This page last changed on Jul 27, 2008 by smaddox.
A Delegated Authentication directory combines the features of an internal Crowd directory with delegated LDAP authentication. This means that you can have your users authenticated via an external LDAP directory while managing the users, groups and roles in Crowd. You can use Crowd's flexible and simple group management when the LDAP groups do not suit your requirements.
For example, you can set up a simple group configuration in Crowd for use with Confluence and other Atlassian products, while authenticating your users against the corporate LDAP directory. You can also avoid the performance issues which might result from downloading large numbers of groups from LDAP.
The diagram below gives a conceptual overview of delegated LDAP authentication. This example assumes that you have:
- The Confluence application integrated with Crowd.
- A Crowd Delegated Authentication directory called 'Employees' which contains the group 'confluence-users'.
- An LDAP directory containing all your employees and their authentication details (e.g. username and password).

Summary of Configuration Steps
To configure a Delegated Authentication directory,
- Log in to the Crowd Administration Console.
- Click the 'Directories' link in the top navigation bar.
- This will display the Directory Browser. Click the 'Add Directory' link.
- This will display the 'Select Directory Type' screen. Click the 'Delegated Authentication' button.
- This will display the 'Details' tab (see Screenshot 1 below). Enter the 'Name' and 'Description' fields, then click the 'Continue' button.
- This will display the 'Connector' tab (see Screenshot 2 below). Select the relevant connector type, and fill in the basic connection information for your directory server. For details, please see:
- Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
- Click the 'Continue' button.
- This will display the 'Configuration' tab (see Screenshot 3 below). Fill in the configuration details for your users.
- Click the 'Continue' button to configure the directory's permissions.
Configuring Directory Details
Screenshot 1: Directory details

Attribute |
Description |
Name |
The name used to identify the directory within Crowd. For example: 'Chicago Employees' or 'Web Customers'. |
Description |
More information about this directory. |
Active |
Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications. |
Configuring Connector Details
Screenshot 2: Connector

Attribute |
Description |
Connector |
The directory connector to use when communicating with the directory server. |
URL |
The connection URL to use when connecting to the directory server, e.g.: ldap://localhost:389, or port 636 for SSL. |
Secure SSL |
Specifies whether the connection to the directory server is an SSL connection. |
Use Node Referrals |
Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error. |
Use Nested Groups |
Enable or disable support for nested groups on the LDAP user directory. |
Use Paged Results |
Use the LDAP control extension for simple paging of search results. Retrieves chunks of data rather than all of the search results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search. |
Paged Results Size |
Enter the desired page size i.e. the maximum number of search results to be returned per page, when paged results are enabled. Defaults to 999 results. |
Base DN |
Enter the root distinguished name to use when running queries versus the directory server, e.g.: o=acmecorp,c=com. |
User DN |
Distinguished name of the user that Crowd will use when connecting to the directory server. |
Password |
The password that Crowd will use when connecting to the directory server. |
We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:
Configuring LDAP Object and Attribute Settings
Screenshot 3: Configuration

Attribute |
Description |
User DN |
This value is used in addition to the base DN when searching and loading users. An example is ou=Users. If no value is supplied, the subtree search will start from the base DN. |
User Object Class |
This is the name of the class used for the LDAP user object. |
User Object Filter |
The filter to use when searching user objects. |
User Name Attribute |
The attribute field to use when loading the username. |
User First Name Attribute |
The attribute field to use when loading the user's first name. |
User Last Name Attribute |
The attribute field to use when loading the user's last name. |
User Email Attribute |
The attribute field to use when loading the user's email address. |
User Group Attribute |
The attribute field to use when loading the user's groups. |
User Password Attribute |
The attribute field to use when loading a user's password. |
Please refer to the notes on LDAP object structures in the page about LDAP connectors.
Next Steps
Once you have configured the directory's permissions, you have finished configuring your new directory.
Next steps will be:
- Map the directory to the appropriate applications.
- Consider how you would like to add your users to Crowd's Delegated Authentication directory. There are a few options:
- Manually add the users to the Crowd directory.
- Use Crowd's Directory importer to copy your LDAP users into your Delegated Authentication directory.
- Let Crowd do it for you, at login time. If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory. You will then need to add the user to any necessary groups, to allow them to access applications where group membership is required.
 | Things to be aware of
|
RELATED TOPICS
Crowd Documentation
|