Availability

Confluence 2.3 and above support multiple LDAP servers configured in atlassian-user.xml. Instructions are below. Confluence releases prior to 2.3 do not support multiple LDAP repositories.

Prerequisites

Before reading this, ensure you understand the configuration details outlined in Customising atlassian-user.xml. That page describes how to configure a single LDAP repository in Confluence, and is prerequisite knowledge for following the instructions below. For brevity, all examples on this page are partial. A complete atlassian-user.xml LDAP configuration can be found in Customising atlassian-user.xml.

Configuration

To configure multiple LDAP repositories in Confluence, put multiple <ldap>...</ldap> entries into confluence/WEB-INF/classes/atlassian-user.xml. The order of the entries in the file is the order in which the repositories are searched for users: if a user tries to log in with the username jsmith, the first repository in atlassian-user.xml is searched for a user with that username. If no such user is found there, the second repository specified in atlassian-user.xml is searched, and so on.

Here is a partial configuration that connects Confluence to two different LDAP servers. They are given the identifiers ldap1 and ldap2, and connect to the servers ldap-sf.example.org and ldap-nyc.example.org respectively.

    <atlassian-user>
      <repositories>
        <ldap key="ldap1" name="San Francisco Example Repository" cache="true">
          <host>ldap-sf.example.org</host>
          <port>389</port>
          <!-- ... remainder of server configuration ... -->
        </ldap>
        <ldap key="ldap2" name="New York City Example Repository" cache="true">
          <host>ldap-nyc.example.org</host>
          <port>389</port>
          <!-- ... remainder of server configuration ... -->
        </ldap>
        <hibernate key="hibernate" name="Hibernate Repository" description="Hibernate Repository" />
      </repositories>
    </atlassian-user>

Points to note:
Side effects

The main side effect of configuring multiple LDAP servers is degraded performance. There are many activities in Confluence where user or group information is retrieved:
Confluence tries to cache as much information as possible from the LDAP queries, but adding multiple LDAP servers will almost certainly degrade the performance of the application. This is especially true if any of the LDAP servers are geographically distant from Confluence, so that every LDAP query carries significant latency (more than 50 ms round trip).

Two connections to the same server

It is also possible, but not usually recommended, for Confluence to connect twice to the same server. When connecting twice to the same server, you must not have overlapping group or user namespaces in the LDAP tree: if the same user or group is reachable from both entries, the first entry in the file answers and the second is never consulted for it. Here is a partial configuration retrieving two separate LDAP user branches but only one LDAP group branch. To configure only a single group branch, the group filter in the second LDAP repository searches for a non-existent value, so it never returns any results. (This is generally fast as long as your LDAP server has an index on objectClass for the given section of the tree.)

    <atlassian-user>
      <repositories>
        <ldap key="ldap1" name="Example Repository, SF user tree" cache="true">
          <host>ldap.example.org</host>
          <port>389</port>
          <!-- ... remainder of connection configuration ... -->
          <!-- user search filter -->
          <baseUserNamespace>cn=San Francisco,dc=ldap,dc=example,dc=org</baseUserNamespace>
          <userSearchFilter>(objectClass=user)</userSearchFilter>
          <!-- ... remainder of user configuration ... -->
          <!-- group search filter -->
          <baseGroupNamespace>cn=Groups,dc=ldap,dc=example,dc=org</baseGroupNamespace>
          <groupSearchFilter>(objectClass=group)</groupSearchFilter>
          <!-- ... remainder of server configuration ... -->
        </ldap>
        <ldap key="ldap2" name="Example Repository, NYC user tree" cache="true">
          <host>ldap.example.org</host>
          <port>389</port>
          <!-- ... remainder of connection configuration ... -->
          <!-- user search filter -->
          <baseUserNamespace>cn=New York City,dc=ldap,dc=example,dc=org</baseUserNamespace>
          <userSearchFilter>(objectClass=user)</userSearchFilter>
          <!-- ... remainder of user configuration ... -->
          <!-- group search filter -->
          <baseGroupNamespace>cn=Groups,dc=ldap,dc=example,dc=org</baseGroupNamespace>
          <groupSearchFilter>(objectClass=nothing)</groupSearchFilter>
          <!-- ... remainder of server configuration ... -->
        </ldap>
        <hibernate key="hibernate" name="Hibernate Repository" description="Hibernate Repository" />
      </repositories>
    </atlassian-user>

Points to note:
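The two rules above (repositories are searched in file order; two entries against the same server must not have overlapping user or group subtrees) are easy to get wrong by hand. The following script is an added example, not Atlassian's code and not part of the original page: it parses the <repositories> section of an atlassian-user.xml, reports the search order, and flags pairs of <ldap> entries on the same host:port whose base DNs overlap (one subtree equals or contains the other). It treats a group filter of (objectClass=nothing) as the neutralising trick shown above, so a shared group branch is only reported when both entries would actually search it. The embedded XML is a constructed sample; DN comparison is a simple case-folded RDN suffix match that does not handle escaped commas.

```python
"""Sanity-check multiple <ldap> repositories in a Confluence atlassian-user.xml.

Added example (not Atlassian's code). Assumptions: the file has the
<atlassian-user><repositories> layout shown on the page, and the only
"never matches" group filter in use is (objectClass=nothing).
"""
import xml.etree.ElementTree as ET

# Constructed sample: two entries against one server, the second with a
# neutralised group filter, exactly as in the page's second configuration.
SAMPLE_XML = """<atlassian-user>
  <repositories>
    <ldap key="ldap1" name="SF user tree" cache="true">
      <host>ldap.example.org</host>
      <port>389</port>
      <baseUserNamespace>cn=San Francisco,dc=ldap,dc=example,dc=org</baseUserNamespace>
      <userSearchFilter>(objectClass=user)</userSearchFilter>
      <baseGroupNamespace>cn=Groups,dc=ldap,dc=example,dc=org</baseGroupNamespace>
      <groupSearchFilter>(objectClass=group)</groupSearchFilter>
    </ldap>
    <ldap key="ldap2" name="NYC user tree" cache="true">
      <host>ldap.example.org</host>
      <port>389</port>
      <baseUserNamespace>cn=New York City,dc=ldap,dc=example,dc=org</baseUserNamespace>
      <userSearchFilter>(objectClass=user)</userSearchFilter>
      <baseGroupNamespace>cn=Groups,dc=ldap,dc=example,dc=org</baseGroupNamespace>
      <groupSearchFilter>(objectClass=nothing)</groupSearchFilter>
    </ldap>
    <hibernate key="hibernate" name="Hibernate Repository" description="Hibernate Repository"/>
  </repositories>
</atlassian-user>"""

# Constructed broken variant: the second user base is the parent of the
# first, and both entries really search the same group branch.
BAD_XML = (SAMPLE_XML
           .replace("cn=New York City,dc=ldap,dc=example,dc=org", "dc=ldap,dc=example,dc=org")
           .replace("(objectClass=nothing)", "(objectClass=group)"))

# Filters assumed to match nothing (the page's trick for a single group branch).
NEVER_MATCH_FILTERS = {"(objectclass=nothing)"}

LDAP_FIELDS = ("host", "port", "baseUserNamespace", "userSearchFilter",
               "baseGroupNamespace", "groupSearchFilter")


def normalise_dn(dn):
    """Split a DN into lower-cased, stripped RDNs for suffix comparison."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def dns_overlap(dn_a, dn_b):
    """True if the two base DNs are equal or one lies inside the other's subtree."""
    a, b = normalise_dn(dn_a), normalise_dn(dn_b)
    shorter, longer = sorted((a, b), key=len)
    return longer[len(longer) - len(shorter):] == shorter


def parse_repositories(xml_text):
    """Return repositories in file order, which is Confluence's search order."""
    root = ET.fromstring(xml_text)
    repos = []
    for el in root.find("repositories"):
        entry = {"type": el.tag, "key": el.get("key")}
        if el.tag == "ldap":
            for field in LDAP_FIELDS:
                node = el.find(field)
                entry[field] = node.text.strip() if node is not None and node.text else None
        repos.append(entry)
    return repos


def find_overlaps(repos):
    """List (first_key, second_key, 'user'|'group') for same-server overlaps."""
    ldaps = [r for r in repos if r["type"] == "ldap"]
    problems = []
    for i, a in enumerate(ldaps):
        for b in ldaps[i + 1:]:
            if (a["host"], a["port"]) != (b["host"], b["port"]):
                continue  # different servers: overlapping DNs are fine
            if a["baseUserNamespace"] and b["baseUserNamespace"] \
                    and dns_overlap(a["baseUserNamespace"], b["baseUserNamespace"]):
                problems.append((a["key"], b["key"], "user"))
            # A group overlap only matters when both entries really search groups.
            neutralised = any((r["groupSearchFilter"] or "").lower() in NEVER_MATCH_FILTERS
                              for r in (a, b))
            if not neutralised and a["baseGroupNamespace"] and b["baseGroupNamespace"] \
                    and dns_overlap(a["baseGroupNamespace"], b["baseGroupNamespace"]):
                problems.append((a["key"], b["key"], "group"))
    return problems


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_XML), ("broken variant", BAD_XML)):
        repos = parse_repositories(text)
        print(label, "search order:", [r["key"] for r in repos])
        for first, second, kind in find_overlaps(repos):
            print("  overlapping", kind, "subtree between", first, "and", second,
                  "on the same server; first entry wins for any shared", kind)
```

Run it against your real file with parse_repositories(open(path).read()); an empty result from find_overlaps means the same-server rule is satisfied, while any reported pair means a user or group visible from both entries will only ever be resolved by the earlier one.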

Comments (4)
Sep 17, 2007
Jean Marois says:
Instead of using the above approach to supporting multiple forests or subtrees in Active Directory, point to port 3268 on your domain controllers instead of 389. This will enable Confluence to communicate to the Global Controller and will remove the need for multiple ldap entries and following referrals. It also appears to be much faster.
Sep 18, 2007
Sarah Maddox says:
Hallo Jean
Thank you for your suggestion. I have created JIRA issue CONF-9500 to investigate and document this.
Cheers – Sarah
Mar 20
Anonymous says:
CONF-9500 - great progress ...
Apr 10
Anonymous says:
Hi - When using the port 3298 method, do you need to also add the names of the multiple domains? Has this been tested successfully?