
confluence and ldap authentication

Alex Samad YB March 8, 2012

Hi

I am planning on installing Confluence and using an LDAP db for my users. Just wondering how Confluence authenticates users: does it do an LDAP bind with the relevant user and password?

What my setup is going to look like is, I have AD (say abc.com). I was going to set up a Linux box running OpenLDAP so that I could create non-AD users (our customer in here, why I don't want to pay for 000s of CAL licenses and I believe the MS connector license is prohibitive but not ruled out), so all the clients were going to exist in external.abc.com

So my LDAP would look like

dc=abc,dc=com

ou=external,dc=abc,dc=com

DN's for AD look something like CN=alex samad,ou=abc,dc=abc,dc=com

whereas DN's for clients could be something like

CN=<emailaddress>,ou=external,dc=abc,dc=com

Am I going to be able to configure Confluence to handle that?

Thanks

Alex

2 answers

0 votes
Andrew Frayling
Rising Star
March 11, 2012

Hi Alex,

Yes, Confluence can use multiple LDAP sources so you can configure as many LDAP sources for users as you wish. Have a look at http://confluence.atlassian.com/display/DOC/Managing+Multiple+Directories for details.

Using email address to log in should be fine as you configure Confluence to tell it what LDAP attribute to use for username, first name, surname, etc. Have a look at the User Schema Settings section at http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory for details of what LDAP attributes Confluence asks you to map.

For the last question, as far as I am aware, Confluence doesn't sync the LDAP password locally and test against the sync'ed copy, it tests against LDAP directly.

Does that help?

Andrew.

0 votes
Andrew Frayling
Rising Star
March 8, 2012

Hi Alex,

For binding to LDAP Confluence can use either a single user or anonymous bind (if your LDAP is configured to allow anonymous bind) depending on whether you supply values for "Username" and "Password" in the LDAP config in Confluence.

If I'm understanding the second part of the question correctly, you only want Confluence to allow access for users in external.abc.com and not for users in abc.com? If that's the case then that's not a problem with Confluence as in the LDAP config you supply a base DN and Confluence will only look for users in that container and below, so if you set your base DN in Confluence to ou=external,dc=abc,dc=com then only users in that container and below will be able to log in.

For licensing in general a user counts against your Confluence license if they have the "Can Use" permission, so if you have 10,000 users in LDAP, but your Confluence LDAP is configured so that Confluence can only see 50 of them then that would be 50 against your license, not 10,000. Does that make sense?

For LDAP config have a look at http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory

Hope that helps,

Andrew.

Alex Samad YB March 11, 2012

Hi

Thanks, slight misunderstanding.

I would like to allow users from

* internal - from our own AD server

* external - this was to be managed from openldap

I would like people to log in with their email address, so

alex.samad@abc.com (pretend abc.com is my ad domain) would translate into a ldap request to ldap.abc.com with ????

alex.asmad@xyc.co.uk (external client), would translate into a ldap request to ldap.abc.com

But to add more confusion (as I have read some documentation), it seems like Confluence can use multiple LDAP sources? So I don't need to hide my AD LDAP tree behind OpenLDAP!

The other question is how does Confluence check userid and password.

alex.samad@abc.com (internal user), the DN for this user is not alex.samad@abc.com. Does Confluence search for this user and retrieve the password and test it itself, or does it find the user and then find its DN and then get LDAP to test the password?

Thanks

Alex

Andrew Frayling
Rising Star
March 11, 2012

Hi Alex,

Yes, Confluence can use multiple LDAP sources so you can configure as many LDAP sources for users as you wish. Have a look at http://confluence.atlassian.com/display/DOC/Managing+Multiple+Directories for details.

Using email address to log in should be fine as you configure Confluence to tell it what LDAP attribute to use for username, first name, surname, etc. Have a look at the User Schema Settings section at http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory for details of what LDAP attributes Confluence asks you to map.

For the last question, as far as I am aware, Confluence doesn't sync the LDAP password locally and test against the sync'ed copy, it tests against LDAP directly.

Does that help?

Andrew.
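
The search-then-bind flow asked about in this thread, as an added example (not part of the original posts and not Confluence's own code): the login name is looked up by a mapped attribute under each directory's base DN, and the password is checked only by binding as the DN that was found. `FakeDirectory`, the `ou=abc` base DN for AD, the passwords and the `ldapadmin` entry are constructed for illustration, and stopping at the first directory that holds the user is an assumption of this sketch.

```python
import hmac

class FakeDirectory:
    """Constructed in-memory stand-in for one LDAP server; not a real LDAP client."""
    def __init__(self, name, base_dn, entries):
        self.name, self.base_dn, self.entries = name, base_dn.lower(), entries

    def search(self, attr, value):
        # Done with the configured service account: subtree search under base_dn.
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(self.base_dn)
                and e.get(attr, "").lower() == value.lower()]

    def bind(self, dn, password):
        if password == "":
            # RFC 4513 unauthenticated bind: a server that allows it reports success.
            return True
        # The directory compares the password; the caller never reads the stored value.
        return hmac.compare_digest(self.entries[dn]["userPassword"], password)

def authenticate(directories, login, password, attr="mail"):
    """Search for the login, then bind as the DN found. Returns (directory, dn) or None."""
    if not password:
        return None  # never pass an empty password on to bind()
    for d in directories:  # directories are tried in their configured order
        matches = d.search(attr, login)
        if len(matches) > 1:
            return None  # ambiguous login name: fail closed
        if matches:
            # Assumption of this sketch: stop at the first directory holding the user.
            return (d.name, matches[0]) if d.bind(matches[0], password) else None
    return None

# Constructed sample data using the DN layout from the question.
AD = FakeDirectory("ad", "ou=abc,dc=abc,dc=com", {
    "CN=alex samad,ou=abc,dc=abc,dc=com":
        {"mail": "alex.samad@abc.com", "userPassword": "internal-pw"},
})
EXTERNAL = FakeDirectory("openldap", "ou=external,dc=abc,dc=com", {
    "CN=alex.asmad@xyc.co.uk,ou=external,dc=abc,dc=com":
        {"mail": "alex.asmad@xyc.co.uk", "userPassword": "client-pw"},
    "cn=ldapadmin,dc=abc,dc=com":  # outside the base DN, so never matched
        {"mail": "ldapadmin@abc.com", "userPassword": "admin-pw"},
})
DIRECTORIES = [AD, EXTERNAL]

if __name__ == "__main__":
    print(authenticate(DIRECTORIES, "alex.samad@abc.com", "internal-pw"))
    print(authenticate(DIRECTORIES, "alex.asmad@xyc.co.uk", "client-pw"))
    print(authenticate(DIRECTORIES, "alex.samad@abc.com", ""))
```

The empty-password check in `authenticate` matters because the directory itself may accept such a bind, as the stand-in's `bind` models.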

Alex Samad YB March 12, 2012

Yep I think that's what I am after...

some more planning and a trial :)
