Configuring an LDAP Directory Connector

Crowd provides built-in connectors for the most popular LDAP directory servers.

Before you begin

Depending on the directory you're using, there might be extra steps that affect your configuration. For more info, see directory-specific notes.

Supported LDAP servers

Here's a list of supported LDAP servers:

  • Apache Directory Server (ApacheDS)
  • Apple Open Directory
  • Fedora Directory Server
  • Generic LDAP Directories
  • Microsoft Active Directory
  • Novell eDirectory
  • OpenDS
  • OpenLDAP
  • OpenLDAP Using Posix Schema
  • Posix Schema for LDAP
  • Sun Directory Server Enterprise Edition (DSEE)

Configuring an LDAP directory connector

To configure an LDAP directory connector:

  1. Log in to the Crowd Administration Console.
  2. In the top navigation bar, click Directories.
    The Directory Browser opens.
  3. Click Add Directory.
  4. Select Connector.
  5. Complete the configuration information required on each of the tabs to finish setting up the connector. Look at the section below for important notes related to each tab.

Configuration notes for each tab

Below you can find important configuration notes for each tab:

Details

Cache enabled

This option is selected by default. We recommend you leave this setting selected. For more information, see Configuring Caching for an LDAP Directory.

(warning) Active

This option is selected by default. Only clear this setting if you want to prevent all users within the directory from accessing mapped applications. Inactive directories:

  • Are not included when Crowd searches for users, groups, or memberships
  • Still appear in the Crowd Administration Console screens
Connector

Manage groups locally

If you select this option (available only with cache enabled), new groups are created and updated in the Crowd database, and not propagated to the LDAP server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only LDAP server. When this option is enabled, only local groups can be created and updated, while groups synchronized from the remote directory cannot be locally modified.

Use the User Membership

If you select this option, Crowd will use the group membership attribute on the user when it retrieves the members of a given group, which results in a more efficient retrieval.

Use 'memberOf' for Group Membership

If you select this option, Crowd will use the 'memberOf' attribute when retrieving the list of groups a user belongs to, which results in a more efficient retrieval. If you don't select it, Crowd uses the members attribute on the group ('member' by default) for the search.
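The two Connector-tab options above ("Use the User Membership" and "Use 'memberOf' for Group Membership") change which side of the relationship Crowd reads. The following is an added example, not Crowd's own code: it resolves membership both ways over a small constructed in-memory directory (the DNs, the groupOfNames/inetOrgPerson classes and the deliberate inconsistency on bob's entry are all assumptions made for the illustration) and includes the check a practitioner should run before enabling either option: the user-side view only works if the server actually maintains the memberOf back-link.

```python
# Added example (not Crowd's code): resolving membership from the group side
# ('member') or the user side ('memberOf'), as the two Connector-tab options
# do, over a constructed in-memory directory. Values are lists, as in LDAP.
DIRECTORY = {
    "cn=dev,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "memberOf": ["cn=dev,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        # Constructed inconsistency: the server has not maintained bob's
        # memberOf back-link for cn=ops (as when no memberof overlay is active).
        "memberOf": ["cn=dev,ou=groups,dc=example,dc=com"],
    },
}


def _norm(dn):
    """Lower-case a DN and drop whitespace around commas so DNs compare equal.
    Simplified: escaped commas inside values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _entries(directory, object_class):
    return {dn: e for dn, e in directory.items()
            if object_class in e.get("objectClass", [])}


def _values(entry, attr):
    return {_norm(v) for v in entry.get(attr, [])}


def members_via_group(group_dn, directory=DIRECTORY, member_attr="member"):
    """Default behaviour: read the group's members attribute ('member')."""
    return _values(directory[_norm(group_dn)], member_attr)


def members_via_user(group_dn, directory=DIRECTORY, memberof_attr="memberOf"):
    """'Use the User Membership': the search (memberOf=<group DN>) over users,
    one query instead of dereferencing every member entry."""
    return {dn for dn, e in _entries(directory, "inetOrgPerson").items()
            if _norm(group_dn) in _values(e, memberof_attr)}


def groups_via_user(user_dn, directory=DIRECTORY, memberof_attr="memberOf"):
    """'Use memberOf for Group Membership': read the user's memberOf attribute."""
    return _values(directory[_norm(user_dn)], memberof_attr)


def groups_via_group_search(user_dn, directory=DIRECTORY, member_attr="member"):
    """Default behaviour: the search (member=<user DN>) over groups."""
    return {dn for dn, e in _entries(directory, "groupOfNames").items()
            if _norm(user_dn) in _values(e, member_attr)}


def membership_mismatches(directory=DIRECTORY):
    """Check before enabling either memberOf option: every (user, group) pair
    the group side reports must also be present on the user side, otherwise
    Crowd silently loses that membership once it stops reading 'member'."""
    missing = []
    for group_dn in _entries(directory, "groupOfNames"):
        for user_dn in members_via_group(group_dn, directory):
            if group_dn not in groups_via_user(user_dn, directory):
                missing.append((user_dn, group_dn))
    return sorted(missing)
```

On the constructed data, membership_mismatches() reports that bob's membership in cn=ops is visible from the group side only; enabling the user-side options on such a server would drop that membership from Crowd without any error.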

Username

Specify the username as the full distinguished name (DN) of the account Crowd binds with, written as comma-separated attribute=value pairs, for example: cn=administrator,cn=users,dc=ad,dc=acmecorp,dc=com.

Synchronise group memberships when logging in

By default, this option is set to For newly added users only. This will synchronize group memberships for users who have been created in the LDAP directory, but not yet synchronized to Crowd. This is recommended for convenience, without sacrificing performance. Other options are to synchronize the memberships Every time a user logs in, which was the behaviour in Crowd 2.7, 2.8 and 2.9, and to Never synchronise the memberships, which was how Crowd behaved before version 2.7.

Connection timeout

This parameter works differently depending on the type of LDAP connection pool you're using. 

  • Dynamic pool: It only specifies the time limit for connecting to a directory.
  • JNDI pool: It specifies both the time limit for connecting to a directory, and the max time the pool waits for a connection to be returned after it has been exhausted.

For the Dynamic pool, the max time the pool waits for a connection to be returned is specified by separate parameters that can be configured on the LDAP connection pooling tab. These parameters are 'Wait when exhausted' and 'Max time'.

Configuration

User Unique Identifier Attribute

If this attribute is set, Crowd will sync user renames made in the LDAP server.

If this attribute is not set and a user is renamed in the LDAP server, Crowd will not be able to track the user's identity, and will delete the user with the old name and create a new user with the new name. Crowd does not support group renames.
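What the two cases above look like to a synchroniser, as an added example that is not Crowd's own sync code: the snapshots, usernames and identifier values are constructed, and the attribute names mentioned in the comments (entryUUID on OpenLDAP and ApacheDS, objectGUID on Active Directory) are the usual choices for this setting, not something the page specifies.

```python
# Added example (not Crowd's sync code): how a rename in LDAP is interpreted
# when users are keyed on a unique identifier attribute (entryUUID, objectGUID)
# versus on the username only. Snapshots are constructed: (username, id).
PREVIOUS_SYNC = [
    ("jsmith", "2f1a6c3e-0f7d-4d3c-9a1b-0c5e8f1d2a3b"),
    ("adoe",   "7c0b2e9d-5a41-4e8f-b6c2-3d9e1f4a5b6c"),
]
LDAP_NOW = [
    ("john.smith", "2f1a6c3e-0f7d-4d3c-9a1b-0c5e8f1d2a3b"),  # jsmith renamed
    ("adoe",       "7c0b2e9d-5a41-4e8f-b6c2-3d9e1f4a5b6c"),
]


def untracked_entries(entries):
    """Usernames whose entry lacks the identifier. Such users cannot be
    tracked across renames (on OpenLDAP/ApacheDS entryUUID is an operational
    attribute and is only returned when requested explicitly)."""
    return sorted({n for n, uid in entries if not uid})


def diff_sync(previous, current, use_unique_id):
    """Return sorted (action, detail) events: 'add', 'delete' or 'rename'.

    With use_unique_id the identifier is the key, so a changed username on the
    same id is a rename. Without it the username is the key, so the same
    change becomes a delete of the old user plus an add of a new one, which is
    what the applications connected to Crowd then observe."""
    if use_unique_id:
        missing = untracked_entries(previous + current)
        if missing:
            # Fail loudly rather than silently fall back to name matching.
            raise ValueError(f"entries without a unique id: {missing}")
        prev_by_id = {uid: n for n, uid in previous}
        cur_by_id = {uid: n for n, uid in current}
        events = [("add", n) for uid, n in cur_by_id.items()
                  if uid not in prev_by_id]
        events += [("rename", f"{prev_by_id[uid]} -> {n}")
                   for uid, n in cur_by_id.items()
                   if uid in prev_by_id and prev_by_id[uid] != n]
        events += [("delete", n) for uid, n in prev_by_id.items()
                   if uid not in cur_by_id]
    else:
        prev_names = {n for n, _ in previous}
        cur_names = {n for n, _ in current}
        events = [("add", n) for n in cur_names - prev_names]
        events += [("delete", n) for n in prev_names - cur_names]
    return sorted(events)
```

With the identifier configured the rename of jsmith is reported as a single rename event; without it the same LDAP change is a delete followed by an add.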

User Name RDN attribute

If you specify this parameter, the DN for each LDAP entry is composed of two parts: the RDN and the location within the directory tree where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure.
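The split between an entry's RDN and its location, and the bind-DN format required in the Username field of the Connector tab, as an added example that is not Crowd's code. It follows the string form of RFC 4514 for single-valued RDNs; the helper for deriving an Active Directory Base DN from a DNS domain is included because it is the same DN arithmetic. The sample DNs are the ones used on this page.

```python
import re

# Added example (not Crowd's code): splitting a DN into the RDN and the
# location of the entry, and checking the bind DN typed into the Username
# field, following RFC 4514's string form. Single-valued RDNs only.
_ATTR_TYPE = re.compile(r"^(?:[a-z][a-z0-9-]*|[0-9]+(?:\.[0-9]+)*)$")


def split_dn(dn):
    """Split a DN string on unescaped commas, keeping backslash escapes intact
    so a value such as 'Smith\\, John' stays inside one RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: copy both
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn):
    """Return (attribute type, value) for one RDN; raise ValueError otherwise."""
    if "=" not in rdn:
        raise ValueError(f"{rdn!r}: not of the form attribute=value")
    attr, value = rdn.split("=", 1)
    attr, value = attr.strip().lower(), value.strip()
    if not _ATTR_TYPE.match(attr):
        raise ValueError(f"{rdn!r}: invalid attribute type {attr!r}")
    if not value:
        raise ValueError(f"{rdn!r}: empty value")
    return attr, value


def describe_entry(dn):
    """The two parts the User Name RDN attribute note refers to: the entry's
    own RDN (naming attribute and value) and its location, the parent DN."""
    rdns = split_dn(dn)
    attr, value = parse_rdn(rdns[0])
    return {"rdn_attribute": attr, "rdn_value": value,
            "location": ",".join(rdns[1:])}


def bind_dn_problems(dn):
    """Problems with a bind DN as typed into the Username field; an empty
    list means it is well formed. Catches '-' instead of '=', empty values."""
    problems = []
    for rdn in split_dn(dn):
        try:
            parse_rdn(rdn)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def normalize_dn(dn):
    """Canonical spacing and lower-cased attribute types; values untouched."""
    return ",".join(f"{a}={v}" for a, v in map(parse_rdn, split_dn(dn)))


def base_dn_from_domain(dns_domain):
    """Active Directory Base DN from a DNS domain: 'domain1.local' ->
    'dc=domain1,dc=local'."""
    labels = [l for l in dns_domain.strip().strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={l.lower()}" for l in labels)
```

bind_dn_problems() is the check to run on a pasted bind DN before saving the connector: a bind with a malformed DN fails at connection test time with a server error that does not point at the offending component.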

LDAP connection pooling

You can use this tab to configure LDAP connection pooling for your directory, which significantly improves performance. For more info, see LDAP connection pooling.

Other configuration notes
  • If you are connecting to the LDAP directory as a user affected by query limits (for example, using a DN that is not the rootdn in OpenLDAP, with olcSizeLimit set), some operations might return a truncated result set. Currently it is recommended to connect as a user that is unaffected by such limits.
  • If you have successfully added your connector, but aren't able to see any data when you browse the LDAP directory, make sure that any non-standard object types and filters are configured correctly.

No important notes for the Permissions and Options tabs.

Directory-specific configuration notes

Expand an entry for the directory you're using to check for configuration notes.

Apache Directory Server (ApacheDS)

There are two known issues with ApacheDS and Crowd:

Apple Open Directory
  • Crowd's Apple Open Directory support is read-only. You cannot add or update user details or group details in a Crowd-connected OS X Open Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.
  • Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.
  • The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Apple Open Directory.
Fedora Directory Server
  • Crowd supports read-only connections to Fedora DS using the Posix/NIS schema RFC 2307. You cannot add or update user details or group details in a Crowd-connected Fedora Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.
  • Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.
  • The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Fedora DS.
Microsoft Active Directory
  • If you want to use a secure SSL connection, make sure you configure an SSL Certificate before enabling this setting.
  • We recommend selecting the Enable Incremental Sync setting to allow Crowd to retrieve changes made after the last synchronization when possible.
  • Specify the Base DN in the following format: dc=domain1,dc=local. Replace domain1 and local to match your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the LDAP structure of your server.
  • If you want to use Crowd to add users or change passwords in Microsoft Active Directory, you will need to install an SSL certificate generated by your Active Directory server and then install the certificate into your JVM keystore. Please read the instructions: Configuring an SSL Certificate for Microsoft Active Directory.
  • Crowd will synchronize the user status with Active Directory. If a user account is disabled in Active Directory, the user will be deactivated in Crowd, and conversely, if a user is deactivated in Crowd, the user account will be disabled in Active Directory. To prevent this synchronization, use Manage User Status Locally in the 'Connector' tab.
  • Users' primary groups in Active Directory will be displayed as regular memberships in Crowd. However, you will not be able to change or remove the user's primary group through Crowd's user interface.
  • If you are using a single Active Directory domain, you should disable "Use node referrals" in the directory configuration. If you have a forest, you should read User lookup fails with PartialResultException in Jira server and ensure your DNS server is configured appropriately.
  • We have not tested Crowd integration with Active Directory Application Mode (ADAM). However, ADAM and Active Directory share the same code base, LDAP interface and API. So ADAM should work with Crowd, following the same integration instructions as above. If you try it, we'd be interested to hear of your experiences.
  • Crowd's Filter out expired users feature requires an LDAP connection that exposes the accountExpires attribute. Care should be taken when connecting to the Active Directory Global Catalog as it does not replicate the aforementioned attribute by default. This may cause inconsistent user status in Crowd.
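How the status synchronization and the Filter out expired users notes above play out on the attributes Active Directory exposes, as an added example that is not Crowd's code. The ACCOUNTDISABLE bit of userAccountControl and the FILETIME encoding of accountExpires (100-nanosecond ticks since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires") are Microsoft's documented values; the user entries, the fixed clock and the 'unknown' outcome for an entry returned without accountExpires are constructed for the illustration, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Added example (not Crowd's code): deriving the user status Crowd would
# synchronize from Active Directory attributes. Flag values and the FILETIME
# encoding are Microsoft's documented ones; the sample entries are constructed.
ACCOUNTDISABLE = 0x0002                     # userAccountControl flag
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}     # accountExpires: "never"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_user_status(entry, now, filter_expired=True):
    """'active', 'disabled', 'expired', or 'unknown' when expiry cannot be
    decided because accountExpires is absent, as happens on a Global Catalog
    query where the attribute is not replicated by default."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if not filter_expired:
        return "active"
    if "accountExpires" not in entry:
        return "unknown"
    expires = int(entry["accountExpires"][0])
    if expires in NEVER_EXPIRES:
        return "active"
    return "expired" if filetime_to_datetime(expires) <= now else "active"


def set_disabled(uac, disabled):
    """userAccountControl value written back when a user is deactivated or
    reactivated in Crowd (unless Manage User Status Locally is selected)."""
    return (uac | ACCOUNTDISABLE) if disabled else (uac & ~ACCOUNTDISABLE)


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # fixed clock for the sample
_CAROL_EXPIRY = datetime_to_filetime(datetime(2023, 12, 1, tzinfo=timezone.utc))
SAMPLE_USERS = {                                   # constructed AD entries
    "alice": {"userAccountControl": ["512"], "accountExpires": ["0"]},
    "bob":   {"userAccountControl": ["514"], "accountExpires": ["0"]},  # 512|2
    "carol": {"userAccountControl": ["512"], "accountExpires": [str(_CAROL_EXPIRY)]},
    "dave":  {"userAccountControl": ["512"]},   # as returned by a GC query
    "erin":  {"userAccountControl": ["512"],
              "accountExpires": ["9223372036854775807"]},
}


def status_report(users=SAMPLE_USERS, now=NOW):
    return {name: ad_user_status(entry, now) for name, entry in users.items()}
```

The 'unknown' outcome is the point of the Global Catalog caveat: a connector that treats a missing accountExpires as "not expired" keeps expired accounts active, while one that treats it as expired locks everyone out, so the attribute has to be available on the connection used.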
Posix Schema for LDAP or OpenLDAP
  • Crowd supports read-only connections to an LDAP directory using the Posix/NIS schema (RFC 2307): you cannot add or update user details. This is useful if you have a Unix installation and want to integrate with an LDAP directory. The Posix/NIS schema allows integration between an LDAP directory and the Unix NIS (Network Information Service).
  • Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.
  • The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in the Posix schema.
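The membership rule stated for Apple Open Directory, Fedora DS and the Posix schema (gidNumber plus memberUid, no nesting), as an added example that is not Crowd's code. The posixAccount and posixGroup entries are constructed, including a group whose memberUid values name other groups, to show that the schema gives such values no meaning.

```python
# Added example (not Crowd's code): group membership under the RFC 2307
# (posixAccount / posixGroup) schema over constructed entries. A user is a
# member if the user's gidNumber equals the group's (primary group) or the
# user's uid is listed in memberUid. Nothing else counts, so a memberUid that
# names another group does not nest it.
POSIX_USERS = {
    "alice": {"uid": ["alice"], "gidNumber": ["1000"]},
    "bob":   {"uid": ["bob"],   "gidNumber": ["1001"]},
    "carol": {"uid": ["carol"], "gidNumber": ["1002"]},  # no group has gid 1002
}
POSIX_GROUPS = {
    "developers": {"cn": ["developers"], "gidNumber": ["1000"], "memberUid": ["bob"]},
    "ops":        {"cn": ["ops"],        "gidNumber": ["1001"], "memberUid": ["carol"]},
    # Constructed nesting attempt: memberUid values are group names, not uids.
    "everyone":   {"cn": ["everyone"],   "gidNumber": ["2000"],
                   "memberUid": ["developers", "ops"]},
}


def is_member(user, group):
    """RFC 2307 membership test: primary gid match OR uid listed in memberUid.
    The gidNumber attribute name is fixed, as the notes above state."""
    primary = user["gidNumber"][0] == group["gidNumber"][0]
    listed = user["uid"][0] in group.get("memberUid", [])
    return primary or listed


def members_of(group_name, users=POSIX_USERS, groups=POSIX_GROUPS):
    group = groups[group_name]
    return {uid for uid, u in users.items() if is_member(u, group)}


def groups_of(uid, users=POSIX_USERS, groups=POSIX_GROUPS):
    user = users[uid]
    return {name for name, g in groups.items() if is_member(user, g)}


def dangling_member_uids(users=POSIX_USERS, groups=POSIX_GROUPS):
    """memberUid values naming no user: stale accounts, or an attempt to nest
    groups that the schema cannot express. Worth listing before go-live."""
    known = set(users)
    return sorted((name, m) for name, g in groups.items()
                  for m in g.get("memberUid", []) if m not in known)
```

On the constructed data the 'everyone' group has no members at all: its memberUid entries are group names, and the schema offers no way to expand them.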
Last modified on Nov 24, 2022
