Confluence 3.3 has reached end of life
Deprecated for Confluence 2.7.0 and later
For Confluence 2.7.0 and above, all user management is performed by AtlassianUser as described in Understanding User Management in Confluence. OSUser user management, described in this document, has been deprecated.
For up-to-date instructions on configuring LDAP authentication, see Add LDAP Integration.
Overview
To configure Confluence to connect to LDAP for user management only, you have two options:
- Use LDAP for users and authentication, not groups. That's described in Add LDAP integration, and includes an optional step to remove group management. This method is supported in Confluence versions after version 2.7.
or
- Create and manage users and groups in Confluence, and use LDAP for authentication only. This is the deprecated OSUser management approach, as described in this document. If a username exists in both Confluence and LDAP, the user logs in with their LDAP password. This method has been deprecated after Confluence version 2.7.
Important Points about Option 2 Above
- Only the password lookup is done against LDAP and only if the Confluence username is the same as the LDAP username. Users and user profiles are still managed in Confluence. See technical explanation below.
- A Confluence account must be created for each LDAP user, as users do not automatically have access. For an LDAP user to access Confluence, a site administrator will still need to create an account for them. The password in this Confluence account will be ignored as the LDAP password will override it.
Instructions
Step 1: Modify atlassian-user.xml to use OSUser Management
For Confluence 2.7 and above, the default user repository is the hibernate repository (Atlassian User). To revert to OSUser, you will need to put the OSUser repository tag in the top position so it's the primary user management option. Modify /confluence/WEB-INF/classes/atlassian-user.xml to contain this:
<atlassian-user>
    <repositories>
        <osuser key="osuserRepository" name="OSUser Repository"/>
        <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
    </repositories>
</atlassian-user>
Note: For Confluence versions prior to 2.7, if you have delegated your user management to JIRA, LDAP or any other external user management system, copy the following files from your old Confluence installation to your new Confluence installation:
- <Installation-Directory>/confluence/WEB-INF/classes/osuser.xml.
- <Installation-Directory>/confluence/WEB-INF/classes/atlassian-user.xml (if you are upgrading from Confluence 2.2 or later).
Step 2: Open the osuser.xml file located in your home directory under WEB-INF/classes
In the osuser.xml file, the CredentialsProviders are responsible for authenticating passwords. The default CachingCredentialsProvider looks in the Confluence database. To enable LDAP authentication, you will need to add an LDAPCredentialsProvider so that LDAP users can also be authenticated.
Here's what the default osuser.xml contains:
<provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
Step 3: Edit the osuser.xml file as shown below
For Confluence version 2.1 and later:
<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
    <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.provider.url">ldap://localhost:389</property>
    <property name="searchBase">dc=atlassian,dc=com</property>
    <property name="uidSearchName">cn</property>
    <!--
    <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
    <property name="java.naming.security.credentials">secret</property>
    <property name="exclusive-access">true</property>
    -->
</provider>
<provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
For older versions of Confluence:
<provider class="com.opensymphony.user.provider.ldap.LDAPCredentialsProvider">
    <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property>
    <property name="java.naming.provider.url">ldap://localhost:389</property>
    <property name="searchBase">dc=atlassian,dc=com</property>
    <property name="uidSearchName">cn</property>
    <!--
    <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property>
    <property name="java.naming.security.credentials">secret</property>
    <property name="exclusive-access">true</property>
    -->
</provider>
<provider class="bucket.user.providers.CachingCredentialsProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingAccessProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
<provider class="bucket.user.providers.CachingProfileProvider">
    <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property>
    <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property>
</provider>
- Update the following properties to suit your LDAP server:
  - url, i.e. java.naming.provider.url (currently set to ldap://localhost:389)
  - searchBase (currently set to dc=atlassian,dc=com)
  - uidSearchName (currently set to cn)
- If your LDAP server is not configured to allow anonymous lookups, you need to:
  - remove the comment tags around the commented-out properties
  - enter the bind username as a full DN, including the searchBase (java.naming.security.principal, currently set to cn=Manager,dc=atlassian,dc=com)
  - enter the bind password (java.naming.security.credentials, currently set to secret)
Credentials (password) checking is a separate operation from user-profile lookups. The profile can be loaded from the Confluence database, while the password is checked against LDAP. Furthermore, multiple credentials providers can be specified (here, LDAP and OSUser), and if one fails, the other will be used. This allows non-LDAP users to log in with their Confluence password.
How this works
It is useful to have a general idea of how this setup works. This section outlines some consequences of this OSUser implementation and provides some help for people experiencing LDAP connection problems.
Only password-checking for LDAP users is done in Confluence
User profiles are still managed in Confluence (by the CachingProfileProvider in osuser.xml). Only the password lookup is performed against LDAP, and only if the Confluence username coincides with an LDAP username. This is because credentials (password) checking is a separate operation from user-profile lookups. The profile can be loaded from the Confluence database, but the password is looked up from LDAP.
Not all LDAP users have Confluence access
Another effect of this implementation is that LDAP users do not automatically have access to Confluence. A Confluence account must be created for each user wishing to use Confluence.
This is because each Confluence user has a set of groups (for example, 'confluence-users') stored in their profile. Without an associated group, that user can do nothing; not even browse Confluence (that is, they lack the 'use' permission).
Thus, for an LDAP user to use Confluence, a Confluence admin must create an account for them and assign them to a group (typically 'confluence-users'). The password in this Confluence account will be ignored, as the LDAP password will override it.
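The following Python is an added example, not Atlassian's or OSUser's code: it parses the credentials-provider chain from an osuser.xml in the Step 3 layout, reports the checks an administrator would want before deploying it (LDAP provider present and first, bind DN still commented out, plain ldap:// transport), and models the login rules this section describes. The sample XML is constructed from the page's snippet; the <opensymphony-user><providers> wrapper and the login() model are assumptions about the file's root elements and about how the chain behaves, not the actual OSUser implementation.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the page's Step 3 snippet; the
# <opensymphony-user><providers> wrapper is an assumption about the file's root.
SAMPLE_OSUSER_XML = """<opensymphony-user><providers>
<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider">
  <property name="java.naming.provider.url">ldap://localhost:389</property>
  <property name="searchBase">dc=atlassian,dc=com</property>
  <property name="uidSearchName">cn</property>
  <!-- <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property> -->
</provider>
<provider class="bucket.user.providers.CachingCredentialsProvider"/>
<provider class="bucket.user.providers.CachingProfileProvider"/>
</providers></opensymphony-user>"""

def credentials_chain(xml_text):
    """Credentials providers in file order (the parser drops XML comments,
    so a commented-out bind DN correctly shows up as absent)."""
    chain = []
    for p in ET.fromstring(xml_text).iter("provider"):
        if p.get("class", "").endswith("CredentialsProvider"):
            chain.append((p.get("class"), {q.get("name"): q.text for q in p.findall("property")}))
    return chain

def audit(xml_text):
    """Defender-side checks: provider order, anonymous lookup, cleartext transport."""
    chain = credentials_chain(xml_text)
    ldap = [i for i, (cls, _) in enumerate(chain) if "LDAPCredentialsProvider" in cls]
    if not ldap:
        return ["no LDAP credentials provider: only Confluence passwords are checked"]
    findings = []
    if ldap[0] != 0:
        findings.append("LDAP provider is not first in the chain (the page's snippet lists it first)")
    props = chain[ldap[0]][1]
    if "java.naming.security.principal" not in props:
        findings.append("no bind DN: lookups run anonymously (fails if the server forbids it)")
    if props.get("java.naming.provider.url", "").startswith("ldap://"):
        findings.append("plain ldap:// URL: bind passwords cross the network unencrypted")
    return findings

def login(username, password, ldap_users, confluence_accounts):
    """Model (assumption) of the page's rules: the LDAP password wins whenever the
    username exists in LDAP, otherwise the Confluence password applies; either way
    the user needs a Confluence account with a group, or they lack 'use' permission."""
    account = confluence_accounts.get(username, {})
    if username in ldap_users:
        ok = ldap_users[username] == password   # Confluence password is ignored
    else:
        ok = account.get("password") == password
    return ok and bool(account.get("groups"))
```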