OpenDirectory is an LDAP server (and more) bundled with Apple Mac OS X Server. It is built on OpenLDAP, but requires some tweaks to the default atlassian-user configuration in order to be usable.
LDAP Connection Pool
The default connection pool configuration performs an authenticated bind against the LDAP server and tries to connect using SSL. On OpenDirectory, anonymous binds are enabled and SSL is disabled by default, so the following lines are required (note that with the plain protocol, LDAP traffic, including user bind credentials, is sent unencrypted):
<securityAuthentication>none</securityAuthentication>
<securityProtocol>plain</securityProtocol>
User Mappings
The baseUserNamespace attribute should be set to your base context, prefixed with cn=users:
<baseUserNamespace>cn=users,dc=MYCOMPANY,dc=com</baseUserNamespace>
The username attribute is uid, as with OpenLDAP, but the userSearchFilter and firstnameAttribute differ:
<usernameAttribute>uid</usernameAttribute>
<userSearchFilter>(objectClass=inetOrgPerson)</userSearchFilter>
<firstnameAttribute>givenName</firstnameAttribute>
<surnameAttribute>sn</surnameAttribute>
<emailAttribute>mail</emailAttribute>
Group Mappings
The baseGroupNamespace attribute should be set to your base context, prefixed with cn=groups:
<baseGroupNamespace>cn=groups,dc=MYCOMPANY,dc=com</baseGroupNamespace>
Groups are identified by cn, and are of type posixGroup (not group):
<groupnameAttribute>cn</groupnameAttribute>
<groupSearchFilter>(objectClass=posixGroup)</groupSearchFilter>
OpenDirectory implements static groups, which allows group membership to work properly. However, the full user DN is not stored against the group record; only the uid is (in the memberUid attribute). Running ldapsearch on a group entry produces the following:
# COMPANY-staff, groups, MYCOMPANY.com
dn: cn=COMPANY-staff,cn=groups,dc=MYCOMPANY,dc=com
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject
objectClass: top
gidNumber: 1026
apple-generateduid: E1AF0A11-5068-4AB6-B6BF-5252AE40E2FB
apple-group-realname: COMPANY-staff
cn: COMPANY-staff
description: COMPANY Staff Members
apple-group-memberguid: A9373112-44C6-4C28-8D9F-7F42E9CA9D7B
apple-group-memberguid: 34D34DE3-51F1-4C96-B1D1-037D2DD5FE7D
apple-group-memberguid: A77A7157-4923-45C4-BE5E-9AD59EA88A1D
apple-group-memberguid: E70E5E6A-7243-485D-8620-250BF75B171C
memberUid: john
memberUid: jane
memberUid: fred
memberUid: mathew
As a result, an undocumented setting needs to be enabled in the configuration, which allows the unqualified uid (rather than the full DN) to be used for the membership comparison. (Thanks to Tom for pointing this out to me.) The following entries will allow group membership on OpenDirectory to work:
<membershipAttribute>memberUid</membershipAttribute>
<useUnqualifiedUsernameForMembershipComparison>true</useUnqualifiedUsernameForMembershipComparison>
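To see why the unqualified comparison matters, here is an added example (not code from the page or from atlassian-user itself) that parses the group entry shown above and checks a user DN against memberUid both ways; the parse_ldif_entry and is_member names are assumptions, and the membership logic only mimics the setting's effect.

```python
# Added example: why useUnqualifiedUsernameForMembershipComparison is needed
# for OpenDirectory posixGroup entries. Not the atlassian-user implementation.
from typing import Dict, List

# Trimmed copy of the ldapsearch output from the page (values taken from it).
GROUP_LDIF = """dn: cn=COMPANY-staff,cn=groups,dc=MYCOMPANY,dc=com
objectClass: posixGroup
objectClass: apple-group
cn: COMPANY-staff
memberUid: john
memberUid: jane
memberUid: fred
memberUid: mathew
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    Comment lines are skipped; LDIF line folding and base64 (::) values are
    not handled, which is enough for the group entry above.
    """
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def is_member(group: Dict[str, List[str]], user_dn: str,
              membership_attr: str = "memberUid",
              unqualified: bool = False) -> bool:
    """Compare a user against the group's membership attribute.

    unqualified=False compares the full DN (the default behaviour, which
    never matches a memberUid value); unqualified=True compares only the
    value of the first RDN, i.e. the uid, as the page's setting does.
    Comparison is exact, since RFC 2307 defines memberUid with
    caseExactIA5Match.
    """
    first_rdn = user_dn.split(",", 1)[0]          # e.g. "uid=john"
    _attr, _, username = first_rdn.partition("=")
    candidate = username.strip() if unqualified else user_dn
    return candidate in group.get(membership_attr, [])
```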
A sanitised [atlassian-user.xml] file is attached to this page. Simply replace MYCOMPANY and the connection details, and it should work. (At least for Confluence 2.2.)
