This documentation relates to Crowd 2.4.
If you are using an earlier version, please view the previous versions of the Crowd documentation and select the relevant version.
Skip to end of metadata
Comment: Corrected links that should have been relative instead of absolute.
Go to start of metadata

This page provides configuration notes for Apple OS X Open Directory. This page is related to Configuring an LDAP Directory Connector.

Crowd supports read-only connections to Apple OS X Open Directory services.

Crowd's Apple Open Directory support is read-only

You cannot add or update user details or group details in a Crowd-connected Apple OS X Open Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.

Screenshot: Connector — Apple OS X Open Directory



Attribute

Description

Connector

The directory connector to use when communicating with the directory server.

URL

The connection URL to use when connecting to the directory server, e.g. ldap://localhost:389, or port 639 for SSL.

Secure SSL

Specifies whether the connection to the directory server is an SSL connection.

Use Node Referrals

Specifies whether to use the JNDI lookup java.naming.referral option.

Use the User Membership Attribute

Put a tick in the checkbox if your directory supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.) For instructions on enabling this feature in your directory, please refer to the OpenLDAP documentation.

  • If this checkbox is ticked, Crowd will use the group membership attribute on the user when retrieving the members of a given group. This will result in a more efficient retrieval.
  • If this checkbox is not ticked, Crowd will use the members attribute on the group ('member' by default) for the search.

Use Paged Results

Specifies whether to use the LDAP control extension for simple paged results option. Retrieves chunks of data rather than all of the results at once.

Use Naive DN Matching

This setting determines how Crowd will compare DNs to determine if they are equal. See Using Naive DN Matching.

  • If this checkbox is ticked, Crowd will do a direct, case-insensitive, string comparison. This is the default and recommended setting for Apple Open Directory. Using relaxed DN standardisation will result in a significant performance improvement.
  • If this checkbox is not ticked, Crowd will parse the DN and then check the parsed version.

Polling Interval

Crowd will send a request to LDAP every x minutes, where 'x' is the number specified here. Please read the full instructions: Configuring Caching for an LDAP Directory.

Read Timeout

Time in seconds to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. A value of 0 (zero) means there is no limit.

Search Timeout

Time in seconds to wait for a response from a search operation. A value of 0 (zero) means there is no limit.

Connection Timeout

Timeout in seconds when opening new server connections. If not specified, the TCP network timeout will be used, which may be several minutes.

Base DN

The root distinguished name to use when running queries against the directory server, e.g. o=acmecorp,c=com.

User DN

The distinguished name of the user that Crowd will use when connecting to the directory server.

Password

The password of the user specified above.

Note: You can also configure site-wide LDAP connection pool settings. See Configuring the LDAP Connection Pool.

Group Relationships

Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.

The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Apple Open Directory.

Next Step

Go back to Configuring an LDAP Directory Connector.

RELATED TOPICS

Using Apache Directory Studio for LDAP Configuration
Crowd Documentation

3 Comments

Hide/Show Comments

  1. Jun 16, 2011

    Jonathan Hansen

    I got stuck on this for about two hours... figured I'd add it here.

    The connector will require a specific formatting for the user DN that is non-standard, use:

    uid=<username>,cn=users,dc=<domain>,dc=<com>

    1. Jun 17, 2011

      Sarah Maddox [Atlassian Technical Writer]

      Thank you Jonathan!

  2. Feb 03, 2012

    Brian Topping

    I'm surprised and disappointed that this page does not have suggested entries for all the values of every field.  Apple OpenDirectory is a pretty rigid setup, there's no reason not to suggest what the values should be instead of just describing in cut-and-paste fashion what they are for any directory.

    To be specific: I know LDAP very well so I didn't have to come here to configure Crowd against OD.  On the other hand, I don't know OD super well yet and was hoping to find information on how to configure the user that Crowd binds to so it has minimum exposure.  

    Sadly, the best I could seem to do was create a user with full administration privileges on all users and no login permissions.  It's important because Crowd stores the User DN and password for that user unencrypted in the database, it's a security hole that anyone with access to the database could exploit against any service that relies on OD!