to use when searching role objects. |
Role Name Attribute |
The attribute field to use when loading the role's name. |
Role Desciption Attribute |
The attribute field to use when loading the role's description. |
Role Members Attribute |
The attribute field to use when loading the role's members. |
Principal Configuration
(In Crowd, users are known as principals.)
Attribute |
Description |
User DN |
This value is used in addition to the base DN when searching and loading users, an example is ou=Users. If no value is supplied, the subtree search will start from the base DN. |
User Object Class |
The LDAP user object class type to use when loading principals. |
User Object Filter |
The filter to use when searching user objects. |
User Name |
The attribute field to use when loading the principal's username. |
User First Name |
The attribute field to use when loading the principal's first name. |
User Last Name |
The attribute field to use when loading the principal's last name. |
User Email |
The attribute field to use when loading the principal's email. |
User Group |
The attribute field to use when loading the principal's groups. |
User Password |
The attribute field to use when manipulating a principal's password. |
 | Only the User First Name, User Last Name and User Email attributes can be updated via the Crowd LDAP connectors. With a license purchase, full source is available and the LDAP connectors can be modified to support any number of attributes. |
LDAP Object Structures
The Crowd LDAP connectors assume that all container objects (groups and roles) have the full DN to the associated member. Currently, the membership attributes on a Principal object are not used by Crowd; however, in the future these associations may be used to assist with performance when looking up memberships.
Supported Object Types:
- groupOfUniqueNames
- inetorgperson
Non-supported Object types:
The following object types are not supported because of the required guiNumber attribute.
- posixGroup
- posixUser
 | Zimbra Mail Server Principal objects have been tested and are known to work with the zimbraAccount LDAP object types. |
 | Microsoft Active Directory: The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the User and Group objects will require a custom connector to be coded. |
Next Step:
See 2.3 Specifying Directory Permissions
Related Topics
Crowd Documentation
|