This page last changed on Jul 30, 2009 by smaddox.
Crowd provides built-in connectors for the most popular LDAP directory servers, including Microsoft Active Directory, Sun DSEE, OpenLDAP, Apache DS, and others. The full list is below.
On this page:
Summary of Configuration Steps
To configure an LDAP directory connector,
- Log in to the Crowd Administration Console.
- Click the 'Directories' link in the top navigation bar.
- The Directory Browser will appear. Click the 'Add Directory' link.
- The 'Select Directory Type' screen will appear. Click the 'Connector' button.
- The 'Details' tab will appear. See screenshot 1 below. Enter the 'Name' and 'Description' (see table of fields below), then click the 'Continue' button.
- The 'Connector' tab will appear. See screenshot 2 below. Select the relevant connector type and fill in the basic connection information for your directory server. For details, please see:
- Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
- Click the 'Continue' button.
- The 'Configuration' tab will appear. See the configuration screenshots below. Fill in the configuration details for your groups, roles and users, as described in the tables below the configuration screenshots. Also please see LDAP Object Structures (below).
- Click the 'Test Search' button to verify that Crowd can successfully locate groups/roles/users within the directory.
- Click the 'Continue' button to configure the directory's permissions.
Configuring Directory Details
Screenshot 1: Directory details

Attribute |
Description |
Name |
The name used to identify the directory within Crowd. This is useful when there are multiple directories configured, e.g. 'Chicago Employees' or 'Web Customers'. |
Description |
Details about this specific directory. |
Active |
Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications. |
Configuring Connector Details
Screenshot 2: Connector details
Attribute |
Description |
Connector |
The directory connector to use when communicating with the directory server. |
URL |
The connection URL to use when connecting to the directory server, e.g.: ldap://localhost:389, or port 636 for SSL. |
Secure SSL |
Specifies whether the connection to the directory server is an SSL connection. |
Use Node Referrals |
Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error. |
Use Nested Groups |
Enable or disable support for nested groups on the LDAP user directory. |
Use the User Membership Attribute |
Put a tick in the checkbox if your Active Directory supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.)
- If this checkbox is ticked, Crowd will use the group membership attribute on the user when retrieving the members of a given group. This will result in a more efficient retrieval.
- If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.
- If the 'Use Nested Groups' checkbox is ticked, Crowd will ignore the 'Use the User Membership Attribute' option and will use the members attribute on the group for the search.
|
Use 'memberOf' for Group Membership |
Put a tick in the checkbox if your Active Directory supports the 'memberOf' attribute on the user.
- If this checkbox is ticked, Crowd will use the 'memberOf' attribute when retrieving the list of groups to which a given user belongs. This will result in a more efficient search.
- If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.
|
Use Paged Results |
Use the LDAP control extension for simple paging of search results. Retrieves chunks of data rather than all of the search results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search. |
Paged Results Size |
Enter the desired page size i.e. the maximum number of search results to be returned per page, when paged results are enabled. Defaults to 999 results. |
Use Relaxed DN Standardisation |
This setting determines how Crowd will compare DNs to determine if they are equal. See Configuring Relaxed DN Standardisation.
- If this checkbox is ticked, Crowd will do a direct, case-insensitive, string comparison. This is the default and recommended setting for Active Directory, because Active Directory guarantees the format of DNs. Using relaxed DN standardisation will result in a significant performance improvement.
- If this checkbox is not ticked, Crowd will parse the DN and then check the parsed version.
|
Enable Caching |
Put a tick in the checkbox to enable directory caching. Directory caching can provide fast recurrent access to user, group and role data for a particular directory. This can provide significant performance improvements for applications such as JIRA, which require large amounts of user information. Please read the full instructions: Configuring Caching for an LDAP Directory. |
Max Cache Elements in Memory |
This checkbox appears if 'Enable Caching' is ticked. Specify the maximum number of cache elements to be held in memory before overflowing to disk. Please read the full instructions: Configuring Caching for an LDAP Directory. |
Polling Interval |
This checkbox appears if 'Enable Caching' is ticked. Crowd will send a request to Active Directory every x seconds, where 'x' is the number specified here. Please read the full instructions: Configuring Caching for an LDAP Directory. |
Base DN |
Enter the root distinguished name to use when running queries versus the directory server, e.g.: o=acmecorp,c=com. |
User DN |
Distinguished name of the user that Crowd will use when connecting to the directory server. |
Password |
The password that Crowd will use when connecting to the directory server. |
We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:
Configuring LDAP Object and Attribute Settings
Once you have selected a connector you can modify various LDAP object and attribute settings of the specific LDAP server for users, groups and roles as shown on the screenshots below. On first setup, Crowd will provide generic default settings based on the connector selected.
