Crowd 2.6 : Configuring an LDAP Directory Connector

Crowd provides built-in connectors for the most popular LDAP directory servers, including Microsoft Active Directory, Sun DSEE, OpenLDAP, Apache DS, and others.

On this page:

Summary of Configuration Steps

To configure an LDAP directory connector,

  1. Log in to the Crowd Administration Console.
  2. Click the 'Directories' link in the top navigation bar.
  3. The Directory Browser will appear. Click the 'Add Directory' link.
  4. The 'Select Directory Type' screen will appear. Click the 'Connector' button.
  5. The 'Details' tab will appear. See screenshot 1 below. Enter the 'Name' and 'Description' (see table of fields below).
  6. We recommend that you leave 'Cache Enabled' at its default setting (enabled). For more information, see Configuring Caching for an LDAP Directory.
  7. Click the 'Connector' tab. See screenshot 2 below.
  8. Select the relevant connector type and fill in the basic connection information for your directory server. For details, see:
  9. Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
  10. Click the 'Configuration' tab. See the configuration screenshots below.
  11. Fill in the configuration details for your groups and users, as described in the tables below the configuration screenshots. Also please see LDAP Object Structures below.
  12. Click the 'Test Search' button to verify that Crowd can successfully locate groups and users within the directory.
  13. Click the 'Permissions' tab to configure the directory's permissions.

Configuring Directory Details

Screenshot 1: Directory details

Attribute

Description

Name

The name used to identify the directory within Crowd. This is useful when there are multiple directories configured, e.g. 'Chicago Employees' or 'Web Customers'.

Description

Details about this specific directory.

Cache Enabled

We recommend that you turn on LDAP caching. For more information, see Configuring Caching for an LDAP Directory.

Active

Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications. If a directory is not marked as 'Active', it is inactive. Inactive directories:

  • are not included when searching for users, groups or memberships.
  • are still displayed in the Crowd Administration Console screens.

Configuring Connector Details

Screenshot 2: Connector details

Attribute

Description

Connector

The directory connector to use when communicating with the directory server.

URL

The connection URL to use when connecting to the directory server. The URL for Microsoft Active Directory should be in the following format: ldap://domainname:port. Examples:
Plain connection: ldap://localhost:389
SSL connection: ldaps://localhost:636

Secure SSL

Specifies whether the connection to the directory server is an SSL connection. Please ensure that you have followed the instructions to configure an SSL Certificate before enabling this setting.

Use Node Referrals

Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error.

Manage Groups LocallyEnable or disable support for local groups. If local groups are enabled, new groups are created and updated in the Crowd database and not propagated to the LDAP server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only LDAP server. When this option is enabled, only local groups can be created and updated, while groups synchronised from the remote directory cannot be locally modified.

Use Nested Groups

Enable or disable support for nested groups on the LDAP user directory.

Use the User Membership Attribute

Put a tick in the checkbox if your Active Directory supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.)

  • If this checkbox is ticked, Crowd will use the group membership attribute on the user when retrieving the members of a given group. This will result in a more efficient retrieval.
  • If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.
  • If the 'Use Nested Groups' checkbox is ticked, Crowd will ignore the 'Use the User Membership Attribute' option and will use the members attribute on the group for the search.

Use 'memberOf' for Group Membership

Put a tick in the checkbox if your Active Directory supports the 'memberOf' attribute on the user.

  • If this checkbox is ticked, Crowd will use the 'memberOf' attribute when retrieving the list of groups to which a given user belongs. This will result in a more efficient search.
  • If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.

Use Paged Results

Use the LDAP control extension for simple paging of search results. Retrieves chunks of data rather than all of the search results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search.

Paged Results Size

Enter the desired page size i.e. the maximum number of search results to be returned per page, when paged results are enabled. Defaults to 999 results.

Use Naive DN Matching

This setting determines how Crowd will compare DNs to determine if they are equal. See Using Naive DN Matching.

  • If this checkbox is ticked, Crowd will do a direct, case-insensitive, string comparison. This is the default and recommended setting for Active Directory, because Active Directory guarantees the format of DNs. Using naive DN matching will result in a significant performance improvement.
  • If this checkbox is not ticked, Crowd will parse the DN and then check the parsed version.

Enable Incremental Sync

Crowd supports retrieving only changes made after last synchronisation when connecting to Active Directory.

  • If this checkbox is ticked, Crowd will, when possible, only retrieve changes made after the last synchronisation. This is the default and recommended setting for Active Directory.
  • If this checkbox is not ticked, Crowd will retrieve the whole dataset on every synchronisation round.

Polling Interval

Crowd will send a request to Active Directory every x minutes, where 'x' is the number specified here. Please read the full instructions: Configuring Caching for an LDAP Directory.

