Confluence - LDAP integration doing my head in :)

Confluence 4.0 / Windows Server 2008 / Microsoft Active Directory

We have a directory of over 5000 users. What we want is for a user to come to the Confluence application and be able to use it straight away without any administration involvement. So far we have tried Microsoft Active Directory with Read Only with Groups. "Sync fails" and while the user GUID appears correctly in the header the message they get is "Access not permitted" which means that they are not being added to a group. Why?

Tried "Delegated LDAP Integration" which seems to be a better option but still doesn't work.

So while there is a great deal of documentation we are still a bit lost.

1. Do we need to create 'confluence-user' as a group in Active Directory?

2. What is the best LDAP integration option given the requirement of how a user can access the site?

3. What causes the sync to fail?

Any and all help is greatly appreciated.

4 answers

1 accepted

This is found in the schema settings on the User Directories page. You want to set your Base DN as dc=yourcompany, dc=local. Additional User DN as ou=YourDifferentFolder, Additional Group DN as ou=YourSpecialGroup. A couple of other things I found were: Uncheck Follow Referrals under Advanced Settings for better performance. If you decide to create groups in AD, create them in AD, then synchronize, rather than creating them in Confluence. Any group created in Confluence is created as a Distribution Group rather than a Security Group.

Supposedly, Confluence is supposed to be able to create groups internally. I found that not to be true, unless a User Directory was created that has Read\Write capability.

If a group has been created in AD and LDAP has been synched with Confluence, users can log on to Confluence using their Windows logon/password.

Any group that was added to AD can be found in Confluence and users can then be added to the group.

In the end, I was forced to go into User Directories, create a "Corporate Directory" utilizing Microsoft AD (Read\Write). I am not happy with that at ALL because now Confluence has the ability to write back to LDAP.

If you delete a user in Confluence, the same user is deleted from AD - And here's some extra crazy-talk: If you add a user to a group in Confluence, the user is NOT added to the security group in AD.

In LDAP SCHEMA Part of the directory configuration:

Fields: "Additional USER DN" and "Additional GROUP DN"

The connector searches the LDAP tree from BASE (you put that in the field "BASE DN").

If you want to limit the searches to only a part of the tree, fill in the Additional fields.

Remember:

{Additional DN Field value}{BaseDN}

ou=exampletreegroup,dc=my,dc=company,dc=org

Means that BASE DN equals "dc=my,dc=company,dc=org" and

ADDITIONAL equals "ou=exampletreegroup"

For AD Integration as it works here I have done the following:

Set-up Confluence

Add AD as READ ONLY:

  • Make sure you have a bind user which has read permissions on User objects and group objects
  • Tell Confluence where to search for users. You don't want service user accounts to be able to see the wiki right?
  • Tell Confluence where to search group information.
  • In Confluence Global Options: Add the AD Group to the "View" Permissions, in which all your users are.

After that, NTLM is a nice thing to authenticate, but that is a different story.

Thanks that helped a bunch. So the only remaining bit is to know how to get Confluence to search a specified folder. For some reason it searched our USERS folder at the base of AD. I need it to search a different folder where the required group is. Ideas?
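The following is an added example, not code from the original thread or from Atlassian. It shows in working Python the two things the answers above describe: how the Additional User DN / Additional Group DN fields are prepended to the Base DN to form the effective search base, and why a user whose object sits outside that subtree (a service account in its own OU, or an account in the default CN=Users container) is simply never returned. It also builds an LDAP filter that restricts the user search to members of one group, escaping the group DN per RFC 4515 so characters in the DN cannot change the filter's meaning. The directory config values, the sample entries, and the assumed shape of Confluence's default AD user filter `(&(objectCategory=Person)(sAMAccountName=*))` are all constructed for illustration; multi-valued RDNs (`ou=a+cn=b`) are not handled.

```python
"""Added example: how "Additional User/Group DN" narrows a Confluence LDAP search.

Confluence joins "{Additional DN},{Base DN}" to form the search base.  Parse
DNs per RFC 4514 (handling backslash-escaped commas), compose the effective
bases, and check which constructed sample entries fall under each one.
All DNs and OU names below are constructed for illustration.
"""

# Constructed directory configuration (assumed values, not from the thread)
BASE_DN = "dc=my,dc=company,dc=org"
ADDITIONAL_USER_DN = "ou=Staff"
ADDITIONAL_GROUP_DN = "ou=Wiki Groups"

# Constructed sample entries as AD would return them (mixed case is deliberate)
SAMPLE_ENTRIES = {
    "jsmith": "CN=John Smith,OU=Staff,DC=my,DC=company,DC=org",
    "escaped": "CN=Doe\\, Jane,OU=Staff,DC=my,DC=company,DC=org",
    "svc_backup": "CN=svc_backup,OU=Service Accounts,DC=my,DC=company,DC=org",
    "ADMIN": "CN=Administrator,CN=Users,DC=my,DC=company,DC=org",
    "wiki-users": "CN=wiki-users,OU=Wiki Groups,DC=my,DC=company,DC=org",
}


def split_rdns(dn):
    """Split a DN into RDN strings; a backslash escapes the following char."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_dn(dn):
    """Normalise each RDN to 'type=value' in lower case (AD matches case-insensitively)."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def effective_base(additional_dn, base_dn):
    """Confluence prepends the Additional DN; an empty field means the Base DN itself."""
    return base_dn if not additional_dn.strip() else f"{additional_dn},{base_dn}"


def is_under(entry_dn, base_dn):
    """True when entry_dn sits at or below base_dn (RDN-list suffix match)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def visible_users(additional_user_dn=ADDITIONAL_USER_DN, base_dn=BASE_DN):
    """Keys of the sample entries a subtree search from the user base would return."""
    base = effective_base(additional_user_dn, base_dn)
    return sorted(k for k, dn in SAMPLE_ENTRIES.items() if is_under(dn, base))


# RFC 4515 escapes for values embedded in a search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_member_filter(group_dn):
    """User filter limited to members of one group.

    The first two terms mirror the assumed shape of Confluence's default AD
    user filter; the memberOf term is the added restriction.  The '*' in
    sAMAccountName is an intentional wildcard; only the DN value is escaped.
    """
    return ("(&(objectCategory=Person)(sAMAccountName=*)"
            f"(memberOf={escape_filter_value(group_dn)}))")


if __name__ == "__main__":
    print("user base :", effective_base(ADDITIONAL_USER_DN, BASE_DN))
    print("group base:", effective_base(ADDITIONAL_GROUP_DN, BASE_DN))
    print("users found with Additional User DN set:", visible_users())
    print("users found with Additional User DN empty:", visible_users(""))
    print("filter:", group_member_filter(SAMPLE_ENTRIES["wiki-users"]))
```

With the Additional User DN set to `ou=Staff`, only the two Staff entries are returned; the service account and the built-in Administrator are outside the subtree and never become Confluence users, which is the "tell Confluence where to search for users" point above. Clearing the field widens the search to the whole domain. The `memberOf` filter is the usual way to make a read-only AD directory admit only the members of one group without granting the bind account any write rights.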
