This page last changed on Mar 05, 2007 by justen.stepka@atlassian.com.

LDAP Connectors

Crowd offers pre-built connectors for the most popular directory servers, such as Microsoft Active Directory, Apple OS X, and SunONE. These LDAP connectors enable administrators and developers to quickly integrate desktop logins with existing web applications.

The first step when setting up a connector is to select the connector type and fill in the basic connection information for the directory server:

Once a Connector has been selected, the LDAP object and attribute settings can be adjusted on the Configuration tab. Here the node and attributes used for the specific LDAP server may be modified; generic default settings are provided based on the Connector selected.

Attribute     Description
------------  -----------
Connector     The directory connector to use when communicating with the directory server.
URL           The connection URL to use when connecting to the directory server, for example ldap://localhost:389, or port 639 for SSL.
Secure SSL    Specifies whether the connection to the directory server is an SSL connection.
Base DN       The root distinguished name to use when running queries against the directory server, for example o=acmecorp,c=com.
User DN       Connect to the directory server using the supplied username.
Password      Connect to the directory server using the supplied password.

Active Directory

Active Directory Attribute    Example Value
----------------------------  -------------
Base DN                       cn=users,dc=ad,dc=acmecorp,dc=com
User DN                       administrator@ad.acmecorp.com

For Microsoft AD the base DN is of the format dc=domain1,dc=local. Replace domain1 and local with the values for your specific configuration. Microsoft Server provides a tool called ldp.exe, which is useful for discovering and configuring the LDAP structure of your server.

The URL for MS AD will be in the format ldap://domainname.

Apple OSX Open Directory

Apple OS X Open Directory     Example Value
----------------------------  -------------
Base DN                       dc=acmecorp,dc=com
User DN                       cn=Manager,dc=acmecorp,dc=com

SunONE

SunONE Directory              Example Value
----------------------------  -------------
Base DN                       dc=acmecorp,dc=com
User DN                       cn=Directory Manager

OpenLDAP

OpenLDAP Directory            Example Value
----------------------------  -------------
Base DN                       dc=example,dc=com
User DN                       cn=Manager,dc=example,dc=com

The OpenLDAP connector only works with version 2.3.X and higher. Previous versions do not support the paged-results control and will return the following error:

LDAP_UNAVAILABLE_CRITICAL_EXTENSION: Indicates that the LDAP server was unable to satisfy a request because one or more critical extensions were not available. Either the server does not support the control or the control is not appropriate for the operation type.
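Before pointing the OpenLDAP connector at a server, it is worth confirming that the directory advertises the Simple Paged Results control in its rootDSE; a server that does not list it will fail with the error above. The following is an added example, not code from the Crowd documentation: it parses the kind of output `ldapsearch -x -s base -b "" supportedControl` prints and looks for the control's OID (1.2.840.113556.1.4.319, defined in RFC 2696). The two rootDSE texts are constructed sample data, one for a server that supports paging and one for a server that does not.

```python
# Added example (not part of the Crowd documentation): check whether a directory
# server advertises the Simple Paged Results control before configuring the
# OpenLDAP connector. The rootDSE texts below are constructed sample output in
# the LDIF format that `ldapsearch -x -s base -b "" supportedControl` prints.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # Simple Paged Results, RFC 2696

# Constructed sample: a server that lists the paged-results control.
SAMPLE_ROOTDSE_PAGING = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.4203.1.10.1
"""

# Constructed sample: an older server that does not list it.
SAMPLE_ROOTDSE_NO_PAGING = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.1.10.1
"""


def parse_ldif_attribute(ldif_text, attribute):
    """Return every value of `attribute` in a single LDIF entry.

    LDIF folds long values onto continuation lines that begin with one
    space, so those are joined back first; comment lines start with '#'.
    Attribute names are matched case-insensitively, as LDAP requires.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    prefix = attribute.lower() + ":"
    values = []
    for line in unfolded:
        if line.lower().startswith(prefix):
            values.append(line[len(prefix):].strip())
    return values


def supports_paged_results(rootdse_ldif):
    """True when the rootDSE lists the Simple Paged Results control OID."""
    return PAGED_RESULTS_OID in parse_ldif_attribute(rootdse_ldif, "supportedControl")


if __name__ == "__main__":
    for label, text in (("paging", SAMPLE_ROOTDSE_PAGING),
                        ("no paging", SAMPLE_ROOTDSE_NO_PAGING)):
        print(label, "->", supports_paged_results(text))
```

Run the real `ldapsearch` against your server, save its output, and feed the text to `supports_paged_results`; a False result means the connector's paged searches will be rejected, regardless of how the object classes and filters are configured.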

Configuration Details

When configuring your LDAP server, if you are using non-standard object types you will need to adjust the default filter and object type configurations. Default values are configured for the integrated LDAP servers. If your connector is added successfully but you are unable to see any data when browsing your LDAP server, it is likely that your object classes and filters are configured incorrectly.

Group Configuration

Attribute                    Description
---------------------------  -----------
Group DN                     This value is used in addition to the base DN when searching and loading groups, an example is ou=Groups. If no value is supplied, the subtree search will start from the base DN.
Group Object Class           The LDAP group object class type to use when loading groups.
Group Object Filter          The filter to use when searching group objects.
Group Name Attribute         The attribute field to use when loading the group name.
Group Description Attribute  The attribute field to use when loading the group description.
Group Members Attribute      The attribute field to use when loading the group members.

Role Configuration

Attribute                    Description
---------------------------  -----------
Role DN                      This value is used in addition to the base DN when searching and loading roles, an example is ou=Roles. If no value is supplied, the subtree search will start from the base DN.
Role Object Class            The LDAP role object class type to use when loading roles.
Role Object Filter           The filter to use when searching role objects.
Role Name Attribute          The attribute field to use when loading the role name.
Role Description Attribute   The attribute field to use when loading the role description.
Role Members Attribute       The attribute field to use when loading the role members.

Principal Configuration

Attribute                    Description
---------------------------  -----------
User DN                      This value is used in addition to the base DN when searching and loading users, an example is ou=Users. If no value is supplied, the subtree search will start from the base DN.
User Object Class            The LDAP user object class type to use when loading principals.
User Object Filter           The filter to use when searching user objects.
User Name Attribute          The attribute field to use when loading the principal username.
User First Name Attribute    The attribute field to use when loading the principal first name.
User Last Name Attribute     The attribute field to use when loading the principal last name.
User Email Attribute         The attribute field to use when loading the principal email.
User Group Attribute         The attribute field to use when loading the principal's groups.
User Password Attribute      The attribute field to use when manipulating a principal password.
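The settings in the Group, Role and Principal tables combine into an LDAP search base and a search filter. The following is an added example, not Crowd's own code, showing how a search base is derived from the DN prefix plus the base DN, and how the object filter is combined with a match on the name attribute. The value being searched for comes from a login form, so it is escaped according to RFC 4515 before it is placed in the filter; otherwise characters such as `*`, `(` and `)` would change what the filter matches. The `PRINCIPAL_CONFIG` dictionary is a constructed stand-in for the connector configuration and the attribute names in it are assumptions.

```python
# Added example (not Crowd's own code): derive the search base and search
# filter from Principal Configuration values, escaping the user-supplied
# value so filter metacharacters cannot change the query's meaning.

# Constructed stand-in for the connector's Principal Configuration; the
# attribute names are assumptions, not values taken from Crowd.
PRINCIPAL_CONFIG = {
    "base_dn": "dc=acmecorp,dc=com",
    "user_dn": "ou=Users",          # prepended to the base DN when set
    "user_object_class": "inetOrgPerson",
    "user_object_filter": "(objectClass=inetOrgPerson)",
    "user_name_attribute": "uid",
}

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. Backslash is in the table, so escaping is single-pass.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_base(config):
    """Subtree search starts at '<User DN>,<Base DN>', or at the base DN
    alone when no User DN prefix is configured."""
    if config["user_dn"]:
        return f"{config['user_dn']},{config['base_dn']}"
    return config["base_dn"]


def user_search_filter(config, username):
    """AND the configured object filter with an equality match on the
    configured username attribute."""
    name_match = f"({config['user_name_attribute']}={escape_filter_value(username)})"
    return f"(&{config['user_object_filter']}{name_match})"


if __name__ == "__main__":
    print(search_base(PRINCIPAL_CONFIG))
    for name in ("jdoe", "j*", "a(b)c"):
        print(repr(name), "->", user_search_filter(PRINCIPAL_CONFIG, name))
```

The same construction applies to the group and role tables with their own DN prefix, object filter and name attribute; the escaping step is what keeps a value typed into a login form from widening or altering the search.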

LDAP Object Structures

Active Directory

The Active Directory LDAP connector assumes that all LDAP object types are of the default structure. Any changes to the default object structure of the User and Group objects will require a custom connector to be coded.

LDAP Connector Object Structures

The Crowd LDAP connectors assume that all container objects (groups and roles) have the full DN to the associated member. As of now the membership attributes on a Principal object are not used, however in the future these associations may be used to assist with performance when looking up memberships.
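Because membership is read from the container object rather than from the principal, resolving a user's groups means comparing the user's full DN against each value of the group's members attribute. The following is an added example, not Crowd's own code, of that lookup over constructed sample entries. DNs are normalised before comparison (whitespace around RDNs trimmed, attribute types and values lower-cased, escaped commas left intact) because the same DN can legitimately be written with different casing and spacing; the constructed posixGroup entry, whose memberUid values are bare usernames rather than DNs, shows that DN-based matching cannot resolve membership from a class that stores members that way. The `SAMPLE_GROUPS` entries and the default `uniqueMember` attribute name are assumptions for the example.

```python
# Added example (not Crowd's own code): resolve a principal's groups from
# the full member DNs stored on container objects, as this page describes.
# SAMPLE_GROUPS is constructed sample data, not entries from a real directory.

SAMPLE_GROUPS = [
    {
        "dn": "cn=developers,ou=Groups,dc=acmecorp,dc=com",
        "objectClass": ["top", "groupOfUniqueNames"],
        "uniqueMember": [
            "uid=jdoe,ou=Users,dc=acmecorp,dc=com",
            "uid=asmith,ou=Users,dc=acmecorp,dc=com",
        ],
    },
    {
        "dn": "cn=admins,ou=Groups,dc=acmecorp,dc=com",
        "objectClass": ["top", "groupOfUniqueNames"],
        # Same member as above, written with different casing and spacing.
        "uniqueMember": ["UID=asmith, OU=Users, DC=acmecorp, DC=com"],
    },
    {
        "dn": "cn=legacy,ou=Groups,dc=acmecorp,dc=com",
        "objectClass": ["top", "posixGroup"],
        # memberUid holds bare usernames, not DNs, so DN matching cannot see it.
        "memberUid": ["jdoe"],
    },
]


def normalize_dn(dn):
    """Canonicalise a DN for comparison.

    Splits on unescaped commas, trims whitespace around each RDN and
    lower-cases attribute types and values. Lower-casing values is right
    for caseIgnore attributes such as cn and uid; a full RFC 4517 DN match
    would consult the schema per attribute.
    """
    rdns = []
    current = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))

    parts = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def groups_for_principal(principal_dn, groups, members_attribute="uniqueMember"):
    """Return the DNs of every group whose members attribute lists the
    principal's DN (after normalisation), in the order the groups appear."""
    target = normalize_dn(principal_dn)
    matches = []
    for group in groups:
        members = group.get(members_attribute, [])
        if any(normalize_dn(member) == target for member in members):
            matches.append(group["dn"])
    return matches


if __name__ == "__main__":
    for user in ("uid=jdoe,ou=Users,dc=acmecorp,dc=com",
                 "uid=asmith,ou=Users,dc=acmecorp,dc=com"):
        print(user, "->", groups_for_principal(user, SAMPLE_GROUPS))
```

`members_attribute` corresponds to the Group Members Attribute setting; a directory that uses `member` (for example with the groupOfNames class) would pass that name instead.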

Supported Object Types:

  • groupOfUniqueNames
  • inetorgperson

Non-supported Object types:

The following object types are not supported because of the required gidNumber attribute. Crowd does not currently support the adding of unique

  • posixGroup
  • posixUser

Zimbra Mail Server LDAP Types

Principal objects have been tested and are known to work with the zimbraAccount LDAP object types.


Document generated by Confluence on Mar 08, 2007 18:50