
Anonymous authentication is configured in the confluence/WEB-INF/classes/atlassian-user.xml file.

Normally, if an LDAP server requires authentication before permitting a search, this snippet is required in the atlassian-user.xml file:

To enable anonymous authentication - replace these 4 lines with:

Notice that I have completely removed the statements for securityPrincipal and securityCredential. I have also changed the value of securityAuthentication from simple to none.
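
The following Python check is an added example, not code from the original page or from Atlassian. It reads the three elements named above and reports which bind mode is configured and whether a bind password is still present in the file. The <ldap> wrapper, the DN and the password in the samples are constructed, and the finding names are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Only the three element names and the values "simple" and
# "none" come from the page; the <ldap> wrapper, DN and password are made up.
AUTHENTICATED = """<ldap>
  <securityPrincipal>cn=svc-confluence,dc=example,dc=com</securityPrincipal>
  <securityCredential>not-a-real-password</securityCredential>
  <securityAuthentication>simple</securityAuthentication>
</ldap>"""
ANONYMOUS = "<ldap><securityAuthentication>none</securityAuthentication></ldap>"
# Half-finished edit: mode switched to none, old bind account left behind.
LEFTOVER = AUTHENTICATED.replace(">simple<", ">none<")


def _text(root, tag):
    """Return the stripped text of the first <tag> anywhere in the tree, or None."""
    node = next(root.iter(tag), None)
    return (node.text or "").strip() if node is not None else None


def audit_ldap_bind(xml_text):
    """Classify the bind mode and list findings, never echoing the password."""
    root = ET.fromstring(xml_text)
    mode = (_text(root, "securityAuthentication") or "").lower() or "unset"
    principal = _text(root, "securityPrincipal")
    credential = _text(root, "securityCredential")
    findings = []
    if mode == "simple":
        if not principal or not credential:
            findings.append("simple-bind-missing-principal-or-credential")
        if credential:
            findings.append("cleartext-credential-in-file")
    elif mode == "none":
        if principal:
            findings.append("unused-principal-left-in-file")
        if credential:
            findings.append("unused-cleartext-credential-left-in-file")
    else:
        findings.append("unexpected-securityAuthentication-value")
    return {"mode": mode, "findings": findings}


if __name__ == "__main__":
    for name in ("AUTHENTICATED", "ANONYMOUS", "LEFTOVER"):
        print(name, audit_ldap_bind(globals()[name]))
```

The LEFTOVER case is the one worth watching for: the server is already being queried anonymously, yet the old bind password remains readable in the file.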

  1. Nov 29, 2007

    Hi, so far I was able to sync Active Directory with Confluence, however I have a couple of questions regarding security.

    1. Is there any possibility to hide or encrypt the <securityCredential> field? Since we don't want the admin password let loose there.
    2. What about LDAP users' credentials, are the users' passwords stored by Confluence in a particular db or the system only checks the credentials against AD and never stores this info locally?

    Thanks

  2. Jan 10, 2008

    Hi There,

    Nothing much, I am just testing Confluence

  3. May 23, 2008

    I agree with Leandro. Is there any way to encrypt the securityCredential value? Or potentially store it in the Confluence database? I view both options (setting up anonymous authentication versus storing credentials in clear text) as really poor designs.

  4. Sep 23, 2010

    I totally agree with Leandro.

    This could be a deal breaker for us.

  5. Sep 30, 2010

    For everyone worried about having the password in plain text - you should be configuring NTFS security to make this file only readable by the account that runs the Tomcat Apache process (either a service account or user account). That will prevent anyone else reading the password from the file. This is the correct mechanism for securing this password.