Restricting LDAP Scope for User and Group Search

While you should already know the user DN (Distinguished Name) you are using for your LDAP connection, it can be helpful to review the users and groups in Apache Directory Studio to determine the best scope for your Crowd LDAP directory configuration.

Crowd comes with default configurations that will work for most customers. In the examples below, we illustrate some common options for changing your user and group configurations.

There are a number of other attributes, not shown here, that can also be used to narrow the scope of users and groups.

Important Search Filter Notes

  • If you are unfamiliar with LDAP search filter syntax, please review this guide.
  • See Creating a Connection to your LDAP Directory for details of how to connect Apache Directory Studio to your LDAP directory.
  • To use Object Filters longer than 255 characters, you will need to upgrade Crowd to 1.5.1 or later by installing a new Crowd instance (with a new database) and restoring an XML backup from your previous Crowd installation. For more information on upgrading Crowd, please review the Upgrade Guide.
  • If you are using Nested Groups in Crowd, your group filter must include all sub-groups to pick up the sub-group members.

Example 1: Using a User's DN for Crowd Configuration

  1. Find a user in the scope you wish to use for Crowd. Highlight that user in Apache Directory Studio.

    Screenshot: User information in Apache Directory Studio

  2. Using the information about the user dmcgahan, you can narrow down the users returned in the Crowd directory to those in cn=Users who are members of either the confluence-users or the confluence-administrators group.

    User DN:

    cn=Users

    User Object Filter:

    (&(objectCategory=Person)(sAMAccountName=*)
    (|(memberOf=cn=confluence-users,ou=Groups,dc=sydney,dc=atlassian,dc=com)
    (memberOf=cn=confluence-administrators,ou=Groups,dc=sydney,dc=atlassian,dc=com)))



    Screenshot: The resulting user configuration in Crowd

Example 2: Using a Group's DN for Crowd Configuration

  1. Find a group in the scope you wish to use for Crowd. Highlight that group in Apache Directory Studio.

    Screenshot: Group information in Apache Directory Studio

  2. Using the information about the group confluence-users, you can narrow down the groups returned in the Crowd directory to those in ou=Groups and return only the confluence-users or the confluence-administrators group. Under most circumstances, it is best to apply any changes to both group and role configuration for consistency.

    Group DN:

    ou=Groups

    Group Object Filter:

    (&(objectCategory=Group)(|(cn=confluence-users)(cn=confluence-administrators)))



    Screenshot: The resulting group/role configuration in Crowd
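
To check which entries a filter admits before saving it in Crowd, the added example below (not part of the original page, and not Crowd's code) parses the user filter from Example 1 and evaluates it against constructed directory entries. The entry names, the jira-users group, the short objectCategory values and the case-insensitive comparison are assumptions; escaped characters, substring matches and extensible matches are not handled.

```python
# Filter from Example 1 on this page, wrapped across lines as shown there.
USER_FILTER = """(&(objectCategory=Person)(sAMAccountName=*)
(|(memberOf=cn=confluence-users,ou=Groups,dc=sydney,dc=atlassian,dc=com)
(memberOf=cn=confluence-administrators,ou=Groups,dc=sydney,dc=atlassian,dc=com)))"""
BASE = "ou=Groups,dc=sydney,dc=atlassian,dc=com"

def parse(s, i=0):  # subset: & | ! equality presence; returns (node, next offset)
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        end = s.find(")", i)
        attr, sep, value = s[i:end].partition("=")
        if end < 0 or not sep or not attr:
            raise ValueError(f"malformed item at offset {i}")
        node, i = ("=", attr.lower(), value.lower()), end
    if s[i:i + 1] != ")":
        raise ValueError(f"unbalanced filter at offset {i}")
    return node, i + 1

def matches(node, entry):  # entry: lower-case attribute name -> list of values
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def in_scope(filter_text, entries):
    text = "".join(line.strip() for line in filter_text.splitlines())
    node, end = parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return [name for name, e in entries.items() if matches(node, e)]

def sample(category, name, *groups):  # constructed directory entry, not real data
    return {"objectcategory": [category], "samaccountname": [name],
            "memberof": [f"cn={g},{BASE}" for g in groups]}
ENTRIES = {"alice": sample("Person", "alice", "confluence-users"),
           "bob": sample("Person", "bob", "jira-users"),
           "carol": sample("Person", "carol", "jira-users", "confluence-administrators"),
           "printer01$": sample("Computer", "printer01$", "confluence-users")}
```

Calling in_scope(USER_FILTER, ENTRIES) lists the entries the user filter would expose to Crowd; the same functions accept the group filter from Example 2.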

RELATED TOPICS

Using Apache Directory Studio for LDAP Configuration

Last modified on Oct 14, 2014
