Auto-login and local users

Hello, 

My users are logged in automatically in Confluence (without any login page).

Is there a way to log in with an admin account even if all Active Directory servers are down?

And does the user cache remain after a reboot?


We have our technical documentation on that system and it should be available even with part of your infrastructure down (i.e. Active Directory).


I am using Confluence HTTP Authenticator (and no budget for shiny paid SSO solutions, unfortunately).

11 answers

Hi Anael,

Yes, it is possible to log in with admin rights even if your AD server is down.

In this case you would log in as an internal administrator, which is stored in the Confluence Internal Directory. Of course, this directory must be enabled for this to work. We don't suggest you disable the Internal directory.

You can identify and recover the password for the local administrator following the instructions from this article.

Regards,
LM

1 vote

Hi Anael,

I believe it depends on the order of the user directories in Confluence. If the internal directory is in the first position, then even if the LDAP crashes, you can still log in with the internal admin. However, if the LDAP is in the first position, the instance will fail with the sync and the subsequent logins won't work.

Regards,

Rodrigo

Even with the correct order my Confluence HTTP Authenticator doesn't allow local users to log in.

It all depends on what solution you are using for SSO - can you share more details? Some SSO solutions (like our EasySSO) provide means to skip SSO via a special URL and revert to the regular application (Confluence) login page. Your ability to log in with an account then depends on how the application is configured - if the account is local then it should be possible. Re: user cache - please elaborate what cache is meant and where.

Thanks Luiz,

I have the internal directory enabled and I have set a dummy admin account and set its password.

I have tried to log in using that admin account, but no luck, unable to log in. If I delete the LDAP config I can log in with that admin user so the account seems properly set.

Should I use any directory prefix when I try to log in with a local account? (like Internal\dummyAdmin)

 

Bruno Vincent Community Champion Sep 03, 2015

Hi Anael, Another option would be to use Crowd. You would configure Confluence to use Crowd as its user management system and link Crowd to two different directories: 1/ Active Directory 2/ An internal Crowd directory in which you would have your local admin accounts. You would then be able to log onto Confluence with your admin accounts even if Active Directory is down. My 2 cents :-) Best regards, Bruno

As Rodrigo mentions below - check the sequence of directories. I suppose since the login is a "dummy" one - a user with the same login doesn't exist in the LDAP/AD directory.

And the question still remains - how does this map to your "my users are being logged in automatically" i.e. SSO solution. Would you be using this account only when SSO fails i.e. your SSO solution does have a fallback URL (the regular login page)?

It doesn't seem I can have a fallback URL with "Confluence HTTP Authenticator". I will dig into the documentation to find if it exists.

I am using Confluence HTTP Authenticator (and no budget for shiny paid SSO solutions, unfortunately).

I could use a workaround with a script when an issue occurs:
Replace the configuration with the SSO-config to be able to log in on the wiki.

After the problem is solved: another script to set the SSO-config back in place.

Bruno Vincent Community Champion Sep 04, 2015

Hi Anael, I certainly do not want to go on and on about this, I did get that you do not have extra budget for any other software or integration right now. However I just wanted to let you know about a successful configuration that I have just tested in two minutes' time on my test environment. It might be interesting for you if you don't find any other solution. So, as I wrote earlier, I configured Confluence to use Crowd and I linked Crowd to an internal directory containing the local admin accounts and an AD Active Directory containing the Windows user accounts. Windows SSO (no login page) is provided by this add-on: https://marketplace.atlassian.com/plugins/com.cleito.iwaac I stopped the AD domain controller so as to simulate a problem and I was still able to log in to Confluence using the local admin accounts without changing any configuration file. Hope this might help. Best regards, Bruno

So, SSO happens before Confluence (probably in front-facing Apache?). This is where a "bypass" needs to be configured and the questions about "AD being offline" are to that authenticator, not Confluence, e.g. if AD is offline, will the SSO authenticator fail completely or let you through to the Confluence login page (where the local admin should work in this situation)? In this kind of setup Apache is playing a "reverse proxy" and the location being proxied is configured to do something to perform SSO. You probably need to set up another location in Apache _without SSO_ proxying the same Confluence instance. Confluence may require a separate entry (and a separate port) in server.xml with correct proxy details.

Re: separate entry/separate port - I meant separate Connector element on a different port

All the SSO configuration is in Tomcat. I have an Apache proxy in front to have a better looking URL (no port 8090).

Hum, could be a good idea, I did not think about multiple connectors in Tomcat. I will try that.

Where does the SSO authenticator take headers from, i.e. who actually authenticates the user?
