Crowd provides built-in connectors for the most popular LDAP directory servers, including Microsoft Active Directory, Sun DSEE, OpenLDAP, Apache DS, and others.
On this page:
Summary of Configuration Steps
To configure an LDAP directory connector,
- Log in to the Crowd Administration Console.
- Click the 'Directories' link in the top navigation bar.
- The Directory Browser will appear. Click the 'Add Directory' link.
- The 'Select Directory Type' screen will appear. Click the 'Connector' button.
- The 'Details' tab will appear. See screenshot 1 below. Enter the 'Name' and 'Description' (see table of fields below).
- We recommend that you leave 'Cache Enabled' at its default setting (enabled). For more information, see Configuring Caching for an LDAP Directory.
- Click the 'Connector' tab. See screenshot 2 below.
- Select the relevant connector type and fill in the basic connection information for your directory server. For details, see:
- Click the 'Test Connection' button to verify that Crowd can successfully connect to the directory.
- Click the 'Configuration' tab. See the configuration screenshots below.
- Fill in the configuration details for your groups and users, as described in the tables below the configuration screenshots. Also please see LDAP Object Structures below.
- Click the 'Test Search' button to verify that Crowd can successfully locate groups and users within the directory.
- Click the 'Permissions' tab to configure the directory's permissions.
Configuring Directory Details
Screenshot 1: Directory details
Attribute |
Description |
---|---|
Name |
The name used to identify the directory within Crowd. This is useful when there are multiple directories configured, e.g. 'Chicago Employees' or 'Web Customers'. |
Description |
Details about this specific directory. |
Cache Enabled |
We recommend that you turn on LDAP caching. For more information, see Configuring Caching for an LDAP Directory. |
Active |
Only deselect this if you wish to prevent all users within the directory from accessing all mapped applications. If a directory is not marked as 'Active', it is inactive. Inactive directories:
|
Configuring Connector Details
Screenshot 2: Connector details
Attribute |
Description |
---|---|
Connector |
The directory connector to use when communicating with the directory server. |
URL |
The connection URL to use when connecting to the directory server. The URL for Microsoft Active Directory should be in the following format: |
Secure SSL |
Specifies whether the connection to the directory server is an SSL connection. Please ensure that you have followed the instructions to configure an SSL Certificate before enabling this setting. |
Use Node Referrals |
Use the JNDI lookup java.naming.referral option. Generally needed for Active Directory servers configured without proper DNS, to prevent a 'javax.naming.PartialResultException: Unprocessed Continuation Reference(s)' error. |
Use Nested Groups |
Enable or disable support for nested groups on the LDAP user directory. |
Use the User Membership Attribute |
Put a tick in the checkbox if your Active Directory supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.)
|
Use 'memberOf' for Group Membership |
Put a tick in the checkbox if your Active Directory supports the 'memberOf' attribute on the user.
|
Use Paged Results |
Use the LDAP control extension for simple paging of search results. Retrieves chunks of data rather than all of the search results at once. This feature may be necessary when using Microsoft Active Directory if more than 999 results are returned for any given search. |
Paged Results Size |
Enter the desired page size i.e. the maximum number of search results to be returned per page, when paged results are enabled. Defaults to 999 results. |
Use Naive DN Matching |
This setting determines how Crowd will compare DNs to determine if they are equal. See Using Naive DN Matching.
|
Enable Incremental Sync |
Crowd supports retrieving only changes made after last synchronisation when connecting to Active Directory.
|
Polling Interval |
Crowd will send a request to Active Directory every x minutes, where 'x' is the number specified here. Please read the full instructions: Configuring Caching for an LDAP Directory. |
Read Timeout |
The time, in seconds, to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. A value of 0 (zero) means there is no limit. |
Search Timeout |
The time, in seconds, to wait for a response from a search operation. A value of 0 (zero) means there is no limit. |
Connection Timeout |
The time, in seconds, to wait when opening new server connections. If not specified, the TCP network timeout will be used, which may be several minutes. |
Base DN |
Enter the root distinguished name to use when running queries versus the directory server. Examples: |
User DN |
Distinguished name of the user that Crowd will use when connecting to the directory server. For example: |
Password |
The password of the user specified above. |
Note: You can also configure site-wide LDAP connection pool settings. See Configuring the LDAP Connection Pool.
We have shown the settings for Active Directory. For details about the settings for your specific directory server, please see:
- Apache Directory Server (ApacheDS)
- Apple Open Directory
- Fedora Directory Server
- Generic LDAP Directories
- Microsoft Active Directory
- Novell eDirectory
- OpenDS
- OpenLDAP
- OpenLDAP Using Posix Schema
- Posix Schema for LDAP
- Sun Directory Server Enterprise Edition (DSEE)
Configuring LDAP Object and Attribute Settings
Once you have selected a connector you can modify various LDAP object and attribute settings of the specific LDAP server for users and groups as shown on the screenshots below. On first setup, Crowd will provide generic default settings based on the connector selected.
When configuring your LDAP connector, if you are using non-standard object types, you will need to adjust the default filter and object type configurations. If your connector is added successfully, but you are unable to see any data when browsing your LDAP directory, it is likely that your object and filters are configured incorrectly.
