I have configured Confluence to use corp LDAP (directory). We have a 2000 user license but organization have ~5000 users. I have allowed all the users to login but only ~1500 users have global CAN USE permission.
Anonymous users have global CAN USE permission. So anyone can view pages without loging in. Now, because some of the users don't have explicit CAN USE permission, they can login but cannot view those pages which they can view without loging in.
I saw a similar question here -> https://answers.atlassian.com/questions/128306/i-have-a-50-user-license-for-confluence-and-have-200-users-in-my-active-directory-how-can-i-set-up-confluence-to-allow-50-named-users-with-login-access-to-confluence-and-the-remaining-users-view-only-access. But the solution requires modifications to LDAP directory itself.
Is there an alternative available where either non active users are not allowed to login, or non active users can be treated as anonymous?
The only thing I can think of is to make the users access another page (e.g. hosted by Apache) that will authenticate the users via kerberos or other tool. If the user matches with the LDAP user, then he'll be redirected to this page: (eg. http://localhost:8888/dashboard.action?os_username=anonymous&os_password=anonymous) then the user will be logged in directly as anonymous.
Hope it helps!
The solution proposed in the answers post you cite does not necessarily mean that you have to modify your LDAP. The important take away from the post you cite is that your population of privilidged users must be part of some group or groups that differentiate them from your non privilidged users. You can absolutely take advantage of existing groups within your LDAP to achieve the same affect. You will just need to make sure that the groups that you have provisioned your users in have the global "CAN USE" permission. So long as those users that do not need an explicit login are part of groups that do not have "CAN USE" permissions they will not count againt your license total. Below is a document on our global permissions overview and a document on enabling anonymous access.
If it were my instance I would write a custom LDAP filter to only pull those people I wanted to set explicit access into confluence. I would try to exclude those groups that did not need access to confluence so as not to clutter my user managment area. Below is a document we have that details writing custom LDAP filters.
Please let us know if you have any questions about this process or if any of the points I have made above are unclear.
Sorry for not clearly stating my problem. Here is a short summary.
I have given anonymous acces at global level and at space level. So users can view the page when they are not logged in. But they cannot see when they login. Because none of their groups have "CAN USE" permission.
Is there a way to either not allow non-licensed users to login, or treat non non-licensed users as anonymous? Without modifying LDAP.
LDAP filter is a good idea. But I thought there is a builtin way to grant anonymous permissions to all logged in users at least.
Hello Community, Jessica here from the Confluence product marketing team! Today I wanted to get your takes on project planning –– what works, what doesn’t, how do you know if you’re doing it r...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs