This page last changed on Jun 02, 2008 by smaddox.
This page describes the function of each of the tags in an atlassian-user.xml file. These can be added as child tags of the <ldap> tag in your atlassian-user.xml file to configure each option.
Developer note: this information is derived from atlassian-user-defaults.xml, which can be found in the source of Atlassian-User under src/main/resources/. It also ships in atlassian-user.jar.
Core settings
These settings do not have a default value and must be provided to configure an LDAP connection.
|| XML tag || Description ||
| LDAP connection properties | |
| host | The host name of the machine running the LDAP server. It must resolve from the machine running Confluence. |
| port | The port number the LDAP server listens on. This is usually 389 for plain LDAP, or 636 when securityProtocol is set to ssl (LDAPS). |
| securityPrincipal | The distinguished name (DN) of a user who is allowed to browse the entire LDAP repository; a read-only service account is sufficient. It can be omitted if the repository allows anonymous access. |
| securityCredential | The password for the user configured as the securityPrincipal. It can be omitted if the repository allows anonymous access. [1] |
| baseContext | The DN of the top of the LDAP tree that contains both users and groups. |
| LDAP user mapping properties | |
| baseUserNamespace | The DN at the top of the LDAP subtree which contains users. For example: ou=users,dc=example,dc=com. |
| userSearchFilter | An LDAP search filter which matches only user entries under the baseUserNamespace. For example: (objectClass=person). [1] |
| usernameAttribute | The attribute on a user in LDAP which contains the Confluence username. It must be unique across all users. For example: cn (OpenLDAP), sAMAccountName (Active Directory). |
| firstnameAttribute | The attribute on a user in LDAP which contains the first name of the user. For example: givenName. |
| surnameAttribute | The attribute on a user in LDAP which contains the last name of the user. For example: sn. |
| emailAttribute | The attribute on a user in LDAP which contains the email address of the user. For example: mail. |
| LDAP group mapping properties | |
| baseGroupNamespace | The DN at the top of the LDAP subtree which contains groups. For example: ou=groups,dc=example,dc=com. |
| groupSearchFilter | An LDAP search filter which matches only group entries under the baseGroupNamespace. For example: (objectClass=group). [1] |
| groupnameAttribute | The attribute on a group in LDAP which contains the Confluence group name. It must be unique across all groups. For example: cn. |
| membershipAttribute | The attribute on a group in LDAP which contains the DN of each member of the group. For example: member. [2] |
Notes
- If these values contain ampersands, they must be escaped as &amp; in the XML file, otherwise the file is not well-formed and will not load. This is a common situation with LDAP search filters (every AND filter starts with &) and with passwords containing ampersands. For example, the LDAP search filter (&(objectClass=user)(mail=*@example.com)) would be put in the XML as: <userSearchFilter>(&amp;(objectClass=user)(mail=*@example.com))</userSearchFilter>.
- This can also contain the user name of each member of the group. See the useUnqualifiedUsernameForMembershipComparison optional configuration setting below.
Optional settings
|| XML tag || Default value || Description ||
| LDAP connection properties | | |
| securityProtocol | plain | Transport security for the connection: plain (clear text) or ssl (LDAPS). With authentication set to simple, the securityCredential is sent in clear text unless this is ssl; search results also travel unencrypted over plain. |
| authentication | simple | LDAP bind type. simple sends the securityPrincipal's password in plain text (protect it with securityProtocol ssl). Can be none if anonymous access to the LDAP server is available. |
| initialContextFactory | com.sun.jndi.ldap.LdapCtxFactory | Class name of the JNDI LDAP provider (default: Sun JNDI). |
| batchSize | 100 | Size of pages in search results. |
| poolingOn | true | Use connection pooling. |
| connectTimeout | 30000 | Timeout in milliseconds when opening new server connections (default: 30 seconds). |
| readTimeout | 60000 | Timeout in milliseconds for searches and other read operations (default: 60 seconds). |
| LDAP connection pool properties | | |
| initSize | 1 | Initial size of the connection pool, i.e. the number of connections opened at start-up. [1] |
| prefSize | 10 | Preferred size of the connection pool. [1] |
| maxSize | 0 | Maximum size of the connection pool. Zero means no maximum. [1] |
| timeout | 300000 | Idle time in milliseconds before a connection is removed from the pool (default: 5 minutes). [1] |
| debugLevel | none | Debug level for connection pool logging. [1] |
| poolAuthentication | simple | Authentication type for pooled connections. [1] |
| LDAP search properties | | |
| timeToLive | 0 | Time limit on searches in milliseconds. Zero means no limit. [2] |
| userSearchAllDepths | false | If true, user searches cover the whole subtree under the baseUserNamespace DN; if false (the default), only its direct children are searched. [3] |
| groupSearchAllDepths | false | If true, group searches cover the whole subtree under the baseGroupNamespace DN; if false (the default), only its direct children are searched. [3] |
| useUnqualifiedUsernameForMembershipComparison | false | If true, Confluence compares the values of the membershipAttribute against the user's usernameAttribute value instead of the user's complete distinguished name. |
Notes
- The connection pool properties provided by Atlassian-User correspond to the JNDI LDAP connection pooling properties (the com.sun.jndi.ldap.connect.pool.initsize, prefsize, maxsize, timeout, debug and authentication system properties). See the JNDI LDAP connection pooling documentation for further information.
- More information on this time limit is available on Sun's JNDI tutorial.
- The "searchAllDepths" parameters toggle between SearchControls.SUBTREE_SCOPE (true) and SearchControls.ONELEVEL_SCOPE (false). See Sun's JNDI tutorial on scope configuration for more information.
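The following is an added example, not part of this page or of Atlassian-User. It embeds a constructed atlassian-user.xml (ldap.example.com, the DNs and the password are placeholders; the key, name and cache attributes on <ldap> are assumed from Confluence's LDAP integration examples), parses it, and flags the problems this page warns about: missing core settings, an unescaped & in a filter or password, a simple bind over a plain connection (which sends the securityCredential in clear text), and user or group namespaces that do not lie under baseContext.

```python
"""Sanity-check the <ldap> block of an atlassian-user.xml (added example, not Atlassian code).

The configuration below is constructed: ldap.example.com, the DNs and the password are
placeholders. The checks encode points made on this page: required core tags, '&' escaping
in filters and passwords, and that a simple bind over plain transport sends the
securityCredential across the network in clear text.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample of one <ldap> repository. The key/name/cache attributes are assumed
# from Confluence's LDAP integration examples. Note '&amp;' in the filter and password.
SAMPLE_CONFIG = """<atlassian-user>
  <repositories>
    <ldap key="ldapRepository" name="Corporate LDAP" cache="true">
      <host>ldap.example.com</host>
      <port>389</port>
      <securityPrincipal>cn=confluence,ou=service,dc=example,dc=com</securityPrincipal>
      <securityCredential>s3cr3t&amp;more</securityCredential>
      <securityProtocol>plain</securityProtocol>
      <authentication>simple</authentication>
      <baseContext>dc=example,dc=com</baseContext>
      <baseUserNamespace>ou=users,dc=example,dc=com</baseUserNamespace>
      <userSearchFilter>(&amp;(objectClass=person)(mail=*@example.com))</userSearchFilter>
      <usernameAttribute>uid</usernameAttribute>
      <firstnameAttribute>givenName</firstnameAttribute>
      <surnameAttribute>sn</surnameAttribute>
      <emailAttribute>mail</emailAttribute>
      <baseGroupNamespace>ou=groups,dc=example,dc=com</baseGroupNamespace>
      <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
      <groupnameAttribute>cn</groupnameAttribute>
      <membershipAttribute>member</membershipAttribute>
      <userSearchAllDepths>true</userSearchAllDepths>
    </ldap>
  </repositories>
</atlassian-user>"""

# Core settings from this page: no default value, must be present.
REQUIRED = ("host", "port", "baseContext", "baseUserNamespace", "userSearchFilter",
            "usernameAttribute", "firstnameAttribute", "surnameAttribute",
            "emailAttribute", "baseGroupNamespace", "groupSearchFilter",
            "groupnameAttribute", "membershipAttribute")


def xml_safe(value):
    """Escape a raw LDAP filter or password for use as XML element text."""
    return escape(value)


def is_well_formed(xml_text):
    """False if the file does not parse, e.g. because of a raw '&' in a filter."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return True


def load_ldap_settings(xml_text):
    """Return {tag: text} for the first <ldap> repository (XML entities already decoded)."""
    ldap = ET.fromstring(xml_text).find("./repositories/ldap")
    if ldap is None:
        raise ValueError("no <ldap> repository found")
    return {child.tag: (child.text or "").strip() for child in ldap}


def check_settings(cfg):
    """Return a list of findings; an empty list means nothing to report."""
    findings = [f"missing core setting <{tag}>" for tag in REQUIRED if not cfg.get(tag)]

    principal, credential = cfg.get("securityPrincipal", ""), cfg.get("securityCredential", "")
    if bool(principal) != bool(credential):
        findings.append("securityPrincipal and securityCredential must be set together, "
                        "or both omitted for anonymous access")

    protocol = cfg.get("securityProtocol", "plain")   # defaults from this page
    auth = cfg.get("authentication", "simple")
    if credential and auth == "simple" and protocol != "ssl":
        findings.append("simple bind over plain transport sends securityCredential in "
                        "clear text; set <securityProtocol>ssl</securityProtocol>")
    if protocol == "ssl" and cfg.get("port") == "389":
        findings.append("securityProtocol is ssl but port is 389; LDAPS usually uses 636")

    # Rough textual check that the user and group subtrees lie under baseContext.
    base = cfg.get("baseContext", "").lower().replace(" ", "")
    for tag in ("baseUserNamespace", "baseGroupNamespace"):
        ns = cfg.get(tag, "").lower().replace(" ", "")
        if base and ns and not ns.endswith(base):
            findings.append(f"<{tag}> {ns} is not under <baseContext> {base}")

    for tag in ("userSearchFilter", "groupSearchFilter"):
        filt = cfg.get(tag, "")
        if filt and filt.count("(") != filt.count(")"):
            findings.append(f"<{tag}> has unbalanced parentheses: {filt}")
    return findings


if __name__ == "__main__":
    for finding in check_settings(load_ldap_settings(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```

Run as written, the script reports one finding for the sample: the bind password crosses the network in clear text because securityProtocol is plain. Changing securityProtocol to ssl and port to 636 clears it; replacing the &amp; entities with raw & makes the file unparseable, which is the symptom described in note [1] above.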
RELATED TOPICS
Customising atlassian-user.xml
Add LDAP Integration
LDAP User Management