The Difference Between Delegated and Connector LDAP User Directories


Background

There are two methods for Confluence to directly interface with LDAP for user management. Please see Configuring User Directories for an overview.

Administrators may be wondering when and why to use each type of directory. This article aims to describe the technical differences of these directory types in further detail.

Directory Types

The comparison below covers each aspect for the DELEGATED directory first and the CONNECTOR directory second.

Overview

Delegated: Also known as "Internal Directory with LDAP Authentication". As the name implies, you can think of this type of directory as an Internal Directory, but when it comes to authenticating users, Confluence reaches out to LDAP to verify the credentials the user entered. Like an Internal Directory, an administrator can add/remove/update users locally via the Confluence UI.

The directory type also offers some options to assist the admin:

  • If the user does not exist, the directory can automatically create the user upon successful authentication
  • Additional option to update this single user's information (email, display name, etc.) upon successful authentication
  • Additional option to pull in the user's LDAP group memberships upon successful authentication (and automatically create any groups that do not yet exist in Confluence)

The important thing to note is that all of these options are triggered by user authentication and apply on a per-user basis only. This means that users will not exist in Confluence until an admin manually creates them, or until they are auto-created upon successful authentication (with the option to do so configured).

It also means that any users that are removed/disabled on the LDAP side will never be automatically removed/disabled in Confluence, since at that point the user can no longer log in to trigger changes to that account.

Connector: The main advantage of a Connector is that it proactively reaches out to LDAP to update user/group/membership information on a configurable time interval. This means that changes on the LDAP side, including adding/removing users, changing user details and changing group memberships, are regularly reflected in the Confluence database without requiring users to log in or an admin to manually update users.

In addition to the interval-based syncs, the directory also updates a user's details and groups on a per-user basis when that user logs in.

Read/Write options to LDAP

Delegated: Only has Read permission to LDAP. Does not have the option nor the ability to Write (i.e. make changes) back up to LDAP.

Connector: In addition to Read-Only options, this directory type has the option to use "Read/Write", which allows it to push user changes made in Confluence back upstream to LDAP (assuming the bind user is permitted to make such changes in the LDAP server in the first place).

Updating user management data

Delegated: Does not proactively reach out to synchronize LDAP users, groups, or group memberships. LDAP information is pulled in upon authentication of a given user, on a per-user basis (and only if the options to do so have been selected).

Connector: Proactively synchronizes LDAP users, groups, and group memberships from the LDAP server down into the Confluence database, on a configurable time interval (default: 1 hour). This means that changes on the LDAP side, including adding/removing users, changing user details and changing group memberships, are regularly reflected in the Confluence database without requiring users to log in or perform any actions.

Placing users in local groups

Both directory types have the option to place an LDAP user into a local Confluence group after the user logs in for the very first time.

Use this directory type if...

Delegated:
  • You have a very large LDAP directory but only a small subset of users/groups is relevant to Confluence, and you are not able to configure your LDAP filters such that only this subset of users/groups falls within the search scope. A DELEGATED directory can help in this case, avoiding the potential performance impact of a CONNECTOR spending too much time syncing a large dataset.

Connector:
  • Most customers will benefit from using a Connector, as its proactive syncing means LDAP changes are automatically reflected in Confluence.
  • You would like to be able to make user/group changes in Confluence and automatically push those changes upstream to LDAP (this is an option, not a requirement).

Don't use this directory type if...

Delegated:
  • You require LDAP changes to be kept up to date in Confluence, even for users that have not logged in for a long time.
  • You require users who have never logged in to appear in Confluence.
  • You require users who have been removed/disabled in LDAP to be automatically removed/disabled in Confluence without admin intervention.

Connector:
  • You have a huge LDAP directory and do not have a meaningful way to filter down the users/groups relevant to Confluence using a Base DN or LDAP filter. Using a CONNECTOR would mean long sync times and pulling in far too many irrelevant users. Syncing a directory costs Confluence resources (CPU, memory, database connections), so if Confluence has to sync a huge dataset there is a potential for negative performance impact.
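The gap described for the Delegated type (an account disabled or deleted in LDAP stays active in Confluence because nothing refreshes it until the user logs in, which a disabled user can no longer do) is something an administrator can check for out of band. The following Python script is an added example and not part of this article or of Confluence; it compares an LDIF export of LDAP accounts against a list of active usernames from the Delegated directory and reports the accounts LDAP would now reject. It assumes Active Directory attribute names (sAMAccountName, userAccountControl, with the ACCOUNTDISABLE bit 0x2) and uses constructed sample data in place of real ldapsearch output and a real Confluence user export.

```python
"""
Reconciliation check for a Delegated LDAP directory in Confluence.

A Delegated directory only refreshes a user's record when that user
authenticates, so accounts that are disabled or removed on the LDAP side
keep their Confluence record indefinitely. This script (an added example,
not Atlassian code) parses an LDIF export of LDAP accounts and reports
which active Confluence users are disabled in, or absent from, LDAP.

Assumptions: Active Directory attribute names (sAMAccountName,
userAccountControl); the ACCOUNTDISABLE flag is bit 0x2 of
userAccountControl.
"""

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

# Constructed LDIF sample standing in for `ldapsearch -LLL` output.
# 512  = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE,
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (enabled).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol Example,OU=Staff,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 66048
"""

# Constructed list of active usernames in the Delegated directory,
# e.g. exported from the Confluence user management screen.
SAMPLE_CONFLUENCE_USERS = ["alice", "bob", "carol", "dave"]


def parse_ldif(text):
    """Return {username: userAccountControl} for each entry in the LDIF text."""
    accounts = {}
    entry = {}
    last_key = None
    # Append a blank line so the final entry is committed like the others.
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last_key:
            # LDIF line folding: a leading space continues the previous attribute.
            entry[last_key] += raw[1:]
            continue
        line = raw.strip()
        if not line:
            if "sAMAccountName" in entry:
                name = entry["sAMAccountName"].lower()
                accounts[name] = int(entry.get("userAccountControl", "0"))
            entry = {}
            last_key = None
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        entry[last_key] = value.strip()
    return accounts


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(uac & ACCOUNTDISABLE)


def find_stale_accounts(confluence_users, ldap_accounts):
    """Return {username: reason} for Confluence users that LDAP would reject.

    Usernames are compared case-insensitively, matching LDAP's usual handling.
    """
    stale = {}
    for user in confluence_users:
        name = user.lower()
        if name not in ldap_accounts:
            stale[name] = "missing in LDAP"
        elif is_disabled(ldap_accounts[name]):
            stale[name] = "disabled in LDAP"
    return stale


if __name__ == "__main__":
    report = find_stale_accounts(SAMPLE_CONFLUENCE_USERS, parse_ldif(SAMPLE_LDIF))
    for user, reason in sorted(report.items()):
        print(f"{user}: {reason}")
```

Run against real data, the LDIF would come from an ldapsearch scoped to the same Base DN and filter the directory uses, and the username list from the Confluence user management screen or database; the script only flags accounts, leaving the decision to disable them in Confluence to the administrator. Note that with a Connector directory this check is unnecessary, since the interval sync removes or disables such users automatically.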
Last modified on Mar 21, 2024
