Editing atlassianUserContext.xml

Now open the atlassianUserContext.xml file in an editor and search for ldapRepository.

A segment of atlassianUserContext.xml
...

<!-- LDAP Configuration -->
<bean id="ldapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository" singleton="true" >
...

Configuring the connection between your LDAP system and Confluence

An example connection, in atlassianUserContext.xml, between Confluence and an LDAP system.

        <property name="connectionProperties">
            <props>
                <prop key="host">acme.server.com</prop>
                <prop key="port">389</prop>
                <prop key="securityPrincipal">cn=admin,dc=atlassian,dc=private</prop>
                <prop key="securityCredential">secret</prop>
                <prop key="securityProtocol">plain</prop>
                <prop key="securityAuthentication">simple</prop>
                <prop key="baseContext">dc=atlassian,dc=private</prop>
                <prop key="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</prop>
                <prop key="batchSize">100</prop>
            </props>
        </property>

If you are unsure what to specify or how to determine these values:

a) if you are using Active Directory, please see this document.
b) otherwise, please see this document.

Mapping your LDAP Data Information Tree to Confluence

An example configuration of mappings, in atlassianUserContext.xml, between Confluence and an LDAP system.

        <property name="schemaMappingsProperties">
            <props>
                <prop key="baseUserNamespace">ou=people,dc=atlassian,dc=private</prop>
                <prop key="baseGroupNamespace">ou=groups,dc=atlassian,dc=private</prop>
                <prop key="usernameAttribute">cn</prop>
                <prop key="userSearchFilter">(objectClass=inetorgperson)</prop>
                <prop key="firstnameAttribute">givenname</prop>
                <prop key="surnameAttribute">sn</prop>
                <prop key="emailAttribute">mail</prop>
                <prop key="groupnameAttribute">cn</prop>
                <prop key="groupSearchFilter">(objectClass=groupOfNames)</prop>
                <prop key="membershipAttribute">member</prop>
                <prop key="userSearchAllDepths">true</prop>
                <prop key="groupSearchAllDepths">true</prop>
            </props>
        </property>

For further details on these attributes:

a) if you are using Active Directory, please see this document.
b) otherwise, please see this document.

Configuring the LDAP Connection Pool

Adjust these values as required, but we advise you to leave the timeout property at zero.

Configuring an LDAP connection pool in the ldapRepository bean
        <constructor-arg>
            <props>
                <prop key="com.sun.jndi.ldap.connect.pool.maxsize">0</prop>
                <prop key="com.sun.jndi.ldap.connect.pool.initsize">10</prop>
                <prop key="com.sun.jndi.ldap.connect.pool.prefsize">10</prop>
                <!-- LDAP connection pool debugging setting -->
                <!-- <prop key="com.sun.jndi.ldap.connect.pool.debug">fine</prop> -->
                <prop key="com.sun.jndi.ldap.connect.pool.protocol">plain ssl</prop>
                <prop key="com.sun.jndi.ldap.connect.pool.authentication">none simple DIGEST-MD5</prop>
                <!-- TTL for each connection in milliseconds. An idle connection reaching this limit will be destroyed. -->
                <prop key="com.sun.jndi.ldap.connect.pool.timeout">0</prop>
            </props>
        </constructor-arg>

It is important that the connection pool timeout value be set to 0, as this forces Atlassian User (via the JNDI layer) to clean up lingering connections that have lived past one request. More information about LDAP connection pools is available here.
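As an added check, not part of this page or of the Atlassian product, the script below parses repository beans in the shape shown in the connection and pool sections above and flags the two settings a reviewer would want to catch: a simple bind over securityProtocol plain, which sends the securityCredential password across the network unencrypted, and a pool timeout other than the 0 this page advises. The sample XML is constructed for the example; a missing securityProtocol is assumed to mean plain, JNDI's default.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the atlassianUserContext.xml snippets above:
# one repository bound in cleartext, one over SSL but with a non-zero pool timeout.
SAMPLE_XML = """<beans>
 <bean id="ldapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository">
  <constructor-arg><props>
   <prop key="com.sun.jndi.ldap.connect.pool.timeout">0</prop></props></constructor-arg>
  <property name="connectionProperties"><props>
   <prop key="securityProtocol">plain</prop><prop key="securityAuthentication">simple</prop>
  </props></property>
 </bean>
 <bean id="otherLdapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository">
  <constructor-arg><props>
   <prop key="com.sun.jndi.ldap.connect.pool.timeout">300000</prop></props></constructor-arg>
  <property name="connectionProperties"><props>
   <prop key="securityProtocol">ssl</prop><prop key="securityAuthentication">simple</prop>
  </props></property>
 </bean>
</beans>"""

LDAP_REPO_CLASS = "com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository"
POOL_TIMEOUT_KEY = "com.sun.jndi.ldap.connect.pool.timeout"

def _props(node):
    """Flatten every <prop key="...">value</prop> below node into a dict."""
    return {p.get("key"): (p.text or "").strip() for p in node.iter("prop")}

def audit_ldap_repositories(xml_text):
    """Return {bean id: [finding, ...]} for every DefaultLDAPRepository bean."""
    findings = {}
    for bean in ET.fromstring(xml_text).iter("bean"):
        if bean.get("class") != LDAP_REPO_CLASS:
            continue
        conn, pool = {}, {}
        for prop in bean.findall("property"):
            if prop.get("name") == "connectionProperties":
                conn = _props(prop)
        for arg in bean.findall("constructor-arg"):  # the pool <props> live here
            pool.update(_props(arg))
        issues = []
        # A simple bind sends securityCredential as-is; only the transport protects it.
        # An absent securityProtocol is treated as plain, which is the JNDI default (assumption).
        if conn.get("securityProtocol", "plain") == "plain" and conn.get("securityAuthentication") == "simple":
            issues.append("simple bind over plain LDAP: the bind password crosses the network unencrypted")
        if pool.get(POOL_TIMEOUT_KEY) != "0":
            issues.append(f"pool timeout is {pool.get(POOL_TIMEOUT_KEY, 'unset')}; this page advises 0")
        findings[bean.get("id")] = issues
    return findings
```

Run it against a real file with `audit_ldap_repositories(open(path).read())`; an empty list for a bean means both checks passed.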

Configuring access to multiple LDAP repositories (or multiple base paths, domains etc.)

This advice is experimental.

You only have to do this if you want to use more than one LDAP repository or base path.

To provide additional LDAP repositories, or even different repository paths within a single repository, it is necessary to configure additional LDAP beans.

Copy and paste your current LDAP repository configuration bean and give it a different ID.

Additional LDAP repository configuration
<!-- LDAP Configuration -->
<bean id="otherLdapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository" singleton="true" >
...

Configure this bean as above to use the additional LDAP server and/or base path.

Add another authenticator to use the new repository.

Adding another LDAP authenticator
<bean id="otherLdapAuthenticator" class="com.atlassian.user.impl.ldap.security.authentication.DefaultLDAPAuthenticator" singleton="true">
    <constructor-arg index="0">
        <ref bean="otherLdapRepository"/>
    </constructor-arg>
</bean>

Finally, add this authenticator to the list of authenticators Confluence will check. Search for authenticator and add the new LDAP authenticator as below.

Adding a repository to the authenticator
<bean id="authenticator" class="com.atlassian.user.impl.delegation.security.authentication.DelegatingAuthenticator" singleton="true">
    <constructor-arg index="0">
        <ref bean="userManager"/>
    </constructor-arg>
    <constructor-arg index="1">
        <list>
            <ref bean="ldapAuthenticator"/>
            <ref bean="otherLdapAuthenticator"/> <!-- Add additional authenticators here -->
            <ref bean="hibernateAuthenticator"/>
        </list>
    </constructor-arg>
</bean>
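An added check for the three-step procedure above (not part of this page or of the Atlassian product): it reads beans in the shape shown here and reports any DefaultLDAPRepository that no DefaultLDAPAuthenticator refers to, and any LDAP authenticator that was defined but never added to the DelegatingAuthenticator list, which is the step most easily forgotten and leaves that repository's users unable to log in. The sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: three repositories, one of which has no authenticator at all,
# and only ldapAuthenticator is wired into the DelegatingAuthenticator list.
SAMPLE_XML = """<beans>
 <bean id="ldapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository"/>
 <bean id="otherLdapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository"/>
 <bean id="thirdLdapRepository" class="com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository"/>
 <bean id="ldapAuthenticator" class="com.atlassian.user.impl.ldap.security.authentication.DefaultLDAPAuthenticator">
  <constructor-arg index="0"><ref bean="ldapRepository"/></constructor-arg></bean>
 <bean id="otherLdapAuthenticator" class="com.atlassian.user.impl.ldap.security.authentication.DefaultLDAPAuthenticator">
  <constructor-arg index="0"><ref bean="otherLdapRepository"/></constructor-arg></bean>
 <bean id="authenticator" class="com.atlassian.user.impl.delegation.security.authentication.DelegatingAuthenticator">
  <constructor-arg index="0"><ref bean="userManager"/></constructor-arg>
  <constructor-arg index="1"><list><ref bean="ldapAuthenticator"/><ref bean="hibernateAuthenticator"/></list></constructor-arg>
 </bean>
</beans>"""

REPO_CLASS = "com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository"
AUTH_CLASS = "com.atlassian.user.impl.ldap.security.authentication.DefaultLDAPAuthenticator"
DELEGATING_CLASS = "com.atlassian.user.impl.delegation.security.authentication.DelegatingAuthenticator"

def check_authenticator_wiring(xml_text):
    """Return (repositories with no LDAP authenticator, authenticators absent from the delegating list)."""
    beans = {b.get("id"): b for b in ET.fromstring(xml_text).iter("bean")}
    repos = {i for i, b in beans.items() if b.get("class") == REPO_CLASS}
    # Map each DefaultLDAPAuthenticator to the repository its constructor-arg refers to.
    auth_to_repo = {}
    for i, b in beans.items():
        if b.get("class") == AUTH_CLASS:
            ref = b.find("./constructor-arg/ref")
            auth_to_repo[i] = ref.get("bean") if ref is not None else None
    # Every <ref> under the DelegatingAuthenticator; userManager lands here too, harmlessly.
    wired = {r.get("bean") for b in beans.values() if b.get("class") == DELEGATING_CLASS for r in b.iter("ref")}
    orphan_repos = sorted(repos - set(auth_to_repo.values()))
    unwired_auths = sorted(a for a in auth_to_repo if a not in wired)
    return orphan_repos, unwired_auths
```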