This page last changed on Nov 30, 2010 by smaddox.

Crowd provides built-in connectors for the most popular LDAP directory servers, including Microsoft Active Directory, Sun DSEE, OpenLDAP, Apache DS, and others.

On this page:

Summary of Configuration Steps

To configure an LDAP directory connector,

  1. Log in to the Crowd Administration Console.
  2. Click the 'Directories' link in the top navigation bar.
  3. The Directory Browser will appear. Click the 'Add Directory' link.
  4. The 'Select Directory Type' screen will appear. Click the 'Connector' button.
  5. The 'Details' tab will appear. See screenshot 1 below. Enter the 'Name' and 'Description' (see table of fields below).
  6. We recommend that you leave 'Cache Enabled' at its default setting (enabled). For more information, see Configuring Caching for an LDAP Directory.
  7. Click the 'Connector' tab. See screenshot 2 below.
  8. Select the relevant connector type and fill in the basic connection information for your directory server. For details, see:
  9. Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
  10. Click the 'Configuration' tab. See the configuration screenshots below.
  11. Fill in the configuration details for your groups and users, as described in the tables below the configuration screenshots. Also please see LDAP Object Structures below.
  12. Click the 'Test Search' button to verify that Crowd can successfully locate groups and users within the directory.
  13. Click the 'Permissions' tab to configure the directory's permissions.

Configuring Directory Details

Screenshot 1: Directory details

Attribute Description
Name The name used to identify the directory within Crowd. This is useful when there are multiple directories configured, e.g. 'Chicago Employees' or 'Web Customers'.
Description Details about this specific directory.
Cache Enabled We recommend that you turn on LDAP caching. For more information, see Configuring Caching for an LDAP Directory.
Active Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications. If a directory is not marked as 'Active', it is inactive. Inactive directories:
  • are not included when searching for users, groups or memberships.
  • are still displayed in the Crowd Administration Console screens.

Configuring Connector Details

Screenshot 2: Connector details



Attribute Description
Connector The directory connector to use when communicating with the directory server.
URL The connection URL to use when connecting to the directory server. The URL for Microsoft Active Directory should be in the following format: ldap://domainname:port. Examples:
Plain connection: ldap://localhost:389
SSL connection: ldaps://localhost:636
Secure SSL Specifies whether the connection to the directory server is an SSL connection. Please ensure that you have followed the instructions to configure an SSL Certificate before enabling this setting.
Use Node Referrals Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error.
Use Nested Groups Enable or disable support for nested groups on the LDAP user directory.
Use the User Membership Attribute Put a tick in the checkbox if your Active Directory supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.)
  • If this checkbox is ticked, Crowd will use the group membership attribute on the user when retrieving the members of a given group. This will result in a more efficient retrieval.
  • If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.
  • If the 'Use Nested Groups' checkbox is ticked, Crowd will ignore the 'Use the User Membership Attribute' option and will use the members attribute on the group for the search.
Use 'memberOf' for Group Membership Put a tick in the checkbox if your Active Directory supports the 'memberOf' attribute on the user.
  • If this checkbox is ticked, Crowd will use the 'memberOf' attribute when retrieving the list of groups to which a given user belongs. This will result in a more efficient search.
  • If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.
Use Paged Results Use the LDAP control extension for simple paging of search results. Retrieves chunks of data rather than all of the search results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search.
Paged Results Size Enter the desired page size i.e. the maximum number of search results to be returned per page, when paged results are enabled. Defaults to 999 results.
Use Naive DN Matching This setting determines how Crowd will compare DNs to determine if they are equal. See Using Naive DN Matching.
  • If this checkbox is ticked, Crowd will do a direct, case-insensitive, string comparison. This is the default and recommended setting for Active Directory, because Active Directory guarantees the format of DNs. Using relaxed DN standardisation will result in a significant performance improvement.
  • If this checkbox is not ticked, Crowd will parse the DN and then check the parsed version.
Polling Interval Crowd will send a request to Active Directory every x minutes, where 'x' is the number specified here. Please read the full instructions: Configuring Caching for an LDAP Directory.
Read Timeout The time, in seconds, to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. A value of 0 (zero) means there is no limit.
Search Timeout The time, in seconds, to wait for a response from a search operation. A value of 0 (zero) means there is no limit.
Connection Timeout The time, in seconds, to wait when opening new server connections. If not specified, the TCP network timeout will be used, which may be several minutes.
Base DN Enter the root distinguished name to use when running queries versus the directory server. Examples:
o=acmecorp,c=com
cn=users,dc=ad,dc=acmecorp,dc=com
For Microsoft Active Directory, specify the Base DN in the following format: dc=domain1,dc=local. You will need to replace the domain1 and local for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the the LDAP structure of your server.
User DN Distinguished name of the user that Crowd will use when connecting to the directory server. For example: cn=administrator,cn=users,dc=ad,dc=acmecorp,dc=com
Password The password of the user specified above.

Note: You can also configure site-wide LDAP connection pool settings. See Configuring the LDAP Connection Pool.