Read Timeout

The time, in seconds, to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. A value of 0 (zero) means there is no limit.

Search Timeout

The time, in seconds, to wait for a response from a search operation. A value of 0 (zero) means there is no limit.

Connection Timeout

The time, in seconds, to wait when opening new server connections. If not specified, the TCP network timeout will be used, which may be several minutes.

Base DN

Enter the root distinguished name to use when running queries versus the directory server. Examples:
o=acmecorp,c=com
cn=users,dc=ad,dc=acmecorp,dc=com
For Microsoft Active Directory, specify the Base DN in the following format: dc=domain1,dc=local. You will need to replace the domain1 and local for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the the LDAP structure of your server.

User DN

Distinguished name of the user that Crowd will use when connecting to the directory server. For example: cn=administrator,cn=users,dc=ad,dc=acmecorp,dc=com

Password

The password of the user specified above.

Note: You can also configure site-wide LDAP connection pool settings. See Configuring the LDAP Connection Pool.

(info) We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:

Configuring LDAP Object and Attribute Settings

Once you have selected a connector you can modify various LDAP object and attribute settings of the specific LDAP server for users and groups as shown on the screenshots below. On first setup, Crowd will provide generic default settings based on the connector selected.

When configuring your LDAP connector, if you are using non-standard object types, you will need to adjust the default filter and object type configurations. If your connector is added successfully, but you are unable to see any data when browsing your LDAP directory, it is likely that your object and filters are configured incorrectly.

User Configuration

Screenshot 3: User configuration

Attribute

Description

User DN

This value is used in addition to the base DN (distinguished name) when searching and loading users. An example is ou=Users. If no value is supplied, the subtree search will start from the base DN.

User Object Class

This is the name of the class used for the LDAP user object. An example is user.

User Object Filter

The filter to use when searching user objects.

User Name Attribute

The attribute field to use when loading the username. Examples are cn and sAMAccountName.

User Name RDN Attribute

The RDN (relative distinguished name) to use when loading the username. An example is cn. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure.

User First Name Attribute

The attribute field to use when loading the user's first name. An example is givenName.

User Last Name Attribute

The attribute field to use when loading the user's last name. An example is sn.

User Display Name Attribute

The attribute field to use when loading the user's full name. An example is displayName.

User Email Attribute

The attribute field to use when loading the user's email address. An example is mail.

User Group Attribute

The attribute field to use when loading the user's groups. An example is memberOf. Please refer to the specific settings for group membership searches on the 'Connector' tab, as described above.

User Password Attribute

The attribute field to use when loading a user's password. An example is unicodePwd.

Group Configuration

Screenshot 4: Group configuration

Attribute

Description

Group DN

This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN.

Group Object Class

This is the name of the class used for the LDAP group object. Examples are groupOfUniqueNames and group.

Group Object Filter

The filter to use when searching group objects. An example is (objectCategory=Group).

Group Name Attribute

The attribute field to use when loading the group's name. An example is cn.

Group Description Attribute

The attribute field to use when loading the group's description. An example is description.

Group Members Attribute

The attribute field to use when loading the group's members. An example is member. Please refer to the specific settings for group membership searches on the 'Connector' tab, as described above.

 

LDAP Object Structures

The Crowd LDAP connectors assume that all container objects (groups) have the full DN to the associated member. Currently, the membership attributes on a User object are not used by Crowd; however, in the future these associations may be used to assist with performance when looking up memberships.

Supported Object Types
  • groupOfUniqueNames
  • inetorgperson
  • posixGroup
  • posixUser

Zimbra Mail Server

User objects have been tested and are known to work with the zimbraAccount LDAP object types.

Microsoft Active Directory

The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the User and Group objects will require a custom connector to be coded.

Supported Attributes

Crowd's LDAP connectors support the adding and updating of the following user attributes when integrating with an LDAP server via an LDAP directory connector:

  • surname
  • given name
  • email
  • password

If you need support for additional LDAP attributes, the Crowd LDAP connector can be extended. With a license purchase, full source is available and the LDAP connectors can be modified to support any number of attributes.

Hint: An LDAP Browser

To help you identify your LDAP structure, you may find an LDAP browser useful. Take a look at our guide on using Apache Directory Studio.

Supported Directories

Crowd supports the following LDAP directories:

Next Step

Specify the directory permissions, which allow you to restrict the way in which applications can use the directories. See Specifying Directory Permissions.

Once you have configured the directory's permissions, you have finished configuring your new directory. You can then map the directory to appropriate applications.

RELATED TOPICS

Using Apache Directory Studio for LDAP Configuration
Crowd Documentation