This page last changed on Feb 27, 2011 by smaddox.

You can connect your Confluence application to an LDAP directory for delegated authentication. This means that Confluence will have an internal directory that uses LDAP for authentication only. There is an option to create users in the internal directory automatically when they attempt to log in, as described in the settings section.

Overview

An internal directory with LDAP authentication offers the features of an internal directory (users and groups are created and managed within Confluence) while users' passwords are stored and checked in LDAP only. The only operation performed against LDAP is checking a user's password; the LDAP connection is read only and nothing is written back to the directory server. Every user in the internal directory must map to a user on LDAP, otherwise they cannot log in.

When to use this option: Choose this option if you want to set up a user and group configuration within your application that suits your needs, while checking your users' passwords against the corporate LDAP directory. This option also avoids the performance issues that can result from downloading large numbers of groups from LDAP, because groups are never read from LDAP at all.

Connecting Confluence to an Internal Directory with LDAP Authentication

To connect to an internal directory but check logins via LDAP:

  1. Go to the Confluence 'Administration Console'. To do this:

    • Open the 'Browse' menu and select 'Confluence Admin'. The 'Administrator Access' login screen will be displayed.
    • Enter your password and click 'Confirm'. You will be temporarily logged into a secure session to access the 'Administration Console'.
  2. Click 'User Directories' in the left-hand panel.
  3. Add a directory and select type 'Internal with LDAP Authentication'.
  4. Enter the values for the settings, as described below.
  5. Save the directory settings.
  6. Define the directory order by clicking the blue up- and down-arrows next to each directory on the 'User Directories' screen. We recommend that the 'Internal with LDAP Authentication' directory is at the top of the list, so that it is the first directory searched for users and groups and the one that receives changes.

    Here is a summary of how the directory order affects the processing:

    • The order of the directories is the order in which they will be searched for users and groups.
    • Changes to users and groups will be made only in the first directory where the application has permission to make changes.

    For details see Managing Multiple Directories.

  7. Add your users and groups in Confluence. See Adding a New User and Adding a Group.

Server Settings

Setting: Description
Name: A descriptive name that will help you to identify the directory. Examples:
  • Internal directory with LDAP Authentication
  • Corporate LDAP for Authentication Only
Directory Type: Select the type of LDAP directory that you will connect to. If you are adding a new LDAP connection, the value you select here determines the default values for some of the options on the rest of the screen. Examples:
  • Microsoft Active Directory
  • OpenDS
  • And more.
Hostname: The host name of your directory server. Examples:
  • ad.example.com
  • ldap.example.com
  • opends.example.com
Port: The port on which your directory server is listening. Examples:
  • 389 (the standard LDAP port)
  • 10389
  • 636 (the standard port for LDAP over SSL)
Use SSL: Tick this check box if the connection to the directory server is an SSL (Secure Sockets Layer) connection. Note that you will need to configure an SSL certificate in order to use this setting: the directory server's certificate must be trusted by the JVM that runs Confluence. Without SSL, every password that Confluence checks against the directory, including the password of the connection account below, crosses the network in clear text.
Username: The distinguished name of the user that the application will use when connecting to the directory server. Because this directory type only reads from LDAP, an account with read access is sufficient; there is no need to use a domain administrator account. Examples:
  • cn=administrator,cn=users,dc=ad,dc=example,dc=com
  • cn=user,dc=domain,dc=name
  • user@domain.name
Password: The password of the user specified above.

Copying Users on First Login

Setting: Description
Copy User on First Login: This option determines what happens when a user attempts to log in and their username does not yet exist in the internal directory that is using LDAP for authentication. If this check box is ticked, the user is created automatically in the internal directory when they log in. If this check box is not ticked, the user's login fails.

If you tick this check box, the following additional fields appear on the screen, both described in more detail below:
  • Default Group Memberships
  • User Schema Settings
Default Group Memberships: This field appears if you tick the 'Copy User on First Login' check box. If you would like users to be added automatically to one or more groups, enter the group name(s) here, separated by commas. Each time a user logs in, their group memberships are checked, and if the user does not belong to the specified group(s), they are added. If a group does not yet exist, it is created in the internal directory that is using LDAP for authentication.

Please note that the group names are not validated. If you mis-type a group name, a new group with the mis-typed name is created and users are added to it instead of the intended group. The result is authorisation failures: users will not have access to the applications or functionality granted to the intended group. Check the list of groups after the first user logs in to confirm that the expected groups were used.

Examples:
  • confluence-users
  • confluence-users,jira-users,jira-developers
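The decision that the settings above describe, written out as a small simulation. This is an added example, not Confluence or Crowd code: it assumes that a user is copied into the internal directory only after LDAP has accepted the password, and the InternalDirectory class, the ldap_password_ok callback and the sample accounts are made up for illustration. It also shows what happens to a mis-typed default group name.

```python
"""Simulate the login decision of an 'Internal with LDAP Authentication'
directory, including 'Copy User on First Login' and 'Default Group
Memberships'.

Added example, not Confluence or Crowd code. Assumption: a user is copied
into the internal directory only after LDAP accepts the password. The
class, callback and sample accounts below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class InternalDirectory:
    """Users and groups held by Confluence itself; LDAP only checks passwords."""
    users: Set[str] = field(default_factory=set)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    copy_user_on_first_login: bool = False
    default_group_memberships: str = ""  # comma-separated, as typed into the UI

    def default_groups(self) -> List[str]:
        """Split the comma-separated field. Nothing validates the names, so a
        typo such as 'confluence-user' simply becomes a new, unused group."""
        return [g.strip() for g in self.default_group_memberships.split(",") if g.strip()]

    def login(self, username: str, password: str,
              ldap_password_ok: Callable[[str, str], bool]) -> str:
        """Return a short outcome string; the directory is updated on success."""
        # 1. The only thing asked of LDAP: is this the right password for this
        #    user? A user who exists internally but not in LDAP fails here.
        if not ldap_password_ok(username, password):
            return "denied: LDAP rejected the password"
        # 2. An LDAP user unknown to the internal directory fails unless
        #    'Copy User on First Login' is ticked, in which case it is created.
        if username not in self.users:
            if not self.copy_user_on_first_login:
                return "denied: user not in internal directory"
            self.users.add(username)
        # 3. Default group memberships are reconciled on every login; groups
        #    that do not exist yet are created in the internal directory.
        for group in self.default_groups():
            self.groups.setdefault(group, set()).add(username)
        return "ok"

    def is_member(self, username: str, group: str) -> bool:
        return username in self.groups.get(group, set())


# Constructed stand-in for the corporate LDAP directory: username -> password.
# A real deployment would check the password against the server; nothing
# else is read from LDAP.
LDAP_ACCOUNTS = {"jsmith": "correct horse", "adoe": "battery staple"}


def fake_ldap_password_ok(username: str, password: str) -> bool:
    return username in LDAP_ACCOUNTS and LDAP_ACCOUNTS[username] == password


def demo():
    """Walk through the cases the page describes; return the directory and
    the outcome of each login attempt."""
    d = InternalDirectory(users={"jsmith", "legacy"},
                          groups={"confluence-users": {"jsmith"}})
    outcomes = {}
    outcomes["wrong password"] = d.login("jsmith", "nope", fake_ldap_password_ok)
    outcomes["internal user missing from LDAP"] = d.login("legacy", "anything", fake_ldap_password_ok)
    outcomes["ldap user not yet internal, copy off"] = d.login("adoe", "battery staple", fake_ldap_password_ok)
    # Enable copying and set default groups, the second one mis-typed.
    d.copy_user_on_first_login = True
    d.default_group_memberships = "confluence-users, confluence-user"
    outcomes["ldap user not yet internal, copy on"] = d.login("adoe", "battery staple", fake_ldap_password_ok)
    return d, outcomes


if __name__ == "__main__":
    directory, results = demo()
    for case, result in results.items():
        print(f"{case}: {result}")
    print("groups:", {g: sorted(m) for g, m in directory.groups.items()})
```

Running it shows the mis-typed 'confluence-user' group appearing alongside 'confluence-users' with the copied user in both; in a real installation the extra group would sit there granting nothing, which is the authorisation failure the note above warns about.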

Schema Settings

Setting: Description
Base DN: The root distinguished name (DN) to use when running queries against the directory server. Examples:
  • o=example,c=com
  • cn=users,dc=ad,dc=example,dc=com
  • For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local. Replace domain1 and local with the components of your own domain name. Windows Server provides a tool called ldp.exe which is useful for finding out and configuring the LDAP structure of your server.
User Name Attribute: The attribute used to find the user entry for the username typed at login. Examples:
  • cn
  • sAMAccountName

User Schema Settings (Used when Copying Users on First Login)

Setting: Description
User Schema Settings: This section appears if you tick the 'Copy User on First Login' check box. If the fields below this heading are hidden, click the heading to reveal them.
Additional User DN: This value is used in addition to the base DN when searching for and loading users. If no value is supplied, the subtree search starts from the base DN. Example:
  • ou=Users
User Object Class: The name of the class used for the LDAP user object. Example:
  • user
User Object Filter: The filter to use when searching for user objects. Example:
  • (&(objectCategory=Person)(sAMAccountName=*))
User Name RDN Attribute: The attribute that forms the RDN (relative distinguished name) of the user entry. The DN of each LDAP entry has two parts: the RDN, which identifies the entry itself, and the DN of its parent, which gives its location in the directory tree. The RDN is the portion of the DN that is not related to the directory tree structure. Example:
  • cn
User First Name Attribute: The attribute to use when loading the user's first name. Example:
  • givenName
User Last Name Attribute: The attribute to use when loading the user's last name. Example:
  • sn
User Display Name Attribute: The attribute to use when loading the user's full name. Example:
  • displayName
User Email Attribute: The attribute to use when loading the user's email address. Example:
  • mail
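How the Base DN, Additional User DN, User Object Filter, User Name Attribute and User Name RDN Attribute combine into a search base, a search filter and a user DN, with the username escaped so that it cannot alter the filter or the DN. This is an added example, not Confluence or Crowd code; the function names, the sample settings and the sample usernames are assumptions made for illustration. The unsafe variant is included only to show why the escaping matters.

```python
"""Compose the LDAP search base, user filter and user DN from the
'Schema Settings' and 'User Schema Settings' described on this page.

Added example, not Confluence or Crowd code. Function names, sample
settings and sample usernames are made up for illustration.
"""

# RFC 4515 section 3: these characters must be escaped in a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def search_base(base_dn: str, additional_user_dn: str = "") -> str:
    """The subtree searched for users: Additional User DN prepended to the
    Base DN. With no Additional User DN the search starts at the Base DN."""
    if not additional_user_dn:
        return base_dn
    return f"{additional_user_dn},{base_dn}"


def user_search_filter(username: str, username_attribute: str,
                       user_object_filter: str = "") -> str:
    """AND the configured User Object Filter with an exact match on the
    User Name Attribute, escaping the username first."""
    term = f"({username_attribute}={escape_filter_value(username)})"
    if not user_object_filter:
        return term
    return f"(&{user_object_filter}{term})"


def unsafe_user_search_filter(username: str, username_attribute: str,
                              user_object_filter: str) -> str:
    """Same composition without escaping; shown only to contrast."""
    return f"(&{user_object_filter}({username_attribute}={username}))"


def user_dn(username: str, rdn_attribute: str, base: str) -> str:
    """Build the DN of the user entry: <User Name RDN Attribute>=<username>
    under the search base."""
    return f"{rdn_attribute}={escape_dn_value(username)},{base}"


# Sample settings, matching the examples given on this page.
AD_USER_FILTER = "(&(objectCategory=Person)(sAMAccountName=*))"

if __name__ == "__main__":
    base = search_base("dc=ad,dc=example,dc=com", "ou=Users")
    print("search base:", base)
    print("filter:     ", user_search_filter("jsmith", "sAMAccountName", AD_USER_FILTER))
    # A username chosen to close the assertion and add a wildcard match.
    hostile = "*)(sAMAccountName=*"
    print("unescaped:  ", unsafe_user_search_filter(hostile, "sAMAccountName", AD_USER_FILTER))
    print("escaped:    ", user_search_filter(hostile, "sAMAccountName", AD_USER_FILTER))
    print("user DN:    ", user_dn("Smith, John", "cn", base))
```

The unescaped filter for the hostile username is still syntactically valid and matches every person in the subtree rather than one account; the escaped form matches only an account whose name is literally that string. Whatever performs the lookup must do this escaping; the settings screen itself does not.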

Diagrams of Possible Configurations

[Diagram: Gliffy-Confluence-LDAP-Auth-Only] Confluence connecting to an LDAP directory for authentication only.

[Diagram: Gliffy-Confluence-LDAP-Copy-On-First-Login] Confluence connecting to an LDAP directory for authentication only, with each user copied to the internal directory when they first log in to Confluence.

RELATED TOPICS

Configuring User Directories

Document generated by Confluence on Mar 16, 2011 18:33