How can I select what user directory to authenticate a new user against?

Johan Hallgren January 8, 2013

In Confluence we have always used LDAP authentication, but used Confluence's internal groups for authorization. Due to organizational reasons, we have two LDAP directories defined; most users exist in one of those directories, the others in the other. When using OSUser.xml in version 3.2, this setup worked fine: we had both directories defined in osuser.xml (along with the internal Confluence authenticator), and when a user was created in Confluence, they were not associated with any particular directory; they were set up internally, and when logging in would be authenticated against the directories in turn. If the first LDAP directory did not have that user the second one would be tried, and would work.

However, after upgrading to Confluence 4.3.5, using multiple directories no longer works, since now each user appears to be associated with a particular directory (the first one in the directory order). This means that if a user that exists only in the second defined LDAP directory gets added, they cannot login, since their user profile assumes they belong to the first one. In looking at the user profile, it appears that the directory field is not editable.

Is there some alternative way to associate a user with a specific directory on creation or later, or is this a setup that only worked using OSUser?

2 answers

1 accepted

0 votes
Answer accepted
Johan Hallgren January 13, 2013

I haven't been able to find any information about how to select in which directory a user gets created, so will have to conclude that at this time that we'll have to manually edit the database in case a user needs to be authenticated against the second configured LDAP directory. I would definitely be keen to see this changed in future versions; thankfully we have only a few users in the second directory, but of course we'd like to stay away from direct database edits in any event.

0 votes
RianA
January 8, 2013

Hi Johan,

There might be some issue with configuration if that's the case. If there are two directories, Confluence will check on the first directory if that user exists; if he doesn't, Confluence should look on the second directory, and so on based on the sequence. If the user can't log in, most probably the user exists on the first directory with different credentials. Perhaps you could try to check with your LDAP administrator to see if the user exists on the first directory as well.

Hope it helps.

Johan Hallgren January 8, 2013

Hi Rian,

Thanks for the insight! The users definitely only exist in one LDAP directory (both directories are AD and we use sAMAccountName as user name in one and userPrincipalName in the other; these fields are structured differently in the directories, so there is no overlap of users).

The issue seems to be that in 4.5.3 (or any version no longer using OSUser), it seems that each user gets associated with a specific directory. When we upgraded to this version we directly updated the database to associate each user with the correct directory. However, when new users are created in Confluence, it appears that they get associated with the first directory by default (CWD_USER.DIRECTORY_ID for the user is that of the first directory), even though the user does not exist in that directory. There appears to be no way in the app of instead associating the user with the second directory when creating the user. If that association could be set or edited later then there would be no issue for us. Is there a way to do that that I am missing?

Thanks again,
Johan H
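As an added example (not part of this thread, and not Atlassian's own procedure), this is the direct database edit the accepted answer and the comment above refer to, done with an audit query first and the update guarded inside a transaction. It assumes the embedded Crowd schema: the CWD_USER.DIRECTORY_ID column named in the thread, plus cwd_user.user_name and a cwd_directory table with id, directory_name and active columns, which are assumptions here. The directory names and the user name are placeholders, not values from the thread. Stop Confluence before making the change so its user cache cannot hold the stale directory id, and verify by logging in as that user afterwards.

```sql
-- Added example, not from the original thread. Assumes the embedded Crowd
-- schema (cwd_user.directory_id from the thread; cwd_directory columns are
-- assumptions). All directory and user names below are placeholders.

-- 1. Audit: which directory is every user currently bound to?
--    Users from the second LDAP whose row points at the first directory
--    are the ones that cannot log in.
SELECT u.user_name, u.directory_id, d.directory_name, d.active
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
ORDER BY d.directory_name, u.user_name;

-- 2. Confirm the target directory exists and is active before touching anything.
SELECT id, directory_name, active
FROM cwd_directory
WHERE directory_name = 'SECOND-LDAP-DIRECTORY';   -- placeholder

-- 3. Re-point one user inside a transaction. The WHERE clause only matches
--    if the row still references the first directory AND the target directory
--    is active, so a typo in a directory name updates zero rows instead of
--    writing a NULL or wrong directory_id.
BEGIN;

UPDATE cwd_user
SET directory_id = (
    SELECT id FROM cwd_directory
    WHERE directory_name = 'SECOND-LDAP-DIRECTORY' AND active = 1
)
WHERE user_name = 'jdoe'                                  -- placeholder user
  AND directory_id = (
    SELECT id FROM cwd_directory
    WHERE directory_name = 'FIRST-LDAP-DIRECTORY'           -- placeholder
  )
  AND EXISTS (
    SELECT 1 FROM cwd_directory
    WHERE directory_name = 'SECOND-LDAP-DIRECTORY' AND active = 1
  );

-- 4. Check the result: exactly one row, now carrying the second directory's id.
SELECT u.user_name, u.directory_id, d.directory_name
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE u.user_name = 'jdoe';

COMMIT;   -- use ROLLBACK instead if step 4 does not show the expected row
```

The audit query in step 1 is the check worth keeping around: run it after each upgrade or bulk user import to catch accounts whose directory_id disagrees with where the account really lives, since such a user cannot authenticate until the row is corrected.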
