This page last changed on Jun 25, 2008 by vchang.
Deprecated for Confluence 2.7.0 and later

For Confluence 2.7.0 and above, all user management is performed by AtlassianUser as described in Understanding User Management in Confluence. OSUser user management, described in this document, has been deprecated.

Overview

To configure Confluence to connect to LDAP for user management only, you have two options:

  1. Use LDAP for users and authentication, not groups. That's described in Add LDAP integration, and includes an optional step to remove group management. This method is supported in Confluence versions after version 2.7.

    or

  2. Create and manage users and groups in Confluence, and use LDAP for authentication only. This is the deprecated OSUser management approach, as described in this document. If a username exists in both Confluence and LDAP, the user logs in with their LDAP password. This method has been deprecated after Confluence version 2.7.

Important Points about Option 2 Above

  • Only the password lookup is done against LDAP and only if the Confluence username is the same as the LDAP username. Users and user profiles are still managed in Confluence. See technical explanation below.
  • A Confluence account must be created for each LDAP user, as users do not automatically have access. For an LDAP user to access Confluence, a site administrator will still need to create an account for them. The password in this Confluence account will be ignored as the LDAP password will override it.

Instructions

Step 1: Modify atlassian-user.xml to use OSUser Management

For Confluence 2.7 and above, the default user repository is the hibernate repository (Atlassian User). To revert to OSUser, you will need to put the OSUser repository tag in the top position so it's the primary user management option. Modify /confluence/WEB-INF/classes/atlassian-user.xml to contain this:

<atlassian-user>
    <repositories>
        <osuser key="osuserRepository" name="OSUser Repository"/>
        <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
    </repositories>
</atlassian-user>

Note: For Confluence versions prior to 2.7, if you have delegated your user management to JIRA, LDAP or any other external user management system, copy the following files from your old Confluence installation to your new Confluence installation:

  • <Installation-Directory>/confluence/WEB-INF/classes/osuser.xml.
  • <Installation-Directory>/confluence/WEB-INF/classes/atlassian-user.xml (if you are upgrading from Confluence 2.2 or later).

Step 2: Open the osuser.xml file located in your home directory under WEB-INF/classes

In the osuser.xml file, the CredentialsProviders are responsible for authenticating passwords. The default CachingCredentialsProvider looks in the Confluence database. To enable LDAP authentication, you will need to add an LDAPCredentialsProvider so that LDAP users can also be authenticated.

Here's what the default osuser.xml contains:

<provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>


Step 3: Edit the osuser.xml file as shown below

For Confluence version 2.1 and later:

<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
    <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.provider.url">ldap://localhost:389</property>
    <property name="searchBase">dc=atlassian,dc=com</property>
    <property name="uidSearchName">cn</property>
    <!--
    <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
    <property name="java.naming.security.credentials">secret</property>
    <property name="exclusive-access">true</property>
    -->
</provider>

<provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>


For older versions of Confluence:

<provider class="com.opensymphony.user.provider.ldap.LDAPCredentialsProvider">
    <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.provider.url">ldap://localhost:389</property>
    <property name="searchBase">dc=atlassian,dc=com</property>
    <property name="uidSearchName">cn</property>
    <!--
    <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
    <property name="java.naming.security.credentials">secret</property>
    <property name="exclusive-access">true</property>
    -->
</provider>

<provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>


  • Update the following properties of the LDAP provider to suit your LDAP server:

    • java.naming.provider.url (currently set to ldap://localhost:389)
    • searchBase (currently set to dc=atlassian,dc=com)
    • uidSearchName (currently set to cn)

  • If your LDAP server is not configured to allow anonymous lookups, you need to:

    • remove the comment tags around the three commented-out properties
    • enter the bind username in java.naming.security.principal, including the searchBase (currently set to cn=Manager,dc=atlassian,dc=com)
    • enter the bind password in java.naming.security.credentials (currently set to secret)


Credentials (password) checking is a separate operation from user-profile lookups. The profile can be loaded from the Confluence database while the password is looked up from LDAP. Furthermore, multiple credentials providers can be specified (here, LDAP and OSUser), and if one fails, the other will be used. This allows non-LDAP users to log in with their Confluence password.
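The two edits above (the repository order in atlassian-user.xml from Step 1, and the credentials-provider chain in osuser.xml from Step 3) are easy to get subtly wrong, and nothing in Confluence tells you why a login silently falls through to the wrong provider. The following script is an added example, not Atlassian code: it parses both files, checks that <osuser> is listed first, that an LDAP credentials provider is present ahead of CachingCredentialsProvider so the LDAP password takes precedence as the page describes, that the three required properties are set, and reports two points an administrator should know about (a plain ldap:// URL, and a service-account password left uncommented in the file). The sample inputs are constructed from the page's own snippets; the <opensymphony-user><providers> wrapper around the osuser.xml fragment is an assumption, and the checks work on any root element because they look for <provider> elements wherever they appear.

```python
"""Lint a Confluence OSUser LDAP setup: atlassian-user.xml and osuser.xml.

Added example, not Atlassian code. Sample inputs below are constructed from the
page's snippets; the <opensymphony-user><providers> wrapper is assumed.
"""
import xml.etree.ElementTree as ET

LDAP_PROVIDER_CLASSES = {
    "com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider",  # Confluence 2.1 and later
    "com.opensymphony.user.provider.ldap.LDAPCredentialsProvider",      # older Confluence
}
CACHING_CREDENTIALS_CLASS = "bucket.user.providers.CachingCredentialsProvider"
REQUIRED_LDAP_PROPERTIES = ("java.naming.provider.url", "searchBase", "uidSearchName")


def check_atlassian_user(xml_text):
    """Problems with the <repositories> order: <osuser> must come first (Step 1)."""
    root = ET.fromstring(xml_text)
    repositories = root.find("repositories")
    order = [] if repositories is None else [child.tag for child in repositories]
    if "osuser" not in order:
        return ["atlassian-user.xml: no <osuser> repository, OSUser management is not enabled"]
    if order[0] != "osuser":
        return ["atlassian-user.xml: <osuser> must be listed first, found order %s" % order]
    return []


def provider_properties(provider):
    """Map the <property name="..."> children of one <provider> to their text."""
    return {p.get("name"): (p.text or "").strip() for p in provider.findall("property")}


def check_osuser(xml_text):
    """Problems with the credentials-provider chain in osuser.xml (Step 3)."""
    root = ET.fromstring(xml_text)            # the parser drops XML comments, so the
    providers = list(root.iter("provider"))   # commented-out bind properties are ignored
    classes = [p.get("class") for p in providers]
    ldap_index = next((i for i, c in enumerate(classes) if c in LDAP_PROVIDER_CLASSES), None)
    caching_index = next((i for i, c in enumerate(classes) if c == CACHING_CREDENTIALS_CLASS), None)
    if ldap_index is None:
        return ["osuser.xml: no LDAP credentials provider, LDAP passwords are never checked"]
    problems = []
    if caching_index is None:
        problems.append("osuser.xml: no CachingCredentialsProvider, non-LDAP users cannot log in")
    elif caching_index < ldap_index:
        problems.append("osuser.xml: LDAP provider should precede CachingCredentialsProvider "
                        "so the LDAP password takes precedence")
    props = provider_properties(providers[ldap_index])
    for name in REQUIRED_LDAP_PROPERTIES:
        if not props.get(name):
            problems.append("osuser.xml: LDAP provider is missing property %s" % name)
    url = props.get("java.naming.provider.url", "")
    if url.startswith("ldap://"):
        problems.append("osuser.xml: %s is plain ldap://; unless StartTLS is negotiated, "
                        "bind passwords cross the network in cleartext" % url)
    if "java.naming.security.credentials" in props:
        problems.append("osuser.xml: service-account password is stored in cleartext; "
                        "restrict read access to the file")
    return problems


# Constructed sample: the atlassian-user.xml from Step 1.
SAMPLE_ATLASSIAN_USER = """<atlassian-user>
    <repositories>
        <osuser key="osuserRepository" name="OSUser Repository"/>
        <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
    </repositories>
</atlassian-user>"""

# Constructed sample: the Step 3 (Confluence 2.1+) fragment inside an assumed wrapper element.
SAMPLE_OSUSER = """<opensymphony-user><providers>
<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
<property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
<property name="java.naming.provider.url">ldap://localhost:389</property>
<property name="searchBase">dc=atlassian,dc=com</property>
<property name="uidSearchName">cn</property>
<!--
<property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
<property name="java.naming.security.credentials">secret</property>
<property name="exclusive-access">true</property>
-->
</provider>
<provider class="bucket.user.providers.CachingCredentialsProvider">
<property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
<property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
</providers></opensymphony-user>"""

if __name__ == "__main__":
    for problem in check_atlassian_user(SAMPLE_ATLASSIAN_USER) + check_osuser(SAMPLE_OSUSER):
        print(problem)
```

Run against the page's own configuration, the only finding is the plain ldap://localhost:389 URL; once the bind properties are uncommented for a server that refuses anonymous lookups, the script also points out that the service-account password now sits in cleartext in osuser.xml. To lint a real installation, read the two files from <Installation-Directory>/confluence/WEB-INF/classes and pass their contents to the two check functions.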

RELATED TOPICS
Activating External User Management
Add LDAP Integration For User Authentication Only
Changes in osuser.xml from 1.0.3a to 1.1.x
Confluence Caching OSUser Provider
Importing LDAP Users
Special LDAP Integration Note for users upgrading to Confluence version 2.1.x or higher

Document generated by Confluence on Aug 07, 2008 19:05