Crowd provides built-in connectors for the most popular LDAP directory servers:
- Apache Directory Server (ApacheDS)
- Apple Open Directory
- Fedora Directory Server
- Generic LDAP Directories
- Microsoft Active Directory
- Novell eDirectory
- OpenDS
- OpenLDAP
- OpenLDAP Using Posix Schema
- Posix Schema for LDAP
- Sun Directory Server Enterprise Edition (DSEE)
Before you begin configuring the directory, check for any directory-specific notes that affect the directory type you're using.
Configuring an LDAP directory connector
- Log in to the Crowd Administration Console.
- Click the Directories link in the top navigation bar. The Directory Browser opens.
- Click the Add Directory link. The 'Select Directory Type' screen opens.
- Click the 'Connector' button. The 'Create Directory Connector' window opens.
- Complete the configuration information required on each of the tabs to finish setting up the connector.
General configuration notes
- By default, the Cache Enabled setting on the 'Details' tab is selected. We recommend you leave this setting selected. For more information, see Configuring Caching for an LDAP Directory.
- If you select the Manage Groups Locally setting on the 'Connector' tab (available only if you've selected the Cache Enabled check box), new groups are created and updated in the Crowd database and not propagated to the LDAP server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only LDAP server. When this option is enabled, only local groups can be created and updated, while groups synchronised from the remote directory cannot be locally modified.
- If you select the Use the User Membership setting on the 'Connector' tab, Crowd will use the group membership attribute on the user when it retrieves the members of a given group, which will result in a more efficient retrieval.
- If you select the Use 'memberOf' for Group Membership setting on the 'Connector' tab, Crowd will read the 'memberOf' attribute on the user entry when it retrieves the list of groups a user belongs to, which is a more efficient retrieval. If you don't select this setting, Crowd will instead search every group's members attribute ('member' by default) for the user's DN.
- Crowd will synchronise user renames made in the LDAP server, provided that the User Unique Identifier Attribute is set in the 'Configuration' tab. If this attribute is not set and a user is renamed in the LDAP server, Crowd will not be able to track the user's identity, and will delete the user with the old name and create a new user with the new name. Crowd does not support group renames.
- If the directory type you're using guarantees the format of DNs, we recommend selecting the Use Naive DN Matching setting on the 'Connector' tab to allow Crowd to do a direct, case-insensitive, string comparison when it compares DNs. This setting can significantly improve performance.
- Specify the Username on the 'Connector' tab as the full DN of the bind account, in the following format:
cn=administrator,cn=users,dc=ad,dc=acmecorp,dc=com
- If you specify the User Name RDN attribute, the DN for each LDAP entry is composed of two parts: the RDN and the location within the directory tree where the record resides. The RDN is the portion of the DN that is not related to the directory tree structure.
- If you have successfully added your connector, but aren't able to see any data when you browse the LDAP directory, make sure that any non-standard object types and filters are configured correctly.
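The three membership-related settings above (the members attribute on the group, 'memberOf' on the user, and 'Use Naive DN Matching') differ in where they read membership from and how they compare DNs. The following is an added example, not Crowd's code: it resolves membership both ways over a small constructed directory snapshot, and shows why a naive string compare of DNs is only safe when the server guarantees one DN format (the second member of 'developers' below is spelled with spaces and upper-case attribute types, which is legal LDAP but a different string).

```python
import re

# Constructed directory snapshot (DN -> attributes), not data from the page.
# The second member of 'developers' is spelled with spaces after the commas
# and upper-case attribute types: legal LDAP, but a different string.
DIRECTORY = {
    "cn=alice,ou=people,dc=acmecorp,dc=com": {
        "uid": ["alice"],
        "memberOf": ["cn=developers,ou=groups,dc=acmecorp,dc=com"],
    },
    "cn=bob,ou=people,dc=acmecorp,dc=com": {
        "uid": ["bob"],
        "memberOf": ["cn=developers,ou=groups,dc=acmecorp,dc=com",
                     "cn=ops,ou=groups,dc=acmecorp,dc=com"],
    },
    "cn=developers,ou=groups,dc=acmecorp,dc=com": {
        "member": ["cn=alice,ou=people,dc=acmecorp,dc=com",
                   "CN=Bob, OU=People, DC=acmecorp, DC=com"],
    },
    "cn=ops,ou=groups,dc=acmecorp,dc=com": {
        "member": ["cn=bob,ou=people,dc=acmecorp,dc=com"],
    },
}


def naive_dn_equal(a, b):
    """'Use Naive DN Matching': a direct, case-insensitive string compare.
    Fast, but only correct if the server always emits DNs in one format."""
    return a.lower() == b.lower()


def normalize_dn(dn):
    """Canonicalise a DN: split on unescaped commas, trim whitespace around
    each RDN, lower-case attribute types and values. Sufficient for the
    case-insensitive cn/uid/ou/dc attributes used here; a full RFC 4514
    normaliser would also handle escaping and multi-valued RDNs."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def dn_equal(a, b):
    """Structural DN comparison, tolerant of formatting differences."""
    return normalize_dn(a) == normalize_dn(b)


def rdn_value(dn):
    """Value of the first RDN, e.g. 'developers' for 'cn=developers,...'."""
    return normalize_dn(dn).split(",", 1)[0].split("=", 1)[1]


def members_of_group(group_dn, equal=dn_equal, member_attr="member"):
    """Default retrieval: read the group's members attribute and resolve
    each DN to a user entry. member_attr mirrors the configurable
    members attribute name on the 'Connector' tab."""
    found = []
    for member_dn in DIRECTORY[group_dn].get(member_attr, []):
        for user_dn, attrs in DIRECTORY.items():
            if "uid" in attrs and equal(user_dn, member_dn):
                found.append(attrs["uid"][0])
    return sorted(found)


def groups_of_user_via_member(user_dn, equal=dn_equal):
    """Without 'Use memberOf': scan every group's member list for the user."""
    return sorted(rdn_value(g) for g, attrs in DIRECTORY.items()
                  if any(equal(m, user_dn) for m in attrs.get("member", [])))


def groups_of_user_via_memberof(user_dn):
    """With 'Use memberOf for Group Membership': one read of the user entry.
    The server maintains memberOf, so no DN comparison is needed here."""
    return sorted(rdn_value(g) for g in DIRECTORY[user_dn].get("memberOf", []))
```

With structural comparison both lookups agree that bob is in 'developers' and 'ops'; with naive matching bob silently drops out of 'developers', which is the kind of gap that shows up as a user missing an application permission rather than as an error.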
By default, the Active setting on the 'Details' tab is selected. Only clear this setting if you want to prevent all users within the directory from accessing mapped applications. Inactive directories:
- Are not included when Crowd searches for users, groups, or memberships
- Still appear in the Crowd Administration Console screens
You can also configure site-wide LDAP connection pool settings. See Configuring the LDAP Connection Pool.
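The rename behaviour described in the general notes above has a practical cost: when no User Unique Identifier Attribute is set, a renamed user is deleted and re-created, and anything Crowd stored against the old record (such as memberships in locally managed groups) goes with it. The following is an added example, not Crowd's code, that simulates one synchronisation over constructed snapshots, once keyed by a stable identifier (an entryUUID/objectGUID-style value, made up here) and once keyed by username only.

```python
# Constructed snapshots (not data from the page). Between the two
# synchronisations, jsmith was renamed to jdoe in LDAP; the entry's
# unique identifier (an entryUUID/objectGUID-style value, made up here)
# stayed the same. Local group memberships are keyed by the user record,
# so a delete + create loses them.
CROWD_USERS = [
    {"name": "jsmith", "uuid": "7a1b0f9e-0001", "local_groups": ["release-managers"]},
    {"name": "alice",  "uuid": "7a1b0f9e-0002", "local_groups": []},
]
LDAP_USERS = [
    {"name": "jdoe",  "uuid": "7a1b0f9e-0001"},
    {"name": "alice", "uuid": "7a1b0f9e-0002"},
]


def plan_sync(local, remote, unique_id_attr=None):
    """Return (renames, deletes, creates) for one synchronisation.

    With unique_id_attr set (the 'User Unique Identifier Attribute'),
    entries are matched on that stable value, so a changed name is a
    rename. Without it the only key is the username, and a renamed user
    looks like one user gone and an unrelated new one arriving."""
    key = (lambda u: u[unique_id_attr]) if unique_id_attr else (lambda u: u["name"])
    local_by = {key(u): u for u in local}
    remote_by = {key(u): u for u in remote}
    renames = sorted((local_by[k]["name"], remote_by[k]["name"])
                     for k in local_by.keys() & remote_by.keys()
                     if local_by[k]["name"] != remote_by[k]["name"])
    deletes = sorted(local_by[k]["name"] for k in local_by.keys() - remote_by.keys())
    creates = sorted(remote_by[k]["name"] for k in remote_by.keys() - local_by.keys())
    return renames, deletes, creates


def local_groups_after_sync(local, remote, unique_id_attr=None):
    """Local group memberships that survive the sync, keyed by the user's
    name after the sync. Shows what is lost when a rename is treated as
    delete + create."""
    renames, deletes, _ = plan_sync(local, remote, unique_id_attr)
    new_name = dict(renames)
    return {new_name.get(u["name"], u["name"]): u["local_groups"]
            for u in local if u["name"] not in deletes}
```

Keyed by the unique identifier, jsmith becomes jdoe and keeps the release-managers membership; keyed by name, jsmith is deleted, jdoe is created as a fresh user, and the membership is gone.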
Directory-specific configuration notes
Apache Directory Server (ApacheDS)
- There are two known issues with ApacheDS and Crowd:
- ApacheDS 1.0.2 does not support password resets without a restart. This is an ApacheDS limitation.
- ApacheDS does not support paged results. CWD-1109: Cannot browse users or groups if Use Paged Results is enabled. Again, this is an ApacheDS limitation.
Apple Open Directory
- Crowd's Apple Open Directory support is read-only. You cannot add or update user details or group details in a Crowd-connected OS X Open Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.
- Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable; Crowd will always use this attribute to determine membership.
- The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Apple Open Directory.
Fedora Directory Server
- Crowd supports read-only connections to Fedora DS using the Posix/NIS schema RFC 2307. You cannot add or update user details or group details in a Crowd-connected Fedora Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.
- Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable; Crowd will always use this attribute to determine membership.
- The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Fedora DS.
Microsoft Active Directory
- If you want to use a secure SSL connection, make sure you configure an SSL Certificate before enabling this setting.
- We recommend selecting the Enable Incremental Sync setting to allow Crowd to retrieve changes made after the last synchronisation when possible.
- Specify the Base DN in the following format:
dc=domain1,dc=local
Replace domain1 and local with the components of your own domain. Windows Server provides a tool called ldp.exe which is useful for finding out and configuring the LDAP structure of your server.
- If you want to use Crowd to add users or change passwords in Microsoft Active Directory, you will need an SSL certificate on your Active Directory server, because Active Directory rejects password changes over an unencrypted connection, and you must import that certificate into your JVM keystore so that Crowd trusts it. Please read the instructions: Configuring an SSL Certificate for Microsoft Active Directory.
- Crowd will synchronise the user status with Active Directory. If a user account is disabled in Active Directory, the user will be deactivated in Crowd, and reciprocally, if a user is deactivated in Crowd, the user account will be disabled in Active Directory. To prevent this synchronisation, use Manage User Status Locally in the 'Connector' tab.
- Users' primary groups in Active Directory will be displayed as regular memberships in Crowd. However, you will not be able to change or remove the user's primary group through Crowd's user interface.
- We have not tested Crowd integration with Active Directory Application Mode (ADAM). However, ADAM and Active Directory share the same code base, LDAP interface and API. So ADAM should work with Crowd, following the same integration instructions as above. If you try it, we'd be interested to hear of your experiences.
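The status and primary-group notes above map onto two Active Directory attributes the page does not name: the ACCOUNTDISABLE bit (0x0002) of userAccountControl, and primaryGroupID, which Active Directory matches against a group's primaryGroupToken rather than listing the user in the group's member attribute. The following is an added example, not Crowd's code, over constructed entries; it shows the two sync directions, what 'Manage User Status Locally' suppresses, and why a primary-group membership shows up in Crowd but cannot be edited there.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl flag bit, per Microsoft's documentation
NORMAL_ACCOUNT = 0x0200

# Constructed AD entries, not data from the page. primaryGroupID holds the
# RID of the user's primary group; AD exposes the matching value on the
# group as the constructed attribute primaryGroupToken and does not list
# primary-group members in the group's member attribute.
AD_USERS = {
    "cn=alice,cn=users,dc=ad,dc=acmecorp,dc=com": {
        "sAMAccountName": "alice",
        "userAccountControl": NORMAL_ACCOUNT,
        "primaryGroupID": 513,
    },
    "cn=bob,cn=users,dc=ad,dc=acmecorp,dc=com": {
        "sAMAccountName": "bob",
        "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
        "primaryGroupID": 1105,
    },
}
AD_GROUPS = {
    "cn=Domain Users,cn=users,dc=ad,dc=acmecorp,dc=com": {
        "primaryGroupToken": 513, "member": []},
    "cn=developers,cn=users,dc=ad,dc=acmecorp,dc=com": {
        "primaryGroupToken": 1105,
        "member": ["cn=alice,cn=users,dc=ad,dc=acmecorp,dc=com"]},
}


def ad_is_active(entry):
    """Disabled in AD means the ACCOUNTDISABLE bit is set."""
    return not (entry["userAccountControl"] & ACCOUNTDISABLE)


def status_from_ad(entry, crowd_user, manage_status_locally=False):
    """Sync direction AD -> Crowd: returns the updated Crowd user.
    With 'Manage User Status Locally' the AD flag is left alone."""
    if manage_status_locally:
        return dict(crowd_user)
    return {**crowd_user, "active": ad_is_active(entry)}


def status_to_ad(crowd_user, entry, manage_status_locally=False):
    """Sync direction Crowd -> AD: returns the userAccountControl value a
    modify operation would write, or None if nothing needs writing."""
    if manage_status_locally:
        return None
    uac = entry["userAccountControl"]
    new = uac & ~ACCOUNTDISABLE if crowd_user["active"] else uac | ACCOUNTDISABLE
    return None if new == uac else new


def members_of_ad_group(group_dn):
    """Explicit members (from member) plus primary-group members (from
    primaryGroupID). Only the explicit list can be changed by editing
    member, which is why Crowd shows but cannot remove a primary group."""
    group = AD_GROUPS[group_dn]
    explicit = {AD_USERS[dn]["sAMAccountName"] for dn in group["member"]}
    primary = {u["sAMAccountName"] for u in AD_USERS.values()
               if u["primaryGroupID"] == group["primaryGroupToken"]}
    return {"explicit": sorted(explicit), "primary": sorted(primary)}
```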
Posix Schema for LDAP or OpenLDAP
- Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable; Crowd will always use this attribute to determine membership.
- The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in the Posix schema.
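The gidNumber/memberUid rule stated for Apple Open Directory, Fedora DS and the Posix schema is the same rule in all three cases, so one added example (not Crowd's code) covers them. It evaluates membership over constructed RFC 2307 entries and makes the "no nesting" point concrete: memberUid holds uid strings, not DNs, so a value that happens to be another group's name matches no user and grants nothing. The last function is hypothetical, showing what a nesting-aware resolver would compute, purely for contrast.

```python
# Constructed RFC 2307 entries, not data from the page. A user's gidNumber is
# their primary group; memberUid lists additional members by uid (a string,
# not a DN). 'ops' deliberately lists the group name 'developers' in
# memberUid: the schema has no notion of a group being a member, so that
# value matches no user and grants nothing.
POSIX_USERS = {
    "alice": {"uid": "alice", "gidNumber": 1000},
    "bob":   {"uid": "bob",   "gidNumber": 1001},
    "carol": {"uid": "carol", "gidNumber": 1002},
}
POSIX_GROUPS = {
    "developers": {"cn": "developers", "gidNumber": 1000, "memberUid": ["bob"]},
    "ops":        {"cn": "ops",        "gidNumber": 1001, "memberUid": ["developers"]},
    "everyone":   {"cn": "everyone",   "gidNumber": 1002, "memberUid": ["alice", "bob"]},
}


def is_member(uid, group_cn):
    """The fixed rule: the user's gidNumber equals the group's gidNumber
    (primary group), or the uid is listed in the group's memberUid."""
    user, group = POSIX_USERS[uid], POSIX_GROUPS[group_cn]
    return user["gidNumber"] == group["gidNumber"] or uid in group["memberUid"]


def members_of(group_cn):
    return sorted(uid for uid in POSIX_USERS if is_member(uid, group_cn))


def groups_of(uid):
    return sorted(cn for cn in POSIX_GROUPS if is_member(uid, cn))


def members_of_with_nesting(group_cn, seen=None):
    """Hypothetical, for contrast only: what a resolver that followed
    memberUid values naming other groups would compute. Crowd does not do
    this for the Posix schema, so 'ops' never gains developers' members."""
    if seen is None:
        seen = set()
    if group_cn in seen:
        return set()
    seen.add(group_cn)
    result = set(members_of(group_cn))
    for value in POSIX_GROUPS[group_cn]["memberUid"]:
        if value in POSIX_GROUPS:
            result |= members_of_with_nesting(value, seen)
    return result
```

Note that because gidNumber is always consulted, a user whose primary gid is changed on the server joins or leaves a group in Crowd without any edit to memberUid; when auditing group membership in a Posix-backed directory, check both attributes.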