This document applies only to Confluence 2.1. For Confluence 2.2 and later, please read Add LDAP Integration. Many improvements have been made in Confluence 2.2 to resolve the common issues people were facing with LDAP integration in 2.1. If you are still running Confluence 2.1 and would like to enable LDAP integration, we strongly recommend that you upgrade to Confluence 2.2 before doing so.
Introduction
Confluence LDAP integration lets you delegate user and group management and authentication to your favourite LDAP server. LDAP v2 and v3 servers are supported via Java's JNDI-LDAP mapping (this includes OpenLDAP, Microsoft Active Directory, Novell eDirectory and many more).
Known LDAP Integration Issues
Currently, Confluence LDAP integration only works if your LDAP or Active Directory server supports static groups. This means that your LDAP groups store their membership information like this:

dn: CN=Sales and Marketing,CN=Users,DC=ad,DC=atlassian,DC=com
objectClass: top
objectClass: group
cn: Sales and Marketing
distinguishedName: CN=Sales and Marketing,CN=Users,DC=ad,DC=atlassian,DC=com
name: Sales and Marketing
...
member: CN=John Smith,CN=Users,DC=ad,DC=atlassian,DC=com
member: CN=Sally Smith,CN=Users,DC=ad,DC=atlassian,DC=com
...

The membership attribute in this case is member, but this can vary for your installation. The important thing is that the full DNs of your users are stored against some membership attribute inside your LDAP groups. In the example above, notice that the full DNs of John and Sally Smith are listed, not just their usernames. Dynamic groups (whose membership is computed from a search URL) and groups that list only a user ID rather than a DN, such as a posixGroup with memberUid, will not work.
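To check an existing directory export against this requirement before you configure Confluence, here is an added example (not part of the original page and not Atlassian code). It parses an LDIF export such as the output of ldapsearch -LLL, treats entries whose objectClass is group, groupOfNames, groupOfUniqueNames, posixGroup or groupOfURLs as groups, and reports which of them list full member DNs. The LDIF inside the script is constructed for the demonstration; run it against your own export by replacing SAMPLE_LDIF.

```python
"""Check an LDIF export for the static groups that Confluence 2.1 requires.

Added example (not Atlassian code): Confluence can only expand groups whose
membership attribute lists the full DN of each user. This parses an LDIF
export (for example the output of "ldapsearch -LLL") and reports which groups
qualify and which do not. The LDIF below is constructed for the demo.
"""
import base64
import re
from typing import Dict, List

# objectClass values that mark an entry as a group
GROUP_CLASSES = {"group", "groupofnames", "groupofuniquenames", "posixgroup", "groupofurls"}

# one RDN: attribute=value
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.-]*\s*=\s*\S")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries; attribute names are lower-cased."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def looks_like_dn(value: str) -> bool:
    """True if value is a DN such as cn=Smith\\, John,ou=people,dc=example,dc=com."""
    rdns = re.split(r"(?<!\\),", value)             # split on unescaped commas only
    return len(rdns) >= 2 and all(_RDN.match(r) for r in rdns)


def check_static_groups(ldif_text: str, membership_attribute: str = "member") -> Dict[str, list]:
    """Classify every group in the export as static (usable by Confluence) or a problem."""
    entries = parse_ldif(ldif_text)
    known_dns = {e["dn"][0].lower() for e in entries if "dn" in e}
    report: Dict[str, list] = {"static": [], "problems": [], "unresolved": []}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & GROUP_CLASSES or "dn" not in entry:
            continue
        dn = entry["dn"][0]
        if "memberurl" in entry:
            report["problems"].append((dn, "dynamic group (memberURL): membership is a search, not a list of DNs"))
            continue
        members = entry.get(membership_attribute.lower(), [])
        if not members:
            others = sorted(a for a in entry if a in ("memberuid", "uniquemember", "member"))
            report["problems"].append((dn, f"no {membership_attribute} values (has {others or 'no membership attribute'})"))
            continue
        not_dns = [m for m in members if not looks_like_dn(m)]
        if not_dns:
            report["problems"].append((dn, f"member values are not DNs: {not_dns}"))
            continue
        report["static"].append(dn)
        # members whose entries are outside this export: fine for Confluence, but worth a look
        report["unresolved"].extend(m for m in members if m.lower() not in known_dns)
    return report


# Constructed sample: one AD-style static group, its two users, a posixGroup
# (memberUid holds user IDs, not DNs) and a dynamic group (memberURL).
SAMPLE_LDIF = """\
dn: CN=Sales and Marketing,CN=Users,DC=ad,DC=atlassian,DC=com
objectClass: top
objectClass: group
cn: Sales and Marketing
member: CN=John Smith,CN=Users,DC=ad,DC=atlassian,DC=com
member: CN=Sally Smith,CN=Users,DC=ad,DC=atlassian,DC=com

dn: CN=John Smith,CN=Users,DC=ad,DC=atlassian,DC=com
objectClass: user
cn: John Smith
sAMAccountName: jsmith

dn: CN=Sally Smith,CN=Users,DC=ad,DC=atlassian,DC=com
objectClass: user
cn: Sally Smith
sAMAccountName: ssmith

dn: cn=developers,ou=groups,dc=atlassian,dc=private
objectClass: posixGroup
cn: developers
memberUid: jsmith

dn: cn=everyone,ou=groups,dc=atlassian,dc=private
objectClass: groupOfURLs
cn: everyone
memberURL: ldap:///ou=people,dc=atlassian,dc=private??sub?(objectClass=inetOrgPerson)
"""

if __name__ == "__main__":
    result = check_static_groups(SAMPLE_LDIF)
    for dn in result["static"]:
        print("OK      ", dn)
    for dn, why in result["problems"]:
        print("PROBLEM ", dn, "-", why)
```

If your groups use uniqueMember (groupOfUniqueNames) pass membership_attribute="uniquemember"; the value you pass here is the one that goes into membershipAttribute in the schema mappings later on this page.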
Installation instructions
As of version 2.1, Confluence uses a component called Atlassian-User for LDAP integration.
One of the main improvements of Atlassian-User LDAP integration over the old style OSUser integration (configured via osuser.xml) is that administrators no longer have to manually create a corresponding Confluence user account for each external LDAP user wanting access to Confluence.
Atlassian-User-LDAP-Integration is configured directly in an XML file called atlassianUserContext.xml. This document will outline how to configure this XML file and migrate your existing users so that you can take advantage of this new integration.
This document applies to new and old installations, except if you have Confluence delegating user management to JIRA. In this case, please use this doc.

It is not compulsory to upgrade to Atlassian-User LDAP integration. However, to continue using OSUser LDAP integration in Confluence 2.1 or later, you must enable backwards compatibility.
Migration to new User Management Component
The new Atlassian-User LDAP integration depends on a new user management component. To take advantage of this new integration you therefore need to migrate your current users (even if there is only one user, as in the case of a new install). The following steps will guide you through this:
- Make a backup of your:
- database
- Confluence home directory
- confluence/WEB-INF/classes/atlassianUserContext.xml (only if you have made changes)

This is critical to allow you the option to rollback should the migration not succeed.
- Download hibernate_osuser_atlassianUserContext.xml, rename it to atlassianUserContext.xml and copy it to your confluence/WEB-INF/classes directory (you can overwrite the one that's there)
- Now uncomment the osuserMigrationBean in confluence/WEB-INF/classes/upgradeSubsystemContext.xml:

<!-- To be used. optionally, to transfer ouser data to another repository. See osuser2atluser.jsp -->
<bean id="osuserMigrationBean" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
    <property name="transactionManager">
        <ref bean="transactionManager"/>
    </property>
    <property name="target">
        <ref local="osuserMigrationBeanTarget"/>
    </property>
    <property name="transactionAttributes">
        <props>
            <prop key="*">PROPAGATION_REQUIRED</prop>
        </props>
    </property>
    <property name="proxyInterfaces">
        <value>com.atlassian.user.util.migration.EntityMigrator</value>
    </property>
</bean>
<bean id="osuserMigrationBeanTarget" class="com.atlassian.user.util.migration.OSUEntityMigrator">
    <constructor-arg index="0">
        <ref bean="hibernateUserManager" />
    </constructor-arg>
    <constructor-arg index="1">
        <ref bean="hibernateGroupManager" />
    </constructor-arg>
    <constructor-arg index="2">
        <ref bean="hibernatePropertySetFactory" />
    </constructor-arg>
    <constructor-arg index="3">
        <ref bean="profileProvider" />
    </constructor-arg>
    <constructor-arg index="4">
        <ref bean="accessProvider" />
    </constructor-arg>
</bean>

Notice how the <!-- before the <bean id="osuserMigrationBean"... and the --> after the </bean> have been removed.
- Restart Confluence, log in as an Administrator and point a browser to http://host.com/contextpath/admin/osuser2atluser.jsp (where http://host.com/contextpath is your base URL. If you don't know what it is, please see Administration > General Configuration > Base Url)
- Click the link Begin migration
- You will know the migration has been successful if you see this reported:
Migrating users ...
Users migrated successfully!
Migrating propertyset data ...
Propertyset data migrated successfully!
Migrating groups ...
Groups migrated successfully!
If you encounter errors, please create a support ticket at http://support.atlassian.com and attach your application server logs.
- Stop Confluence and comment the osuserMigrationBean out again in confluence/WEB-INF/classes/upgradeSubsystemContext.xml, so that the migration bean is not left active. That is:

<!-- To be used. optionally, to transfer ouser data to another repository. See osuser2atluser.jsp -->
<!--<bean id="osuserMigrationBean" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
    <property name="transactionManager">
        <ref bean="transactionManager"/>
    </property>
    <property name="target">
        <ref local="osuserMigrationBeanTarget"/>
    </property>
    <property name="transactionAttributes">
        <props>
            <prop key="*">PROPAGATION_REQUIRED</prop>
        </props>
    </property>
    <property name="proxyInterfaces">
        <value>com.atlassian.user.util.migration.EntityMigrator</value>
    </property>
</bean>
<bean id="osuserMigrationBeanTarget" class="com.atlassian.user.util.migration.OSUEntityMigrator">
    <constructor-arg index="0">
        <ref bean="hibernateUserManager" />
    </constructor-arg>
    <constructor-arg index="1">
        <ref bean="hibernateGroupManager" />
    </constructor-arg>
    <constructor-arg index="2">
        <ref bean="hibernatePropertySetFactory" />
    </constructor-arg>
    <constructor-arg index="3">
        <ref bean="profileProvider" />
    </constructor-arg>
    <constructor-arg index="4">
        <ref bean="accessProvider" />
    </constructor-arg>
</bean>-->

- Start up Confluence. You should be able to log in using the admin account you first set up when running through the Confluence Setup Wizard.
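The uncomment, migrate, comment-out-again sequence above is easy to leave half done, with the migration bean still active in upgradeSubsystemContext.xml. The following script, added here as an example and not Atlassian code, performs the two edits and refuses to write a file that is no longer well-formed XML. It assumes the two beans are wrapped in a single XML comment exactly as shown above; SAMPLE_CONTEXT is a constructed, abbreviated copy of that fragment and the .bak naming is the script's own convention.

```python
"""Toggle the osuserMigrationBean in upgradeSubsystemContext.xml.

Added example, not Atlassian code. The migration beans only need to be live
while /admin/osuser2atluser.jsp is being used, so this removes the XML
comment around them for the migration and puts it back afterwards, checking
that the file is still well-formed XML each time. The sample is an
abbreviated, constructed version of the fragment shown on this page.
"""
import re
import shutil
import sys
import xml.etree.ElementTree as ET

# upgradeSubsystemContext.xml wraps both of these beans in one XML comment.
FIRST_BEAN, LAST_BEAN = "osuserMigrationBean", "osuserMigrationBeanTarget"

_COMMENT = re.compile(r"<!--(.*?)-->", re.S)


def _strip_comments(xml_text: str) -> str:
    return _COMMENT.sub("", xml_text)


def is_enabled(xml_text: str, bean_id: str) -> bool:
    """True if the bean definition sits outside every XML comment."""
    return f'<bean id="{bean_id}"' in _strip_comments(xml_text)


def is_well_formed(xml_text: str) -> bool:
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def enable_beans(xml_text: str, bean_id: str = FIRST_BEAN) -> str:
    """Remove the comment markers around the block that contains bean_id."""
    if is_enabled(xml_text, bean_id):
        return xml_text
    for match in _COMMENT.finditer(xml_text):
        if f'<bean id="{bean_id}"' in match.group(1):
            return xml_text[:match.start()] + match.group(1) + xml_text[match.end():]
    raise ValueError(f"no commented-out bean {bean_id!r} found")


def disable_beans(xml_text: str, first: str = FIRST_BEAN, last: str = LAST_BEAN) -> str:
    """Comment the beans out again, from <bean id=first ...> to the </bean> closing last."""
    if not is_enabled(xml_text, first):
        return xml_text
    start = xml_text.index(f'<bean id="{first}"')
    last_open = xml_text.index(f'<bean id="{last}"', start)
    end = xml_text.index("</bean>", last_open) + len("</bean>")
    return xml_text[:start] + "<!--" + xml_text[start:end] + "-->" + xml_text[end:]


def toggle_file(path: str, action: str) -> None:
    """Rewrite path in place (keeping a .bak copy), refusing to write malformed XML."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = enable_beans(original) if action == "enable" else disable_beans(original)
    if not is_well_formed(updated):
        raise SystemExit("refusing to write: result is not well-formed XML")
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)


# Constructed, abbreviated stand-in for confluence/WEB-INF/classes/upgradeSubsystemContext.xml
SAMPLE_CONTEXT = """<beans>
  <!-- To be used. optionally, to transfer ouser data to another repository. See osuser2atluser.jsp -->
  <!--<bean id="osuserMigrationBean" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
    <property name="target"><ref local="osuserMigrationBeanTarget"/></property>
  </bean>
  <bean id="osuserMigrationBeanTarget" class="com.atlassian.user.util.migration.OSUEntityMigrator">
    <constructor-arg index="0"><ref bean="hibernateUserManager"/></constructor-arg>
  </bean>-->
</beans>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[2] in ("enable", "disable"):
        toggle_file(sys.argv[1], sys.argv[2])   # e.g. upgradeSubsystemContext.xml enable
    else:
        live = enable_beans(SAMPLE_CONTEXT)
        print("enabled:", is_enabled(live, FIRST_BEAN), "well-formed:", is_well_formed(live))
        print("disabled again:", not is_enabled(disable_beans(live), FIRST_BEAN))
```

Run it with the path to upgradeSubsystemContext.xml and enable before the migration, then with disable after the success message; with no arguments it exercises the constructed sample.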
Download and install sample atlassianUserContext.xml
Download ldap_hibernate_cache_atlassianUserContext.xml and rename to atlassianUserContext.xml and copy it to your confluence/WEB-INF/classes directory.
This file is different from the one downloaded for the migration step above. It contains LDAP settings we've configured for you in advance to make things easier.
Editing atlassianUserContext.xml
Now open the atlassianUserContext.xml file in an editor and search for ldapRepository.
...
<!-- LDAP Configuration -->
<bean id="ldapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository" singleton="true" >
...
Configuring the connection between your LDAP system and Confluence
An example connection, in atlassianUserContext.xml, between Confluence and an LDAP system:

<property name="connectionProperties">
    <props>
        <prop key="host">acme.server.com</prop>
        <prop key="port">389</prop>
        <prop key="securityPrincipal">cn=admin,dc=atlassian,dc=private</prop>
        <prop key="securityCredential">secret</prop>
        <prop key="securityProtocol">plain</prop>
        <prop key="securityAuthentication">simple</prop>
        <prop key="baseContext">dc=atlassian,dc=private</prop>
        <prop key="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</prop>
        <prop key="batchSize">100</prop>
    </props>
</property>

Two things to check before you copy this example. First, securityAuthentication set to simple together with securityProtocol set to plain is a cleartext bind: the password in securityCredential crosses the network unencrypted on every connection to port 389. If your directory server offers LDAP over SSL, use port 636 and the securityProtocol value ssl (the connection pool configuration below already lists ssl among the pooled protocols). Second, the account named in securityPrincipal only needs to read the user and group subtrees, so bind with a dedicated read-only service account rather than a directory administrator, and because its password is stored in cleartext in atlassianUserContext.xml, restrict that file so that only the account running Confluence can read it.
If you are unsure of what to specify or how to determine these values and:
a) you are using Active Directory please see this document.
b) otherwise, please see this document.
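Before copying the fragment above into production it is worth checking what it exposes. The script below, an added example rather than Atlassian code, parses a connectionProperties fragment and flags cleartext simple binds, anonymous or empty-password binds, an ssl/port mismatch and a bind DN that looks administrative (a heuristic on the first RDN only). WEAK_CONNECTION is the page's example as-is; HARDENED_CONNECTION is a constructed variant and its service-account DN cn=confluence-bind,ou=service accounts,dc=atlassian,dc=private is hypothetical. It does not check file permissions on atlassianUserContext.xml, which you still have to do by hand.

```python
"""Audit the connectionProperties block of atlassianUserContext.xml.

Added example, not Atlassian code. It parses the <property name="connectionProperties">
fragment from this page and flags settings that expose the bind credential:
cleartext simple binds, anonymous binds and a bind DN that looks like a
directory administrator. HARDENED_CONNECTION is a constructed variant of the
page's example; cn=confluence-bind,ou=service accounts,... is a hypothetical
service account, not something this page or Atlassian defines.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# RDN values that usually belong to an administrative account; heuristic only.
ADMIN_RDNS = {"admin", "administrator", "root", "manager", "directory manager"}


def parse_connection_properties(fragment: str) -> Dict[str, str]:
    """Return {key: value} for every <prop key="..."> in the fragment."""
    root = ET.fromstring(fragment)
    return {p.get("key", ""): (p.text or "").strip() for p in root.iter("prop")}


def audit_connection_properties(fragment: str) -> List[str]:
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    props = parse_connection_properties(fragment)
    findings: List[str] = []
    protocol = props.get("securityProtocol", "plain").lower()   # JNDI default is plain
    auth = props.get("securityAuthentication", "simple").lower()
    port = props.get("port", "389")

    if auth == "none":
        findings.append("securityAuthentication=none: anonymous bind, the directory decides what Confluence may read")
    if auth == "simple" and protocol != "ssl":
        findings.append(f"simple bind over {protocol}: securityCredential crosses the network in cleartext (port {port})")
    if protocol == "ssl" and port == "389":
        findings.append("securityProtocol=ssl but port 389: LDAPS normally listens on 636, check the server")
    if auth == "simple" and not props.get("securityCredential"):
        findings.append("simple bind with an empty securityCredential: servers treat this as an unauthenticated bind")
    principal = props.get("securityPrincipal", "")
    first_rdn_value = principal.split(",", 1)[0].partition("=")[2].strip().lower()
    if first_rdn_value in ADMIN_RDNS:
        findings.append(f"securityPrincipal {principal!r} looks administrative: bind with a read-only service account")
    return findings


# The page's example, unchanged.
WEAK_CONNECTION = """\
<property name="connectionProperties">
    <props>
        <prop key="host">acme.server.com</prop>
        <prop key="port">389</prop>
        <prop key="securityPrincipal">cn=admin,dc=atlassian,dc=private</prop>
        <prop key="securityCredential">secret</prop>
        <prop key="securityProtocol">plain</prop>
        <prop key="securityAuthentication">simple</prop>
        <prop key="baseContext">dc=atlassian,dc=private</prop>
        <prop key="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</prop>
        <prop key="batchSize">100</prop>
    </props>
</property>
"""

# Constructed hardened variant: LDAPS on 636 and a hypothetical read-only service account.
HARDENED_CONNECTION = """\
<property name="connectionProperties">
    <props>
        <prop key="host">acme.server.com</prop>
        <prop key="port">636</prop>
        <prop key="securityPrincipal">cn=confluence-bind,ou=service accounts,dc=atlassian,dc=private</prop>
        <prop key="securityCredential">a-long-random-password</prop>
        <prop key="securityProtocol">ssl</prop>
        <prop key="securityAuthentication">simple</prop>
        <prop key="baseContext">dc=atlassian,dc=private</prop>
        <prop key="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</prop>
        <prop key="batchSize">100</prop>
    </props>
</property>
"""

if __name__ == "__main__":
    for label, fragment in (("weak", WEAK_CONNECTION), ("hardened", HARDENED_CONNECTION)):
        print(label + ":")
        for finding in audit_connection_properties(fragment) or ["no findings"]:
            print("  -", finding)
```

To run it against a real atlassianUserContext.xml, extract the connectionProperties element (for example with ElementTree's find on the ldapRepository bean) and pass its serialised form to audit_connection_properties.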
Mapping your LDAP Data Information Tree to Confluence
An example configuration of mappings, in atlassianUserContext.xml, between Confluence and an LDAP system.
<property name="schemaMappingsProperties">
    <props>
        <prop key="baseUserNamespace">ou=people,dc=atlassian,dc=private</prop>
        <prop key="baseGroupNamespace">ou=groups,dc=atlassian,dc=private</prop>
        <prop key="usernameAttribute">cn</prop>
        <prop key="userSearchFilter">(objectClass=inetorgperson)</prop>
        <prop key="firstnameAttribute">givenname</prop>
        <prop key="surnameAttribute">sn</prop>
        <prop key="emailAttribute">mail</prop>
        <prop key="groupnameAttribute">cn</prop>
        <prop key="groupSearchFilter">(objectClass=groupOfNames)</prop>
        <prop key="membershipAttribute">member</prop>
        <prop key="userSearchAllDepths">true</prop>
        <prop key="groupSearchAllDepths">true</prop>
    </props>
</property>
For further details on these attributes, if you are using:
a) Active Directory, please see this document.
b) otherwise please see this document.
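The mappings above are turned into LDAP search filters at run time: usernameAttribute and userSearchFilter locate a user, groupSearchFilter and membershipAttribute locate the groups a user's DN appears in. The comment thread further down this page shows what happens when the substituted value is not escaped: a cn of Lastname\, Firstname produced the filter (sAMAccountName=Lastname\) and an "Unbalanced parenthesis" InvalidSearchFilterException. The script below, an added example and not atlassian-user's own filter code, rebuilds those filters with RFC 4515 escaping and keeps the naive concatenation beside it for comparison. SAMPLE_MAPPINGS mirrors the example above; the Active Directory variant using sAMAccountName is constructed.

```python
"""Build the LDAP search filters that the schema mappings imply, with RFC 4515
escaping of the values substituted into them.

Added example, not atlassian-user's own code: it reproduces the shape of the
filters the mappings describe so that the escaping rule can be tested offline.
The comments on this page show what goes wrong without it: a user whose cn is
"Lastname\\, Firstname" produced the filter (sAMAccountName=Lastname\\) and an
"Unbalanced parenthesis" exception. The same missing escaping is what makes
LDAP filter injection possible.
"""
from typing import Dict

# Mappings from the example on this page (attribute names as configured there).
SAMPLE_MAPPINGS: Dict[str, str] = {
    "usernameAttribute": "cn",
    "userSearchFilter": "(objectClass=inetorgperson)",
    "groupnameAttribute": "cn",
    "groupSearchFilter": "(objectClass=groupOfNames)",
    "membershipAttribute": "member",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515: encode backslash, *, (, ) and NUL as \\XX so a value cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_filter(mappings: Dict[str, str], username: str) -> str:
    """Filter that finds one user by the configured usernameAttribute (escaped)."""
    return "(&%s(%s=%s))" % (
        mappings["userSearchFilter"], mappings["usernameAttribute"], escape_filter_value(username))


def naive_user_filter(mappings: Dict[str, str], username: str) -> str:
    """The same filter built by plain concatenation: the bug the comments describe."""
    return "(&%s(%s=%s))" % (mappings["userSearchFilter"], mappings["usernameAttribute"], username)


def groups_for_user_filter(mappings: Dict[str, str], user_dn: str) -> str:
    """Filter that lists the static groups whose membership attribute holds user_dn."""
    return "(&%s(%s=%s))" % (
        mappings["groupSearchFilter"], mappings["membershipAttribute"], escape_filter_value(user_dn))


def is_balanced(ldap_filter: str) -> bool:
    """Parenthesis check that treats a backslash as escaping the next character,
    which is how the JNDI parser read the broken filter in the comments."""
    depth, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 2          # skip the escaped character
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


if __name__ == "__main__":
    # Constructed Active Directory variant of the mappings.
    ad = dict(SAMPLE_MAPPINGS, usernameAttribute="sAMAccountName")
    for name in ("jsmith", "Lastname\\", "*)(objectClass=*"):
        naive = naive_user_filter(ad, name)
        print("naive  :", naive, "(balanced)" if is_balanced(naive) else "(UNBALANCED)")
        print("escaped:", user_filter(ad, name))
    print(groups_for_user_filter(SAMPLE_MAPPINGS, "cn=Lastname\\, Firstname,ou=people,dc=atlassian,dc=private"))
```

Note the third sample username in the demo, *)(objectClass=*: the naive filter it produces is balanced and valid, it just matches every user, which is why escaping matters for more than the crash the comments describe. The DN in the membership lookup needs the same treatment, since the backslash that escapes the comma inside cn=Lastname\, Firstname must itself become \5c inside a filter.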
Configuring the LDAP Connection Pool
These are passed to the LDAP repository as JNDI connection pool properties. Adjust them as required, but we advise you to leave the timeout property at zero.

<constructor-arg>
    <props>
        <prop key="com.sun.jndi.ldap.connect.pool.maxsize">0</prop>
        <prop key="com.sun.jndi.ldap.connect.pool.initsize">10</prop>
        <prop key="com.sun.jndi.ldap.connect.pool.prefsize">10</prop>
        <!-- ldap connection pool debugging setting -->
        <!-- <prop key="com.sun.jndi.ldap.connect.pool.debug">fine</prop>-->
        <prop key="com.sun.jndi.ldap.connect.pool.protocol">plain ssl</prop>
        <prop key="com.sun.jndi.ldap.connect.pool.authentication">none simple DIGEST-MD5</prop>
        <!-- TTL for each conn. in milliseconds. An idle connection reaching this limit will be destroyed.-->
        <prop key="com.sun.jndi.ldap.connect.pool.timeout">0</prop>
    </props>
</constructor-arg>
It is important that the connection pool timeout value be set to 0, as this will force Atlassian User (via the JNDI layer) to clean up lingering connections that have lived past one request. More information about LDAP pools here
Granting users access to Confluence
We're almost finished. At this point, existing Confluence users that are not in LDAP should still be able to log in and use Confluence. Keep the local administrator's username distinct from any username in the directory: one of the comments below describes being unable to log in to the local admin account because the LDAP server also had an 'admin' account with a different password.
However, LDAP users must have the Confluence 'USE' permission granted to an LDAP group they belong to before they can access Confluence.
To enable a user in your LDAP system to access Confluence, you need to do one of the following:
- grant the Confluence 'USE' permission to an LDAP group the user currently belongs to. This is done in the Administration > Global Permissions page. Remember that everyone in that group gets access, so choose a group that contains only the people who should reach Confluence.
- Alternatively, create a new LDAP group (you must not name it 'confluence-users' or 'confluence-administrators') and repeat the above for this group. In future, you only need to grant an LDAP user account membership of this group for them to have access to Confluence.
Having problems with your LDAP configuration?
Please follow these guidelines for creating a new support issue:

Comments (33)
Dec 19, 2005
Eric Sorenson says:
I think this is a typo: <prop key="baseContext=dc=atlassian,dc">private</prop>
Shouldn't it be:
Dec 19, 2005
Nick Faiz says:
Hi Eric,
Thanks for pointing that out. I was midway through rewriting this doc when I was called away.
I should have changed its permission.
Cheers,
Nick
Jan 09, 2006
amin pirzadeh says:
ldapRepository is defined in userDelegationContext.xml in Version: 2.1.1
Feb 27, 2006
Randy Mysliwiec says:
Seems to work great except for now I must enter domain\username or username@domain.com in the username box.. I would like to be able to just use username. I tried setting <prop key="usernameAttribute">cn</prop> from CN to SAMACCOUNTNAME. Is there something else to do? I'm using an AD 2003.
Feb 28, 2006
David Loeng says:
Randy,
That should just work. If not, could you please submit a support ticket at http://support.atlassian.com with your atlassianUserContext.xml and we'll go from there. (please describe what is not working once you've switched to using sAMAccountname)
Cheers,
Dave
Mar 01, 2006
Andrew Miller says:
For the jar file, do I copy it in named as "atlassian-user-0.6.0c-patched.jar" or "atlassian-user-0.6.0c.jar"? I'm presuming the former (it seems to work that way) but wasn't completely sure.
Mar 01, 2006
David Loeng says:
You do not have to rename it. You only need to remove the old one (that is, atlassian-user-0.6.0c.jar)
Cheers,
Dave
Mar 06, 2006
Tolga Erdogan says:
Works OK so far, but some remarks:
1. LDAP connection required for login, even fo...
All in all, a good leap forward in the right direction!
Mar 13, 2006
Jean Marois says:
I also was unable to log in to the local confluence "admin" account when LDAP was configured. I eventually figured out that our LDAP server also had an "admin" account with, of course, a different password. To get around this I, after disabling LDAP, simply created a new confluence admin account with a name that did not exist on the LDAP server. Worked fine after that.
Mar 15, 2006
Steven Carmody says:
Can someone list the sequence of steps required to get ldap operational? Based on the comments above, here's what I tried..
I'm using apacheds as my ldap server; I'm also using a confluence "personal server" license (easier to do this while I'm testing).
Mar 13, 2006
Jean Marois says:
I also find the performance pretty poor when logged in as an LDAP user. The performance is fine when I access the site as an anonymous user or a local confluence user.
Mar 06, 2006
Andrew Miller says:
In your list of specific LDAP servers that work with Confluence, you might want to include Novell eDirectory (particularly big in educational environments as well as Fortune 500, etc.). I can vouch that Confluence does work fine with it.
Mar 10, 2006
Wolfram Richter says:
We've encountered a few issues with AD integration:
1) It should be noted somewhere in the documentation that the user->group assignment has to be done on the LDAP server.
2) Nested groups are not supported.
3) While logging in, per group and per user permissions do work, the user listing of AD integrated groups does not.
Mar 10, 2006
Christian Barthelemy says:
We tried to integrate Confluence with our Active Directory system and passed all the steps described in this page.
I understand that the first step was to activate the external user management in the Administration Module.
How do we achieve Single Sign On to avoid that our user have to enter login/password?
Mar 10, 2006
Christian Barthelemy says:
After we set the External user management on, we achieved all the steps described in this page to connect to our Active Directory.
I understand that the allocation of the users to the groups is done in Active Directory, however I don't understand how we can allocate the permissions to the Active Directory groups in Confluence?
When I try to use the Manage Groups function I get a system error.
How can we get a Single Sign On? Our users should now be recognized through Active Directory and should not need to sign in.
Mar 14, 2006
Justin Waugh says:
I've been trying to get the eval set up to use my company's Active Directory, but so far have run into 2 problems.
1. The configuration does not allow for setting the value of javax.naming.referral. This is required to be set to "follow" for certain Active Directory configurations. I worked around this by decompiling the DefaultLDAPRepository class, adding it to the GetJNDIEnv() method, and injecting the recompiled class into the jar.
2. I guess I might have the same problem as the previous comment. When I click on Manage Groups I get a lot of errors in the console: 2006-03-14 15:57:28,136 ERROR [ldap.search.page.LDAPEntityPager] preload At index [0]: null followed by IndexOutOfBoundsExceptions.
Resolution of this issue will most likely be the deciding factor in my company purchasing this product.
Best Regards,
Justin Waugh
Mar 14, 2006
Justin Waugh says:
To follow up on my 2nd problem:
In our Active Directory the groups are not in one subtree. So lets pretend the root of our directory is dc=mycompany, dc=net.
We have groups in ou=SomeOU, dc=mycompany,dc=net and ou=SomeOtherOU, dc=mycompany,dc=net.
If I specify my baseGroupNamespace as dc=mycompany,dc=net I get the errors (even with groupSearchAllDepths=true).
If I specify my baseGroupNamespace as ou=SomeOU, dc=mycompany, dc=net I can see the groups (only in that OU of course) but clicking on the number next to the group name yields an empty list of users for that group.
Mar 14, 2006
Justin Waugh says:
The error I receive is 2006-03-14 16:07:27,792 ERROR [bucket.user.DefaultUserAccessor] getUser javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'dc=airclic,dc=net'
Mar 14, 2006
Justin Waugh says:
Ok last comment I swear :)
The problem is that the search filter when looking up the name is looking like "(sAMAccountName=myusername)" (minus the quotes). Obviously the backslash is causing the problem. I haven't tried to debug the code further to find out the root cause.
Mar 14, 2006
Justin Waugh says:
My backslash got escaped.... the string was (sAMAccountName=myusername\)
Mar 14, 2006
Justin Waugh says:
I should make use of the preview button. What I can't seem to express appropriately here is that there is a backslash immediately preceding the right parenthesis.
Mar 14, 2006
Justin Waugh says:
Ok, the problem has to do with the usernames. In our Active Directory the common name of most users is Lastname\, Firstname. So the dn for a user might be cn=Lastname\, Firstname,ou=SomeOU, dc=mycompany, dc=net.
When trying to browse the members of a group, the search filter is incorrectly specified using the cn value as the username in the search filter. So I might have a user with sAMAccountName=flastname and cn=Lastname\, Firstname. When it goes to look up the user it is using a search filter of (sAMAccountName=LastName\ ) instead of (sAMAccountName=flastname). I can only assume the same goes for viewing a user, as most of the users say "This user isnt in any groups", but only if their cn != sAMAccountName.
I apologize again for the excessive posting.
Mar 15, 2006
David Loeng says:
Justin,
We are planning to release a new point release very soon (2.1.5) which should alleviate some of these problems. If they persist in this new release, please submit them at http://support.atlassian.com and we'll happily field them there.
Cheers,
Dave
Mar 17, 2006
Andrew Miller says:
Just a warning that there's a major LDAP bug in 2.1.5 which I just filed a bug on (locked out all my users except administrators). So....just make sure to log in as a regular user as part of your 2.1.5 post-upgrade checking.
Mar 22, 2006
Mark Mayo says:
I hit this one too Andrew, because I had created confluence-users and confluence-administrators groups in LDAP according to the instructions here (that have since changed) when I did my initial 2.1.4 install. It seems that now you can't have LDAP groups by those names, so I granted Global and per-space USE permissions to another LDAP group we have, dropped both of the confluence-* groups from the LDAP tree, restarted Confluence and now both users and administrators can log in. Yay!
The LDAP integration is obviously still a moving target, so from now on I'm watching these pages for diffs to be sure I keep on top of things as the developers make changes!
Mar 22, 2006
Andrew Miller says:
Ah....that's rather interesting. I didn't come up with that solution....but fortunately Atlassian was able to supply me with an update jar which did solve all but some cosmetic aspects of the problem (I'm presuming it will be in the next release).
Mar 22, 2006
Mark Mayo says:
Note that Atlassian hasn't confirmed to me that what I'm seeing regarding the group names is in fact an issue, so YMMV. But doing the group name switch-a-roo did seem to fix my user-login system-error, although I'm currently unsure what state Confluence's MySQL tables (SPACEPERMISSIONS in particular) might be in, or for that matter if local Confluence accounts are actually used at all..
I was also supplied with an updated jar file but with it in place authentication fails completely (i.e. nobody can login).
Mar 23, 2006
Andrew Miller says:
Well, just to be on the safe side I renamed "confluence-administrators" to "Wiki-Administrators_grp" and "confluence-users" to "Wiki-Users_grp". So far things are running and hopefully this will futureproof me against future problems.
I'm very glad you mentioned this in the comments as I'd missed this change on the actual page (I have a "watch" on the page as well but can't actually find when it got revised....I even went back and compared the last 10 or so revisions).
I also browsed the MySQL db and found where Confluence stores its permissions....it's not too hard to figure out the format (especially if using phpmyadmin to do the browsing).
Mar 23, 2006
Mark Mayo says:
Yeah, I missed it too. The original instructions weren't on this page, because there used to be a separate page for new installs. That's why you can't see it in the revisions. I went back and hunted through the revisions as well to prove to myself that I wasn't imagining things.