This page last changed on Jan 22, 2007 by david.soul@atlassian.com.

Description

There are two kinds of Confluence/LDAP integration available:

                      User Authentication   Internal Users   Internal Groups   LDAP Users   LDAP Groups
LDAP Without Groups
LDAP With Groups

This guide covers LDAP without groups: if a username exists in both Confluence and LDAP, the user logs in with their LDAP password. You still maintain users in Confluence and use internal Confluence groups for group permissions.

Alternatively, you may use LDAP with Groups to have users and groups automatically updated from LDAP, and use LDAP groups for group permissions.

Applies For

  • Enabling LDAP for the first time
  • Upgrading existing LDAP without enabling group management

Important Points

  • Only the password lookup is done against LDAP, and only if the Confluence username coincides with the LDAP username. Users and user profiles are still managed in Confluence. See the technical explanation below.
  • A Confluence account must be created for each LDAP user, as LDAP users do not automatically have access: for an LDAP user to access Confluence, a site administrator still needs to create an account for them. The password in that Confluence account is ignored, because the LDAP password overrides it.
  • User management in Confluence 2.0 and earlier is handled by OSUser. OSUser is configured through the osuser.xml file located in confluence/WEB-INF/classes.

Instructions

CAUTION: Make sure that when you first set up Confluence, you make no changes to the default osuser.xml. Once Confluence is up and running, you can then apply the changes described here to enable LDAP integration.

Step One: Open the osuser.xml file located in your home directory under WEB-INF/classes

In the osuser.xml file, the CredentialsProviders are responsible for authenticating passwords. The default CachingCredentialsProvider looks in the Confluence database. To enable LDAP authentication, you will need to add an LDAPCredentialsProvider so that LDAP users can also be authenticated.

Here's what the default osuser.xml contains:

<provider class="bucket.user.providers.CachingCredentialsProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>


Step Two: Edit the osuser.xml file as shown below:

For Confluence version 2.1 and later:

<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
  <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
  <property name="java.naming.provider.url">ldap://localhost:389</property>
  <property name="searchBase">dc=atlassian,dc=com</property>
  <property name="uidSearchName">cn</property>
  <!--
  <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
  <property name="java.naming.security.credentials">secret</property>
  <property name="exclusive-access">true</property>
  -->
</provider>

<provider class="bucket.user.providers.CachingCredentialsProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>


For older versions of Confluence:

<provider class="com.opensymphony.user.provider.ldap.LDAPCredentialsProvider">
  <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
  <property name="java.naming.provider.url">ldap://localhost:389</property>
  <property name="searchBase">dc=atlassian,dc=com</property>
  <property name="uidSearchName">cn</property>
  <!--
  <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
  <property name="java.naming.security.credentials">secret</property>
  <property name="exclusive-access">true</property>
  -->
</provider>

<provider class="bucket.user.providers.CachingCredentialsProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>


  • Update the following properties to suit your LDAP server:

    • java.naming.provider.url (currently set to ldap://localhost:389)
    • searchBase (currently set to dc=atlassian,dc=com)
    • uidSearchName (currently set to cn)

  • If your LDAP server is not configured to allow anonymous lookups, you need to:

    • remove the comment tags around the commented-out properties
    • enter the username as a full DN, including the searchBase (java.naming.security.principal, currently set to cn=Manager,dc=atlassian,dc=com)
    • enter the password (java.naming.security.credentials, currently set to secret)
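
The following is an added example, not Atlassian's or OpenSymphony's code: an offline checker that parses the provider fragments shown above (wrapped in a dummy root element, since osuser.xml fragments are not complete documents) and reports what a reviewer would want to know before the file goes live: whether the LDAP provider is listed before the database-backed CachingCredentialsProvider, whether the provider URL is plain ldap:// rather than ldaps://, whether a bind password sits in the file in cleartext, whether searchBase and uidSearchName are set, and whether any of this page's placeholder values are still present. The two sample fragments, the ldaps://ldap.example.org URL and the dc=example,dc=org base DN are constructed for the example.

```python
"""Offline review of the credentials-provider section of osuser.xml (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LDAP_PROVIDER_CLASSES = {
    "com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider",  # Confluence 2.1+
    "com.opensymphony.user.provider.ldap.LDAPCredentialsProvider",      # older releases
}
DB_CREDENTIALS_CLASS = "bucket.user.providers.CachingCredentialsProvider"

# Values that appear verbatim on this page and should not reach production unchanged.
PLACEHOLDERS = {
    "searchBase": "dc=atlassian,dc=com",
    "java.naming.security.principal": "cn=Manager,dc=atlassian,dc=com",
    "java.naming.security.credentials": "secret",
}

# Constructed sample: the 2.1+ fragment from this page with the bind block
# uncommented and the URL left on plain ldap://, so several checks fire.
WEAK_FRAGMENT = """
<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
  <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
  <property name="java.naming.provider.url">ldap://localhost:389</property>
  <property name="searchBase">dc=atlassian,dc=com</property>
  <property name="uidSearchName">cn</property>
  <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
  <property name="java.naming.security.credentials">secret</property>
</provider>
<provider class="bucket.user.providers.CachingCredentialsProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
"""

# Constructed sample of the same fragment after review: TLS on 636, a site-specific
# base DN (hypothetical dc=example,dc=org), bind block left commented out.
HARDENED_FRAGMENT = """
<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
  <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
  <property name="java.naming.provider.url">ldaps://ldap.example.org:636</property>
  <property name="searchBase">dc=example,dc=org</property>
  <property name="uidSearchName">uid</property>
  <!--
  <property name="java.naming.security.principal">cn=Manager,dc=example,dc=org</property>
  <property name="java.naming.security.credentials">secret</property>
  -->
</provider>
<provider class="bucket.user.providers.CachingCredentialsProvider">
  <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
  <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
"""


def parse_providers(fragment):
    """Return [(provider class, {property name: value}), ...] in document order.
    XML comments are dropped by the parser, so commented-out properties are absent."""
    root = ET.fromstring("<providers>%s</providers>" % fragment)
    providers = []
    for prov in root.findall("provider"):
        props = {p.get("name"): (p.text or "").strip() for p in prov.findall("property")}
        providers.append((prov.get("class"), props))
    return providers


def check_osuser_fragment(fragment):
    """Return a list of (severity, code, message) findings; [] means nothing to report."""
    providers = parse_providers(fragment)
    classes = [cls for cls, _ in providers]
    ldap_positions = [i for i, cls in enumerate(classes) if cls in LDAP_PROVIDER_CLASSES]
    if not ldap_positions:
        return [("error", "NO_LDAP_PROVIDER", "no LDAP credentials provider configured")]
    ldap_pos = ldap_positions[0]
    props = providers[ldap_pos][1]
    findings = []

    # The page lists the LDAP provider first. The first provider that knows a
    # username answers for it, so the reverse order would let the database
    # provider answer for every Confluence user and LDAP would never be asked.
    if DB_CREDENTIALS_CLASS in classes and classes.index(DB_CREDENTIALS_CLASS) < ldap_pos:
        findings.append(("error", "ORDER", "LDAP provider is listed after " + DB_CREDENTIALS_CLASS))

    url = props.get("java.naming.provider.url", "")
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps":
        findings.append(("warn", "CLEARTEXT_URL",
                         "provider URL %r is not ldaps://; simple binds send each user's password unencrypted" % url))
    if parts.hostname in ("localhost", "127.0.0.1"):
        findings.append(("warn", "PLACEHOLDER_VALUE", "java.naming.provider.url still points at localhost"))

    for name in ("searchBase", "uidSearchName"):
        if not props.get(name):
            findings.append(("error", "MISSING_PROPERTY", name + " is not set"))

    principal = props.get("java.naming.security.principal")
    credentials = props.get("java.naming.security.credentials")
    if principal and not credentials:
        findings.append(("error", "PRINCIPAL_WITHOUT_CREDENTIALS", "bind principal set but no credentials"))
    elif credentials:
        findings.append(("warn", "BIND_PASSWORD_IN_FILE",
                         "bind password is stored in cleartext in osuser.xml; restrict read access to the file"))
    else:
        findings.append(("info", "ANONYMOUS_LOOKUP", "no bind principal: the LDAP server must allow anonymous lookups"))

    for name, placeholder in PLACEHOLDERS.items():
        if props.get(name) == placeholder:
            findings.append(("warn", "PLACEHOLDER_VALUE", "%s is still the example value %r" % (name, placeholder)))
    return findings


if __name__ == "__main__":
    for label, fragment in (("weak", WEAK_FRAGMENT), ("hardened", HARDENED_FRAGMENT)):
        print("==", label)
        for severity, code, message in check_osuser_fragment(fragment):
            print("%-5s %-28s %s" % (severity, code, message))
```

Run it against your real osuser.xml by reading the provider elements out of the file and passing them to check_osuser_fragment; the ldaps:// check is the one worth acting on first, since with plain ldap:// every login sends the user's password across the network unencrypted.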


Credential (password) checking is a separate operation from user-profile lookup: the profile is loaded from the Confluence database, while the password is checked against LDAP. Furthermore, multiple credentials providers can be specified (here, LDAP and OSUser's Hibernate provider), and if one fails to find the user, the next is used. This allows non-LDAP users to log in with their Confluence password.
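
The behaviour described above, as an added example that is not OSUser or Confluence code: an in-memory model of the chain with a mock LDAP directory (searched under searchBase by uidSearchName, then bound as the located DN) standing in for the server at java.naming.provider.url, a dictionary standing in for the Hibernate credentials table, and a manager that, as the page states, only admits usernames that already have a Confluence account and lets the first provider that knows the username decide. The users alice, bob and carol, their passwords and the ou=people DNs are constructed sample data; the RFC 4515 filter escaping is good practice in the mock's search path and is not a claim about the real provider's implementation.

```python
"""Model of the LDAP-then-database credentials chain this page describes (added example)."""
import hmac


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter, so filter
    metacharacters in a username cannot change the meaning of the query."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


class MockLdapDirectory:
    """Constructed stand-in for the LDAP server: dn -> attributes."""

    def __init__(self, search_base, uid_attr, entries):
        self.search_base = search_base   # the page's searchBase property
        self.uid_attr = uid_attr         # the page's uidSearchName property
        self.entries = entries

    def search(self, filter_text):
        # Supports only the "(attr=value)" shape this example builds; the value
        # arrives escaped, so attributes are compared in escaped form too.
        attr, _, value = filter_text.strip("()").partition("=")
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(self.search_base) and escape_filter_value(attrs.get(attr, "")) == value]

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(entry["userPassword"], password)


class LdapCredentialsProvider:
    """Models the LDAP provider: locate the DN by uidSearchName, then bind as it."""

    def __init__(self, directory):
        self.directory = directory

    def _find_dn(self, username):
        matches = self.directory.search("(%s=%s)" % (self.directory.uid_attr, escape_filter_value(username)))
        return matches[0] if len(matches) == 1 else None

    def handles(self, username):
        return self._find_dn(username) is not None

    def authenticate(self, username, password):
        dn = self._find_dn(username)
        return dn is not None and self.directory.bind(dn, password)


class DatabaseCredentialsProvider:
    """Models the Hibernate provider: passwords stored in the Confluence database."""

    def __init__(self, table):
        self.table = table  # username -> password (a real store holds hashes)

    def handles(self, username):
        return username in self.table

    def authenticate(self, username, password):
        stored = self.table.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


class UserManager:
    """Chain rule from the page: the first provider that knows the user answers."""

    def __init__(self, accounts, providers):
        self.accounts = accounts      # Confluence accounts an administrator has created
        self.providers = providers    # in osuser.xml order: LDAP first, database second

    def authenticate(self, username, password):
        if username not in self.accounts:
            return "no-account"       # LDAP users still need a Confluence account
        for provider in self.providers:
            if provider.handles(username):
                return "ok" if provider.authenticate(username, password) else "bad-password"
        return "no-provider"


# Constructed sample data: alice is in both systems, bob only in Confluence,
# carol only in LDAP (no Confluence account yet).
DIRECTORY = MockLdapDirectory("dc=atlassian,dc=com", "cn", {
    "cn=alice,ou=people,dc=atlassian,dc=com": {"cn": "alice", "userPassword": "ldap-pw-alice"},
    "cn=carol,ou=people,dc=atlassian,dc=com": {"cn": "carol", "userPassword": "ldap-pw-carol"},
})
CONFLUENCE_PASSWORDS = {"alice": "old-confluence-pw", "bob": "bob-local-pw"}
CONFLUENCE_ACCOUNTS = {"alice", "bob"}


def make_manager():
    return UserManager(CONFLUENCE_ACCOUNTS,
                       [LdapCredentialsProvider(DIRECTORY), DatabaseCredentialsProvider(CONFLUENCE_PASSWORDS)])


if __name__ == "__main__":
    manager = make_manager()
    for user, pw in (("alice", "ldap-pw-alice"), ("alice", "old-confluence-pw"),
                     ("bob", "bob-local-pw"), ("carol", "ldap-pw-carol")):
        print(user, pw, "->", manager.authenticate(user, pw))
```

The alice case is the one to notice: her old Confluence password is never consulted once LDAP knows her username, which is exactly why the page says the password in the Confluence account is ignored, and why an account whose username is later created in LDAP silently switches to the LDAP password.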

RELATED TOPICS
Activating External User Management
Add LDAP Integration For User Authentication Only
Changes in osuser.xml from 1.0.3a to 1.1.x
Confluence Caching OSUser Provider
Importing LDAP Users

Document generated by Confluence on Mar 22, 2007 20:55