This page last changed on May 08, 2008 by smaddox.

Crowd provides built-in connectors for the most popular LDAP directory servers (Microsoft Active Directory, SunONE/DSEE, OpenLDAP, Apache Directory). These LDAP connectors enable you to quickly integrate existing desktop logins with web applications.

Summary of Configuration Steps

To configure an LDAP directory connector,

  1. Log in to the Crowd Administration Console.
  2. Click the 'Directories' link in the top navigation bar.
  3. This will display the Directory Browser. Click the 'Add Directory' link.
  4. This will display the 'Select Directory Type' screen. Click the 'Connector' button.
  5. This will display the 'Details' tab (see Screenshot 1 below). Enter the 'Name' and 'Description' fields (see table below), then click the 'Continue' button.
  6. This will display the 'Connector' tab (see Screenshot 2 below). Select the relevant connector type, and fill in the basic connection information for your directory server. For details, please see:
  7. Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
  8. Click the 'Continue' button.
  9. This will display the 'Configuration' tab (see Screenshot 3 below). Fill in the configuration details for your groups, roles and users, as described in the tables below Screenshot 3. Also please see LDAP Object Structures (below).
  10. Click the 'Test Search' button to verify that Crowd can successfully locate groups/roles/users within the directory.
  11. Click the 'Continue' button to configure the directory's permissions.

Configuring Directory Details

Screenshot 1: Directory details

Attribute Description
Name The name used to identify the directory within Crowd. This is useful when there are multiple directories configured, e.g. 'Chicago Employees' or 'Web Customers'.
Description Details about this specific directory.
Active Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications.

Configuring Connector Details

Screenshot 2: Connector



Attribute Description
Connector The directory connector to use when communicating with the directory server.
URL The connection URL to use when connecting to the directory server, e.g.: ldap://localhost:389, or port 636 for SSL.
Secure SSL Specifies whether the connection to the directory server is an SSL connection.
Use Node Referrals Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error.
Use Paged Results Use the LDAP control extension for simple paging of search results. Retrieves chunks of data rather than all of the search results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search.
Paged Results Size Enter the desired page size i.e. the maximum number of search results to be returned per page, when paged results are enabled. Defaults to 999 results. This option is available from Crowd 1.1.1.
Base DN Enter the root distinguished name to use when running queries versus the directory server, e.g.: o=acmecorp,c=com.
User DN Distinguished name of the user that Crowd will use when connecting to the directory server.
Password The password that Crowd will use when connecting to the directory server.


We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:

Configuring LDAP Object and Attribute Settings

Screenshot 3: Configuration


Once you have selected a connector you can modify various LDAP object and attribute settings of the specific LDAP server, as shown on the screenshot above. On first setup, Crowd will provide generic default settings, based on the connector selected.

When configuring your LDAP connector, if you are using non-standard object types, you will need to adjust the default filter and object type configurations. Default values are configured for the predefined LDAP servers. If your connector is added successfully, but you are unable to see any data when browsing your LDAP directory, it is likely that your object and filters are configured incorrectly.

Group Configuration

Attribute Description
Group DN This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN.
Group Object Class This is the name of the class used for the LDAP group object. For example, groupOfUniqueNames.
Group Object Filter The filter to use when searching group objects.
Group Name Attribute The attribute field to use when loading the group's name.
Group Description Attribute The attribute field to use when loading the group's description.
Group Members Attribute The attribute field to use when loading the group's members.

Role Configuration

Attribute Description
Role DN This value is used in addition to the base DN when searching and loading roles, an example is ou=Roles. If no value is supplied, the subtree search will start from the base DN.
Role Object Class This is the name of the class used for the LDAP role object.
Role Object Filter The filter to use when searching role objects.
Role Name Attribute The attribute field to use when loading the role's name.
Role Description Attribute The attribute field to use when loading the role's description.
Role Members Attribute The attribute field to use when loading the role's members.

User Configuration

Attribute Description
User DN This value is used in addition to the base DN when searching and loading users, an example is ou=Users. If no value is supplied, the subtree search will start from the base DN.
User Object Class The LDAP user object class type to use when loading users.
User Object Filter The filter to use when searching user objects.
User Name The attribute field to use when loading the username.
User First Name
The attribute field to use when loading the user's first name.
User Last Name
The attribute field to use when loading the user's last name.
User Email
The attribute field to use when loading the user's email.
User Group
The attribute field to use when loading the user's groups.
User Password
The attribute field to use when manipulating a user's password.

LDAP Object Structures

The Crowd LDAP connectors assume that all container objects (groups and roles) have the full DN to the associated member. Currently, the membership attributes on a User object are not used by Crowd; however, in the future these associations may be used to assist with performance when looking up memberships.

To help you identify your LDAP structure, JXplorer is a free tool that allows you to browse your LDAP tree.
Supported Object Types
  • groupOfUniqueNames
  • inetorgperson
  • posixGroup
  • posixUser

Zimbra Mail Server
User objects have been tested and are known to work with the zimbraAccount LDAP object types.

Microsoft Active Directory
The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the User and Group objects will require a custom connector to be coded.
Supported Attributes

Crowd's LDAP connectors support the adding and updating of the following user attributes when integrating with an LDAP server via an LDAP directory connector:

  • surname
  • given name
  • email
  • password

If you need support for additional LDAP attributes, the Crowd LDAP connector can be extended. With a license purchase, full source is available and the LDAP connectors can be modified to support any number of attributes.

Next Step

Specify the directory permissions, which allow you to restrict the way in which applications can use the directories. See Specifying Directory Permissions.

Once you have configured the directory's permissions, you have finished configuring your new directory. You can then map the directory to appropriate applications.

RELATED TOPICS

Crowd Documentation


Document generated by Confluence on May 08, 2008 19:36