For example, you can set up a simple group configuration in Crowd for use with Confluence and other Atlassian products, while authenticating your users against the corporate LDAP directory. You can also avoid the performance issues which might result from downloading large numbers of groups from LDAP.
The diagram below gives a conceptual overview of delegated LDAP authentication. This example assumes that you have:
- The Confluence application integrated with Crowd.
- A Crowd Delegated Authentication directory called 'Employees' which contains the group 'confluence-users'.
- An LDAP directory containing all your employees and their authentication details (e.g. username and password).
Summary of Configuration Steps
To configure a Delegated Authentication directory,
- Log in to the Crowd Administration Console.
- Click the 'Directories' link in the top navigation bar.
- This will display the Directory Browser. Click the 'Add Directory' link.
- This will display the 'Select Directory Type' screen. Click the 'Delegated Authentication' button.
- This will display the 'Details' tab (see Screenshot 1 below). Enter the 'Name' and 'Description' fields, then click the 'Continue' button.
- This will display the 'Connector' tab (see Screenshot 2 below). Select the relevant connector type, and fill in the basic connection information for your directory server. For details, please see:
- Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
- Click the 'Continue' button.
- This will display the 'Configuration' tab (see Screenshot 3 below). Fill in the configuration details for your users.
- Click the 'Test Search' button to verify that Crowd can successfully locate groups/users within the directory.
- Click the 'Continue' button to configure the directory's permissions.
Configuring Directory Details
Screenshot 1: Directory details
Attribute | Description |
---|---|
Name | The name used to identify the directory within Crowd. For example: 'Chicago Employees' or 'Web Customers'. |
Description | More information about this directory. |
Active | Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications. If a directory is not marked as 'Active', it is inactive. Inactive directories:
|
Configuring Connector Details
Screenshot 2: Connector
Attribute | Description |
---|---|
Connector | The directory connector to use when communicating with the directory server. |
URL | The connection URL to use when connecting to the directory server, e.g.: |
Secure SSL | Specifies whether the connection to the directory server is an SSL connection. |
Use Node Referrals | Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error. |
Use Nested Groups | Enable or disable support for nested groups on the LDAP user directory. |
Synchronise User Details | Update users' details in Crowd from the LDAP directory each time they authenticate. |
Synchronise Group Memberships | Update users' group memberships in Crowd from the LDAP directory each time they authenticate. Note that nested groups are not imported, and that groups are not imported if there is a locally-defined group of the same name. |
Use the User Membership Attribute | This option appears only when "Synchronise Group Memberships" is checked. Put a tick in the checkbox if your Active Directory supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.)
|
Base DN | Enter the root distinguished name to use when running queries versus the directory server, e.g.: |
User DN | Distinguished name of the user that Crowd will use when connecting to the directory server. |
Password | The password that Crowd will use when connecting to the directory server. |
We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:
- Apache Directory Server (ApacheDS)
- Apple Open Directory
- Fedora Directory Server
- Generic LDAP Directories
- Microsoft Active Directory
- Novell eDirectory
- OpenDS
- OpenLDAP
- OpenLDAP Using Posix Schema
- Posix Schema for LDAP
- Sun Directory Server Enterprise Edition (DSEE)
Configuring LDAP Object and Attribute Settings
Screenshot 3: User configuration
Attribute | Description |
---|---|
User DN | This value is used in addition to the base DN (distinguished name) when searching and loading users. An example is |
User Object Class | This is the name of the class used for the LDAP user object. An example is |
User Object Filter | The filter to use when searching user objects. |
User Name Attribute | The attribute field to use when loading the username. Examples are |
User Name RDN Attribute | The RDN (relative distinguished name) to use when loading the username. An example is |
User First Name Attribute | The attribute field to use when loading the user's first name. An example is |
User Last Name Attribute | The attribute field to use when loading the user's last name. An example is |
User Display Name Attribute | The attribute field to use when loading the user's full name. An example is |
User Email Attribute | The attribute field to use when loading the user's email address. An example is |
User Group Attribute | The attribute field to use when loading the user's groups. An example is |
User Password Attribute | The attribute field to use when loading a user's password. An example is |
Screenshot 4: Group configuration
Attribute | Description |
---|---|
Group DN | This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN. |
Group Object Class | This is the name of the class used for the LDAP group object. Examples are |
Group Object Filter | The filter to use when searching group objects. An example is |
Group Name Attribute | The attribute field to use when loading the group's name. An example is |
Group Description Attribute | The attribute field to use when loading the group's description. An example is |
Group Members Attribute | The attribute field to use when loading the group's members. An example is |
Please refer to the notes on LDAP object structures in the page about LDAP connectors.
Next Steps
Once you have configured the directory's permissions, you have finished configuring your new directory.
Next steps will be:
- Map the directory to the appropriate applications.
- Consider how you would like to add your users to Crowd's Delegated Authentication directory. There are a few options:
- Manually add the users to the Crowd directory.
- Use Crowd's Directory importer to copy your LDAP users into your Delegated Authentication directory.
- Let Crowd do it for you, at login time. If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory. You will then need to add the user to any necessary groups, to allow them to access applications where group membership is required. If you have enabled the "Synchronise Group Memberships" option, groups and group memberships from LDAP will be automatically imported each time a user authenticates.
RELATED TOPICS
Attachments:








