Configuring an LDAP Directory Connector

Crowd provides built-in connectors for the most popular LDAP directory servers:

  • Apache Directory Server (ApacheDS)
  • Apple Open Directory
  • Fedora Directory Server
  • Generic LDAP Directories
  • Microsoft Active Directory
  • Novell eDirectory
  • OpenDS
  • OpenLDAP
  • OpenLDAP Using Posix Schema
  • Posix Schema for LDAP
  • Sun Directory Server Enterprise Edition (DSEE)

Before you begin configuring the directory, check for any directory-specific notes that affect the directory type you're using.

Configuring an LDAP directory connector

  1. Log in to the Crowd Administration Console.
  2. Click the Directories link in the top navigation bar. The Directory Browser opens.
  3. Click the Add Directory link. The 'Select Directory Type' screen opens.
  4. Click the 'Connector' button. The 'Create Directory Connector' window opens. 
  5. Complete the configuration information required on each of the tabs to finish setting up the connector.

General configuration notes

  • By default, the Cache Enabled setting on the 'Details' tab is selected. We recommend you leave this setting selected. For more information, see Configuring Caching for an LDAP Directory.
  • If you select the Manage Groups Locally setting on the 'Connector' tab (available only if you've selected the Cache Enabled check box), new groups are created and updated in the Crowd database and not propagated to the LDAP server. Memberships of local groups are also stored locally. This makes it possible to augment the group structure with new groups even with a read-only LDAP server. When this option is enabled, only local groups can be created and updated, while groups synchronized from the remote directory cannot be locally modified.
  • If you select the Use the User Membership setting on the 'Connector' tab, Crowd will use the group membership attribute on the user when it retrieves the members of a given group, which will result in a more efficient retrieval. 
  • If you select the Use 'memberOf' for Group Membership setting on the 'Connector' tab, Crowd will use the 'memberOf' attribute when it retrieves the list of groups a user belongs to, which will result in a more efficient retrieval. If you don't select this setting, Crowd will use the members attribute on the group ('member' by default) for the search.
  • Crowd will synchronize user renames made in the LDAP server, provided that the User Unique Identifier Attribute is set in the 'Configuration' tab. If this attribute is not set and a user is renamed in the LDAP server, Crowd will not be able to track the user's identity, and will delete the user with the old name and create a new user with the new name. Crowd does not support group renames.
  • If the directory type you're using guarantees the format of DNs (consistent casing, spacing and escaping in every DN it returns), we recommend selecting the Use Naive DN Matching setting on the 'Connector' tab to allow Crowd to do a direct, case-insensitive, string comparison when it compares DNs. This setting can significantly improve performance, but if the directory returns the same DN in differing forms, a direct string comparison will treat them as different entries.
  • Specify the Username on the 'Connector' tab as a full DN, in the following format: cn=administrator,cn=users,dc=ad,dc=acmecorp,dc=com.
  • If you specify the User Name RDN attribute, the DN for each LDAP entry is composed of two parts: the RDN and the location within the directory tree where the record resides. The RDN is the portion of the DN that is not related to the directory tree structure.
  • By default the Synchronise group memberships when logging in option is set to For newly added users only. This will synchronize group memberships for users who have been created in the LDAP directory, but not yet synchronized to Crowd. This is recommended for convenience, without sacrificing performance. Other options are to synchronize the memberships Every time a user logs in, which was the behaviour in Crowd 2.7, 2.8 and 2.9, and to Never synchronise the memberships, which was how Crowd behaved before version 2.7.
  • If you are connecting to the LDAP directory as a user affected by query limits (for example, using a DN that is not the RootDN in OpenLDAP, with olcSizeLimit set), some operations might not return all results. Currently it is recommended to connect as a user that is unaffected by limits.
  • If you have successfully added your connector, but aren't able to see any data when you browse the LDAP directory, make sure that any non-standard object types and filters are configured correctly.
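
The two notes above on Naive DN Matching and on the Username DN format come down to one question: do two DN strings name the same entry? The following added example (not Crowd's code) contrasts the naive comparison with a structural one that parses the DN per RFC 4514, decodes backslash and hex escapes, trims insignificant whitespace and case-folds. It assumes every attribute uses a case-insensitive matching rule (true for cn, ou, dc and uid); the DNs it compares are constructed sample values.

```python
"""Normalized vs naive DN comparison (added example; not Crowd code).

Assumes every attribute uses a case-insensitive matching rule (true for cn, ou,
dc, uid); values of attributes with case-exact syntaxes would need other handling.
"""
import re


def _text(chars):
    """Join decoded characters, dropping unescaped leading/trailing spaces only."""
    start, end = 0, len(chars)
    while start < end and chars[start] == (" ", False):
        start += 1
    while end > start and chars[end - 1] == (" ", False):
        end -= 1
    return "".join(ch for ch, _ in chars[start:end])


def _component(attr_type, chars):
    if attr_type is None:
        raise ValueError("RDN component without '='")
    return (attr_type, _text(chars))


def parse_dn(dn):
    """Parse an RFC 4514 DN string into a list of RDNs.

    Each RDN is a list of (attribute_type, value) pairs (more than one for a
    multi-valued RDN joined with '+'). Backslash escapes, including \\XX hex
    pairs, are decoded; a hex pair is decoded as a single Latin-1 byte, so
    multi-byte UTF-8 escapes are not reassembled (a simplification).
    """
    if not dn.strip():
        return []
    rdns, rdn, chars, attr_type = [], [], [], None
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash in DN")
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                chars.append((chr(int(hexpair, 16)), True))
                i += 3
            else:
                chars.append((dn[i + 1], True))   # escaped special character
                i += 2
            continue
        if c == "=" and attr_type is None:
            attr_type = _text(chars).lower()      # attribute types are case-insensitive
            chars = []
        elif c in ",+":
            rdn.append(_component(attr_type, chars))
            chars, attr_type = [], None
            if c == ",":
                rdns.append(rdn)
                rdn = []
        else:
            chars.append((c, False))
        i += 1
    rdn.append(_component(attr_type, chars))
    rdns.append(rdn)
    return rdns


def normalize_dn(dn):
    """Canonical form: types lower-cased, values case-folded with internal
    space runs collapsed, components of a multi-valued RDN sorted."""
    return tuple(
        tuple(sorted((t, re.sub(r" +", " ", v).casefold()) for t, v in rdn))
        for rdn in parse_dn(dn)
    )


def dn_equal(a, b):
    """Structural comparison, as a directory server would do it."""
    return normalize_dn(a) == normalize_dn(b)


def naive_dn_equal(a, b):
    """Case-insensitive string comparison (what 'Use Naive DN Matching' does)."""
    return a.lower() == b.lower()


if __name__ == "__main__":
    bind_dn = "cn=administrator,cn=users,dc=ad,dc=acmecorp,dc=com"
    as_returned = "CN=Administrator, CN=Users, DC=ad, DC=acmecorp, DC=com"
    print("naive:     ", naive_dn_equal(bind_dn, as_returned))   # False
    print("normalized:", dn_equal(bind_dn, as_returned))         # True
```

The naive comparison fails as soon as the server inserts a space after each comma or escapes a comma as `\2c` rather than `\,`; the structural comparison still matches. That is the trade-off the setting makes: faster comparisons in exchange for relying on the directory to return DNs in one consistent form.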

By default, the Active setting on the 'Details' tab is selected. Only clear this setting if you want to prevent all users within the directory from accessing mapped applications. Inactive directories:

  • Are not included when Crowd searches for users, groups, or memberships
  • Still appear in the Crowd Administration Console screens

You can also configure site-wide LDAP connection pool settings. See Configuring the LDAP Connection Pool.

Directory-specific configuration notes

Apache Directory Server (ApacheDS)

Apple Open Directory

  • Crowd's Apple Open Directory support is read-only. You cannot add or update user details or group details in a Crowd-connected OS X Open Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.
  • Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.
  • The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Apple Open Directory.

Fedora Directory Server

  • Crowd supports read-only connections to Fedora DS using the Posix/NIS schema RFC 2307. You cannot add or update user details or group details in a Crowd-connected Fedora Directory server. Users will not be able to change their passwords from Crowd or from Crowd-connected applications.
  • Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.
  • The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in Fedora DS.

Microsoft Active Directory

  • If you want to use a secure SSL connection, make sure you configure an SSL Certificate before enabling this setting.
  • We recommend selecting the Enable Incremental Sync setting to allow Crowd to retrieve changes made after the last synchronization when possible.
  • Specify the Base DN in the following format: dc=domain1,dc=local, replacing domain1 and local with the components of your own domain. Microsoft Server provides a tool called ldp.exe which is useful for discovering and configuring the LDAP structure of your server.
  • If you want to use Crowd to add users or change passwords in Microsoft Active Directory, you will need to obtain an SSL certificate generated by your Active Directory server and install it into your JVM keystore. Please read the instructions: Configuring an SSL Certificate for Microsoft Active Directory.
  • Crowd will synchronize the user status with Active Directory. If a user account is disabled in Active Directory, the user will be deactivated in Crowd, and reciprocally, if a user is deactivated in Crowd, the user account will be disabled in Active Directory. To prevent this synchronization, use Manage User Status Locally in the 'Connector' tab.
  • Users' primary groups in Active Directory will be displayed as regular memberships in Crowd. However, you will not be able to change or remove the user's primary group through Crowd's user interface.
  • If you are using a single Active Directory domain, you should disable "Use node referrals" in the directory configuration. If you have a forest, you should read User lookup fails with PartialResultException in Jira server and ensure your DNS server is configured appropriately.
  • We have not tested Crowd integration with Active Directory Application Mode (ADAM). However, ADAM and Active Directory share the same code base, LDAP interface and API. So ADAM should work with Crowd, following the same integration instructions as above. If you try it, we'd be interested to hear of your experiences.
  • Crowd's Filter out expired users feature requires an LDAP connection that exposes the accountExpires attribute. Care should be taken when connecting to the Active Directory Global Catalog as it does not replicate the aforementioned attribute by default. This may cause inconsistent user status in Crowd.
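
The status and expiry notes above rest on two Active Directory attributes: the ACCOUNTDISABLE bit (0x2) in userAccountControl, and accountExpires, a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) in which both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires". The following added example (not Crowd's code) derives an effective status from constructed entries, treats a missing accountExpires, as you would see from a Global Catalog that does not replicate it, as "unknown" rather than silently "active", and checks the never-expires sentinels before converting, since the large one does not fit in a datetime.

```python
"""Effective AD user status from userAccountControl and accountExpires
(added example; not Crowd code). Entries are constructed, no live directory."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC). Both 0 and
# 0x7FFFFFFFFFFFFFFF mean "never expires"; converting the latter to a datetime
# would overflow, so it must be checked before any conversion.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
ACCOUNTDISABLE = 0x0002          # bit in userAccountControl


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_disabled(user_account_control):
    return bool(user_account_control & ACCOUNTDISABLE)


def is_expired(account_expires, now):
    """True once the expiry instant has passed; None if it cannot be determined."""
    if account_expires is None:
        return None
    if account_expires in NEVER_EXPIRES:
        return False
    return filetime_to_datetime(account_expires) <= now


def effective_status(entry, now):
    """'disabled' wins over 'expired'; a missing accountExpires (e.g. an entry
    read from the Global Catalog) yields 'unknown' instead of a silent 'active'."""
    if is_disabled(entry["userAccountControl"]):
        return "disabled"
    expired = is_expired(entry.get("accountExpires"), now)
    if expired is None:
        return "unknown"
    return "expired" if expired else "active"


# Constructed sample entries (not real directory data). 0x200 = NORMAL_ACCOUNT.
NOW = datetime(2017, 11, 28, tzinfo=timezone.utc)
SAMPLE = {
    "alice": {"userAccountControl": 0x200, "accountExpires": 0},
    "bob":   {"userAccountControl": 0x202, "accountExpires": 0},
    "carol": {"userAccountControl": 0x200,
              "accountExpires": datetime_to_filetime(datetime(2017, 1, 1, tzinfo=timezone.utc))},
    "dave":  {"userAccountControl": 0x200, "accountExpires": 0x7FFFFFFFFFFFFFFF},
    "erin":  {"userAccountControl": 0x200},            # attribute not replicated
}


def statuses(entries=SAMPLE, now=NOW):
    return {name: effective_status(e, now) for name, e in entries.items()}


if __name__ == "__main__":
    for name, status in statuses().items():
        print(f"{name}: {status}")
```

Run as a script it prints alice as active, bob as disabled, carol as expired, dave as active and erin as unknown. The "unknown" outcome is the one to watch for: if a sync treats it as "active", users whose expiry is simply not visible over the Global Catalog keep access.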

Posix Schema for LDAP or OpenLDAP

  • Currently, Crowd supports read-only connections to an LDAP directory using the Posix/NIS schema (RFC 2307); you cannot add or update user details or group details. This is useful if you have a Unix installation and want to integrate with an LDAP directory. The Posix/NIS schema allows integration between an LDAP directory and the Unix NIS (Network Information Service).
  • Crowd will check both the gidNumber and the memberUid attributes to determine if a user is a member of a group. The name of the gidNumber attribute is not configurable — Crowd will always use this attribute to determine membership.
  • The RFC 2307 schema does not support nesting of groups, so Crowd does not support nested groups in the Posix schema.
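
The membership rules stated for Apple Open Directory, Fedora DS and the Posix schema are the same: a user is a member of a posixGroup if the user's gidNumber equals the group's gidNumber (the primary group) or the user's uid is listed in the group's memberUid, and there is no nesting. The following added example (not Crowd's code) resolves memberships over constructed entries under those rules and reports memberUid values that match no user, which is what a group name placed in memberUid, an attempt at nesting, looks like to an RFC 2307 consumer.

```python
"""Resolve RFC 2307 (posixGroup) memberships (added example; not Crowd code).
Entries are constructed dicts standing in for LDAP search results."""

# Constructed sample data (not a real directory).
USERS = [
    {"uid": "alice", "gidNumber": 1000},
    {"uid": "bob",   "gidNumber": 2000},
    {"uid": "carol", "gidNumber": 1000},
]
GROUPS = [
    # 'developers' lists bob explicitly; alice and carol belong via primary gid
    {"cn": "developers", "gidNumber": 1000, "memberUid": ["bob"]},
    # 'admins' names a *group* in memberUid; RFC 2307 has no nesting, so that
    # value never expands to the developers' members
    {"cn": "admins", "gidNumber": 3000, "memberUid": ["alice", "developers"]},
]


def posix_members(group, users):
    """Return (members, dangling): uids that are members through either the
    gidNumber (primary group) or the memberUid attribute, and memberUid values
    that match no user entry (stale references or attempted nesting)."""
    known = {u["uid"] for u in users}
    listed = set(group.get("memberUid", []))
    primary = {u["uid"] for u in users if u["gidNumber"] == group["gidNumber"]}
    return (listed & known) | primary, listed - known


def posix_groups_of(uid, users, groups):
    """Groups a user belongs to, by primary gid or memberUid listing."""
    user = next(u for u in users if u["uid"] == uid)
    return {g["cn"] for g in groups
            if g["gidNumber"] == user["gidNumber"] or uid in g.get("memberUid", [])}


def membership_report(users=USERS, groups=GROUPS):
    return {g["cn"]: posix_members(g, users) for g in groups}


if __name__ == "__main__":
    for cn, (members, dangling) in membership_report().items():
        print(f"{cn}: members={sorted(members)} dangling={sorted(dangling)}")
    print("bob is in:", sorted(posix_groups_of("bob", USERS, GROUPS)))
```

Checking the dangling set after a sync is a cheap way to find the nesting expectation before it becomes an authorization surprise: with the data above, nobody in developers gains admins membership, and the "developers" value in admins is reported rather than silently ignored.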

Last modified on Nov 28, 2017