How to enable anonymous access for all the LDAP users?

Pankaj Jangid
Community Leader
February 17, 2013

I have configured Confluence to use corp LDAP (directory). We have a 2000 user license but the organization has ~5000 users. I have allowed all the users to log in but only ~1500 users have global CAN USE permission.

Anonymous users have global CAN USE permission. So anyone can view pages without logging in. Now, because some of the users don't have explicit CAN USE permission, they can log in but cannot view those pages which they can view without logging in.

I saw a similar question here -> https://answers.atlassian.com/questions/128306/i-have-a-50-user-license-for-confluence-and-have-200-users-in-my-active-directory-how-can-i-set-up-confluence-to-allow-50-named-users-with-login-access-to-confluence-and-the-remaining-users-view-only-access. But the solution requires modifications to the LDAP directory itself.

Is there an alternative available where either non-active users are not allowed to log in, or non-active users can be treated as anonymous?

2 answers

1 vote
Bruna Griebeler
Rising Star
February 18, 2013

Hi there!

The only thing I can think of is to make the users access another page (e.g. hosted by Apache) that will authenticate the users via Kerberos or another tool. If the user matches with the LDAP user, then he'll be redirected to this page: (e.g. http://localhost:8888/dashboard.action?os_username=anonymous&os_password=anonymous) then the user will be logged in directly as anonymous.

Hope it helps!

0 votes
Daniel Borcherding
Rising Star
February 19, 2013

Hello Jangid,

The solution proposed in the answers post you cite does not necessarily mean that you have to modify your LDAP. The important takeaway from the post you cite is that your population of privileged users must be part of some group or groups that differentiate them from your non-privileged users. You can absolutely take advantage of existing groups within your LDAP to achieve the same effect. You will just need to make sure that the groups that you have provisioned your users in have the global "CAN USE" permission. So long as those users that do not need an explicit login are part of groups that do not have "CAN USE" permissions they will not count against your license total. Below is a document on our global permissions overview and a document on enabling anonymous access.

https://confluence.atlassian.com/display/DOC/Global+Permissions+Overview

https://confluence.atlassian.com/display/DOC/Setting+Up+Public+Access

If it were my instance I would write a custom LDAP filter to only pull those people I wanted to set explicit access into Confluence. I would try to exclude those groups that did not need access to Confluence so as not to clutter my user management area. Below is a document we have that details writing custom LDAP filters.

https://confluence.atlassian.com/display/DEV/How+to+write+LDAP+search+filters

Please let us know if you have any questions about this process or if any of the points I have made above are unclear.
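A sketch of the custom filter approach described in the answer above, added here as an example and not part of the original thread: it builds a user filter that admits only direct members of the groups holding "CAN USE", escaping each group DN per RFC 4515. The group DNs, the `memberOf` attribute and the base filter are assumptions about the directory, and the function names are hypothetical.

```python
# Added example, not from the thread. All DNs below are constructed samples.

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_SPECIAL = '\\*()\x00'


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in _SPECIAL else ch
                   for ch in value)


def licensed_user_filter(group_dns, base_filter='(objectClass=person)'):
    """AND the base user filter with an OR over memberOf=<group DN>.

    Assumes the directory exposes group membership on the user entry as
    memberOf. This matches direct membership only, not nested groups.
    """
    if not group_dns:
        # Without a group clause the filter would admit every user entry,
        # which is exactly what the license cap cannot absorb.
        raise ValueError('at least one licensed group DN is required')
    clauses = ['(memberOf=%s)' % escape_filter_value(dn) for dn in group_dns]
    members = clauses[0] if len(clauses) == 1 else '(|%s)' % ''.join(clauses)
    return '(&%s%s)' % (base_filter, members)


if __name__ == '__main__':
    # Constructed sample groups that would hold the global "CAN USE" permission.
    groups = [
        'cn=confluence-users,ou=groups,dc=example,dc=com',
        'cn=wiki editors (ops),ou=groups,dc=example,dc=com',
    ]
    print(licensed_user_filter(groups))
```

Users outside the listed groups are never synchronised by such a filter, so they cannot log in and continue to see only what anonymous access allows.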

Pankaj Jangid
Community Leader
February 21, 2013

Sorry for not clearly stating my problem. Here is a short summary.

I have given anonymous access at global level and at space level. So users can view the page when they are not logged in. But they cannot see it when they log in. Because none of their groups have "CAN USE" permission.

Is there a way to either not allow non-licensed users to log in, or treat non-licensed users as anonymous? Without modifying LDAP.

LDAP filter is a good idea. But I thought there is a built-in way to grant anonymous permissions to all logged in users at least.