When configuring your LDAP connector, if you are using non-standard object types, you will need to adjust the default filter and object type configurations. If your connector is added successfully, but you are unable to see any data when browsing your LDAP directory, it is likely that your object and filters are configured incorrectly.
User Configuration
Screenshot 3: User configuration
Attribute |
Description |
User DN |
This value is used in addition to the base DN (distinguished name) when searching and loading users. An example is ou=Users. If no value is supplied, the subtree search will start from the base DN. |
User Object Class |
This is the name of the class used for the LDAP user object. An example is user. |
User Object Filter |
The filter to use when searching user objects. |
User Name Attribute |
The attribute field to use when loading the username. Examples are cn and sAMAccountName. |
User Name RDN Attribute |
The RDN (relative distinguished name) to use when loading the username. An example is cn. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure. |
User First Name Attribute |
The attribute field to use when loading the user's first name. An example is givenName. |
User Last Name Attribute |
The attribute field to use when loading the user's last name. An example is sn. |
User Display Name Attribute |
The attribute field to use when loading the user's full name. An example is displayName. |
User Email Attribute |
The attribute field to use when loading the user's email address. An example is mail. |
User Group Attribute |
The attribute field to use when loading the user's groups. An example is memberOf. Please refer to the specific settings for group membership searches on the 'Connector' tab, as described above. |
User Password Attribute |
The attribute field to use when loading a user's password. An example is unicodePwd. |
Group Configuration
Screenshot 4: Group configuration
Attribute |
Description |
Group DN |
This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN. |
Group Object Class |
This is the name of the class used for the LDAP group object. Examples are groupOfUniqueNames and group. |
Group Object Filter |
The filter to use when searching group objects. An example is (objectCategory=Group). |
Group Name Attribute |
The attribute field to use when loading the group's name. An example is cn. |
Group Description Attribute |
The attribute field to use when loading the group's description. An example is description. |
Group Members Attribute |
The attribute field to use when loading the group's members. An example is member. Please refer to the specific settings for group membership searches on the 'Connector' tab, as described above. |
Role Configuration
Screenshot 5: Role configuration
Attribute |
Description |
Disable Roles |
When you create an LDAP directory connector, roles in Crowd will be disabled by default. To enable roles, remove the tick from the checkbox. You may need to click out of the checkbox (e.g. click the 'Update' button) to see the role configuration fields. Then click the 'Update' button again to apply the change.
Note: If you have enabled caching for the directory, then you cannot enable roles for that directory. Caching does not work with roles in Crowd.
 | Crowd's role-based access control could be enhanced At present, the implementation of roles in Crowd is identical to the implementation of groups. Additional development work would be needed to differentiate the functionality of roles from groups. If you would like to help us to design better role-based access control, please add a comment to the improvement request CWD-931, letting us know how you would like to see it work. |
|
Role DN |
This value is used in addition to the base DN when searching and loading roles. An example is ou=Roles. If no value is supplied, the subtree search will start from the base DN. |
Role Object Class |
This is the name of the class used for the LDAP role object. An example is group. |
Role Object Filter |
The filter to use when searching role objects. An example is (objectclass=group). |
Role Name Attribute |
The attribute field to use when loading the role's name. An example is cn. |
Role Description Attribute |
The attribute field to use when loading the role's description. An example is description. |
Role Members Attribute |
The attribute field to use when loading the role's members. An example is member. |
LDAP Object Structures
The Crowd LDAP connectors assume that all container objects (groups and roles) have the full DN to the associated member. Currently, the membership attributes on a User object are not used by Crowd; however, in the future these associations may be used to assist with performance when looking up memberships.
Supported Object Types
- groupOfUniqueNames
- inetorgperson
- posixGroup
- posixUser
 | Zimbra Mail Server User objects have been tested and are known to work with the zimbraAccount LDAP object types. |
 | Microsoft Active Directory The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the User and Group objects will require a custom connector to be coded. |
Supported Attributes
Crowd's LDAP connectors support the adding and updating of the following user attributes when integrating with an LDAP server via an LDAP directory connector:
- surname
- given name
- email
- password
If you need support for additional LDAP attributes, the Crowd LDAP connector can be extended. With a license purchase, full source is available and the LDAP connectors can be modified to support any number of attributes.
Hint: An LDAP Browser
To help you identify your LDAP structure, you may find an LDAP browser useful. Take a look at our guide on using Apache Directory Studio.
Next Step
Specify the directory permissions, which allow you to restrict the way in which applications can use the directories. See Specifying Directory Permissions.
Once you have configured the directory's permissions, you have finished configuring your new directory. You can then map the directory to appropriate applications.
RELATED TOPICS
Using Apache Directory Studio for Crowd LDAP Configuration
Crowd Documentation
|