We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:

Configuring LDAP Object and Attribute Settings

Once you have selected a connector you can modify various LDAP object and attribute settings of the specific LDAP server for users and groups as shown on the screenshots below. On first setup, Crowd will provide generic default settings based on the connector selected.

When configuring your LDAP connector, if you are using non-standard object types, you will need to adjust the default filter and object type configurations. If your connector is added successfully, but you are unable to see any data when browsing your LDAP directory, it is likely that your object and filters are configured incorrectly.

User Configuration

Screenshot 3: User configuration


Attribute Description
User DN This value is used in addition to the base DN (distinguished name) when searching and loading users. An example is ou=Users. If no value is supplied, the subtree search will start from the base DN.
User Object Class This is the name of the class used for the LDAP user object. An example is user.
User Object Filter The filter to use when searching user objects.
User Name Attribute The attribute field to use when loading the username. Examples are cn and sAMAccountName.
User Name RDN Attribute The RDN (relative distinguished name) to use when loading the username. An example is cn. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure.
User First Name Attribute The attribute field to use when loading the user's first name. An example is givenName.
User Last Name Attribute The attribute field to use when loading the user's last name. An example is sn.
User Display Name Attribute The attribute field to use when loading the user's full name. An example is displayName.
User Email Attribute The attribute field to use when loading the user's email address. An example is mail.
User Group Attribute The attribute field to use when loading the user's groups. An example is memberOf. Please refer to the specific settings for group membership searches on the 'Connector' tab, as described above.
User Password Attribute The attribute field to use when loading a user's password. An example is unicodePwd.

Group Configuration

Screenshot 4: Group configuration


Attribute Description
Group DN This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN.
Group Object Class This is the name of the class used for the LDAP group object. Examples are groupOfUniqueNames and group.
Group Object Filter The filter to use when searching group objects. An example is (objectCategory=Group).
Group Name Attribute The attribute field to use when loading the group's name. An example is cn.
Group Description Attribute The attribute field to use when loading the group's description. An example is description.
Group Members Attribute The attribute field to use when loading the group's members. An example is member. Please refer to the specific settings for group membership searches on the 'Connector' tab, as described above.

Role Configuration

Screenshot 5: Role configuration


Attribute Description
Disable Roles When you create an LDAP directory connector, roles in Crowd will be disabled by default. To enable roles, remove the tick from the checkbox. You may need to click out of the checkbox (e.g. click the 'Update' button) to see the role configuration fields. Then click the 'Update' button again to apply the change.

As previously announced, roles are now deprecated in Crowd. We have not changed the functionality of roles in Crowd 2.1, but we do recommend that you move away from the use of roles in your Crowd installation so that you will not be adversely affected by the planned redesign of role functionality. Roles are disabled by default when you create a new LDAP directory. We recommend that you leave roles disabled, unless you have existing data that includes roles.

At present, the implementation of roles in Crowd is identical to the implementation of groups. This design does not provide much useful functionality, so we are planning to redesign the way Crowd supports roles. If you would like to help us to design better role-based access control, please add a comment to the improvement request CWD-931, letting us know how you would like to see it work.

Role DN This value is used in addition to the base DN when searching and loading roles. An example is ou=Roles. If no value is supplied, the subtree search will start from the base DN.
Role Object Class This is the name of the class used for the LDAP role object. An example is group.
Role Object Filter The filter to use when searching role objects. An example is (objectclass=group).
Role Name Attribute The attribute field to use when loading the role's name. An example is cn.
Role Description Attribute The attribute field to use when loading the role's description. An example is description.
Role Members Attribute The attribute field to use when loading the role's members. An example is member.

LDAP Object Structures

The Crowd LDAP connectors assume that all container objects (groups and roles) have the full DN to the associated member. Currently, the membership attributes on a User object are not used by Crowd; however, in the future these associations may be used to assist with performance when looking up memberships.

Supported Object Types
  • groupOfUniqueNames
  • inetorgperson
  • posixGroup
  • posixUser
Zimbra Mail Server
User objects have been tested and are known to work with the zimbraAccount LDAP object types.


Microsoft Active Directory
The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the User and Group objects will require a custom connector to be coded.
Supported Attributes

Crowd's LDAP connectors support the adding and updating of the following user attributes when integrating with an LDAP server via an LDAP directory connector:

  • surname
  • given name
  • email
  • password

If you need support for additional LDAP attributes, the Crowd LDAP connector can be extended. With a license purchase, full source is available and the LDAP connectors can be modified to support any number of attributes.

Hint: An LDAP Browser

To help you identify your LDAP structure, you may find an LDAP browser useful. Take a look at our guide on using Apache Directory Studio.

Supported Directories

Crowd supports the following LDAP directories:

Next Step

Specify the directory permissions, which allow you to restrict the way in which applications can use the directories. See Specifying Directory Permissions.

Once you have configured the directory's permissions, you have finished configuring your new directory. You can then map the directory to appropriate applications.

RELATED TOPICS

Using Apache Directory Studio for LDAP Configuration
Crowd Documentation


Document generated by Confluence on Nov 30, 2010 23:53