
Can confluence use windows authentication when connecting to Active Directory

Martin Jæger March 19, 2014

When I create an AD user directory, I see the password of that user, in clear text, in the database.
Not cool. That would definitely not get approved by the security team in my company.

I would like the AD lookup to use Windows authentication. I have already set up the Confluence service to run as a domain account.

Can I somehow tell Confluence to use that security context for LDAP queries against my Active Directory?

1 answer

0 votes
Tiago Comasseto
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 19, 2014

Hi Martin,

I really think that some confusion may have happened, as Confluence doesn't store LDAP passwords in plain text in the database.

Also, as for Integrated Windows Authentication, it can be done in two different ways for Confluence:

Cheers

Martin Jæger March 20, 2014

Hi Tiago,

Thanks for commenting.
Let me try to clarify.

When creating an LDAP user directory, I provide a username and password that will be used when fetching users and groups. The password provided here is saved to the database in clear text.

It is being saved to the table: [cwd_directory_attribute] with attributename as [ldap.password], and the password as value.

That is my concern.

It may be a solution to create a domain account that has that single purpose, to read from AD, and then "live with" the fact that its password is revealed in the DB.

Another solution would be to use anonymous lookup, and configure the AD to allow anonymous access from the Confluence server's specific IP address. Can that be configured in Confluence? (to use anonymous LDAP access)

Cheers!

Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
March 20, 2014

A third option on the authentication-in-windows thing - you might want to look at http://www.adaptavist.com/w/products-plugins/enterprise-products/adaptavist-umbrella/ (As well as "log into Windows and you're in Confluence too", it does SAML and some other stuff people ask for here)

And yes, this is a bit of a blatant plug, so I should say that I work for Adaptavist at the moment. I've not been involved in the development of it, it was there before I was, but I can vouch for the really good people who did write it.

Davin Studer
Rising Star
March 20, 2014

It is not in clear text in our installation. Sounds like you've got a weird setup to me.

Nic Brough -Adaptavist-
Community Leader
March 20, 2014

Yes, I should have said that too - the couple of AD connected Confluences I've dipped into today are definitely not storing plaintext passwords.

Martin Jæger March 20, 2014

Wow. That is really weird! What kind of database are you guys using? I'm wondering if "MS SQL Server" is not supporting some special "password-field" used in other types of databases, making it save the password in clear text?

https://answers.atlassian.com/questions/266580/crowd-stores-ldap-directory-password-as-plaintext-in-backup-file

The link above is not the exact problem, but I think it relates very well.

If you have access to the Confluence database, then try running this query and see what you get:

SELECT [directory_id],[attribute_value],[attribute_name] FROM <DatabaseName>.[dbo].[cwd_directory_attribute] WHERE attribute_name = 'ldap.password'

Update: Just tested on PostgreSQL. Same issue here. LDAP password is stored in clear text.

Tiago Comasseto
Rising Star
March 20, 2014

Hi Martin, same for me on MSSQL, the passwords are not in clear text. May I know what your Confluence version is?

Cheers

Martin Jæger March 20, 2014

Hi Tiago. Sure, the version I'm running is 5.4.3 (64-bit).

Verified the same behavior on v. 5.0.1 and 4.3.5 (all 64-bit).

Tiago, have you tried running the SQL I provided? I would be very surprised if you see a "scrambled" password. If you do, I would like to know which version you are seeing it on :)
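
Added example, not part of the original thread: the check from the query above, done so that the bind password is compared but never displayed or written to a query result. It assumes the operator supplies the bind password they configured; the function names are hypothetical, and an in-memory SQLite table with constructed rows stands in for the Confluence database.

```python
import hmac
import sqlite3

QUERY = (
    "SELECT directory_id, attribute_value "
    "FROM cwd_directory_attribute "
    "WHERE attribute_name = 'ldap.password' "
    "ORDER BY directory_id"
)

def audit_ldap_password(conn, bind_password):
    """Classify each stored ldap.password without returning or printing it.

    'cleartext'     stored value equals the bind password byte for byte
    'not-cleartext' stored value differs (encoded, encrypted, or another password)
    'empty'         no value stored
    """
    cur = conn.cursor()
    cur.execute(QUERY)
    findings = []
    for directory_id, stored in cur.fetchall():
        if not stored:
            status = "empty"
        elif hmac.compare_digest(stored.encode("utf-8"), bind_password.encode("utf-8")):
            status = "cleartext"
        else:
            status = "not-cleartext"
        findings.append((directory_id, status))
    return findings

def build_sample_db():
    """Constructed stand-in for the Confluence database (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cwd_directory_attribute ("
        "directory_id INTEGER, attribute_name TEXT, attribute_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO cwd_directory_attribute VALUES (?, ?, ?)",
        [
            (1, "ldap.password", "Example-Bind-Pw-1"),     # stored exactly as typed
            (1, "ldap.url", "ldap://dc.example.test:389"),  # unrelated attribute
            (2, "ldap.password", "e1hYWH1ub3QtcmVhbA=="),  # opaque stored value
            (3, "ldap.password", ""),                       # nothing stored
        ],
    )
    return conn

if __name__ == "__main__":
    for directory_id, status in audit_ldap_password(build_sample_db(), "Example-Bind-Pw-1"):
        print(directory_id, status)
```

Against a real instance, pass a DB-API connection to the Confluence database instead of `build_sample_db()`; only the directory id and the classification are reported.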