User Configuration
Screenshot 3: User configuration
Attribute |
Description |
---|---|
User DN |
This value is used in addition to the base DN (distinguished name) when searching and loading users. An example is |
User Object Class |
This is the name of the class used for the LDAP user object. An example is |
User Object Filter |
The filter to use when searching user objects. |
User Name Attribute |
The attribute field to use when loading the username. Examples are |
User Name RDN Attribute |
The RDN (relative distinguished name) to use when loading the username. An example is |
User First Name Attribute |
The attribute field to use when loading the user's first name. An example is |
User Last Name Attribute |
The attribute field to use when loading the user's last name. An example is |
User Display Name Attribute |
The attribute field to use when loading the user's full name. An example is |
User Email Attribute |
The attribute field to use when loading the user's email address. An example is |
User Group Attribute |
The attribute field to use when loading the user's groups. An example is |
User Password Attribute |
The attribute field to use when loading a user's password. An example is |
Group Configuration
Screenshot 4: Group configuration
Attribute |
Description |
---|---|
Group DN |
This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN. |
Group Object Class |
This is the name of the class used for the LDAP group object. Examples are |
Group Object Filter |
The filter to use when searching group objects. An example is |
Group Name Attribute |
The attribute field to use when loading the group's name. An example is |
Group Description Attribute |
The attribute field to use when loading the group's description. An example is |
Group Members Attribute |
The attribute field to use when loading the group's members. An example is |
Role Configuration
Screenshot 5: Role configuration
Attribute |
Description |
---|---|
Disable Roles |
When you create an LDAP directory connector, roles in Crowd will be disabled by default. To enable roles, remove the tick from the checkbox. You may need to click out of the checkbox (e.g. click the 'Update' button) to see the role configuration fields. Then click the 'Update' button again to apply the change. As previously announced, roles are now deprecated in Crowd. We have not changed the functionality of roles in Crowd 2.1, but we do recommend that you move away from the use of roles in your Crowd installation so that you will not be adversely affected by the planned redesign of role functionality. Roles are disabled by default when you create a new LDAP directory. We recommend that you leave roles disabled, unless you have existing data that includes roles.At present, the implementation of roles in Crowd is identical to the implementation of groups. This design does not provide much useful functionality, so we are planning to redesign the way Crowd supports roles. If you would like to help us to design better role-based access control, please add a comment to the improvement request CWD-931, letting us know how you would like to see it work. |
Role DN |
This value is used in addition to the base DN when searching and loading roles. An example is |
Role Object Class |
This is the name of the class used for the LDAP role object. An example is |
Role Object Filter |
The filter to use when searching role objects. An example is |
Role Name Attribute |
The attribute field to use when loading the role's name. An example is |
Role Description Attribute |
The attribute field to use when loading the role's description. An example is |
Role Members Attribute |
The attribute field to use when loading the role's members. An example is |
LDAP Object Structures
The Crowd LDAP connectors assume that all container objects (groups and roles) have the full DN to the associated member. Currently, the membership attributes on a User object are not used by Crowd; however, in the future these associations may be used to assist with performance when looking up memberships.
Supported Object Types
- groupOfUniqueNames
- inetorgperson
- posixGroup
- posixUser
![]() | Zimbra Mail Server User objects have been tested and are known to work with the |
![]() | Microsoft Active Directory The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the |
Supported Attributes
Crowd's LDAP connectors support the adding and updating of the following user attributes when integrating with an LDAP server via an LDAP directory connector:
- surname
- given name
- password
If you need support for additional LDAP attributes, the Crowd LDAP connector can be extended. With a license purchase, full source is available and the LDAP connectors can be modified to support any number of attributes.
Hint: An LDAP Browser
To help you identify your LDAP structure, you may find an LDAP browser useful. Take a look at our guide on using Apache Directory Studio.
Supported Directories
Crowd supports the following LDAP directories:
- Apache Directory Server (ApacheDS)
- Apple Open Directory
- Fedora Directory Server
- Generic LDAP Directories
- Microsoft Active Directory
- Novell eDirectory
- OpenDS
- OpenLDAP
- OpenLDAP Using Posix Schema
- Posix Schema for LDAP
- Sun Directory Server Enterprise Edition (DSEE)
Next Step
Specify the directory permissions, which allow you to restrict the way in which applications can use the directories. See Specifying Directory Permissions.
Once you have configured the directory's permissions, you have finished configuring your new directory. You can then map the directory to appropriate applications.
RELATED TOPICS
- Using the Directory Browser
- Adding a Directory
- Configuring an Internal Directory
- Configuring an LDAP Directory Connector
- Configuring a Remote Crowd Directory
- Configuring a Custom Directory Connector
- Configuring a Delegated Authentication Directory
- Configuring Caching for an LDAP Directory
- Using Naive DN Matching
- Specifying Directory Permissions
- Importing Users and Groups into a Directory
Using Apache Directory Studio for LDAP Configuration
Crowd Documentation
Attachments:














