Confluence and LDAP authentication

Hi

I am planning on installing Confluence and using an LDAP DB for my users. Just wondering how Confluence authenticates users: does it do an LDAP bind with the relevant user and password?

What my setup is going to look like is: I have AD (say abc.com). I was going to set up a Linux box running OpenLDAP so that I could create non-AD users (our customers in here, which is why I don't want to pay for 000s of CAL licenses, and I believe the MS connector license is prohibitive but not ruled out), so all the clients were going to exist in external.abc.com.

So my LDAP would look like

dc=abc,dc=com

ou=external,dc=abc,dc=com

DNs for AD look something like CN=alex samad,ou=abc,dc=abc,dc=com

whereas DNs for clients could be something like

CN=<emailaddress>,ou=external,dc=abc,dc=com

Am I going to be able to configure Confluence to handle that?

Thanks

Alex

2 answers

Hi Alex,

For binding to LDAP Confluence can use either a single user or anonymous bind (if your LDAP is configured to allow anonymous bind) depending on whether you supply values for "Username" and "Password" in the LDAP config in Confluence.

If I'm understanding the second part of the question correctly, you only want Confluence to allow access for users in external.abc.com and not for users in abc.com? If that's the case then that's not a problem with Confluence as in the LDAP config you supply a base DN and Confluence will only look for users in that container and below, so if you set your base DN in Confluence to ou=external,dc=abc,dc=com then only users in that container and below will be able to log in.

For licensing in general a user counts against your Confluence license if they have the "Can Use" permission, so if you have 10,000 users in LDAP, but your Confluence LDAP is configured so that Confluence can only see 50 of them then that would be 50 against your license, not 10,000. Does that make sense?

For LDAP config have a look at http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory

Hope that helps,

Andrew.

Hi

Thanks, slight misunderstanding.

I would like to allow users from

* internal - from our own AD server

* external - this was to be managed from openldap

I would like people to log in as email address, so

alex.samad@abc.com (pretend abc.com is my AD domain) would translate into an LDAP request to ldap.abc.com with ????

alex.asmad@xyc.co.uk (external client) would translate into an LDAP request to ldap.abc.com

But to add more confusion (as I have read some documentation): it seems like Confluence can use multiple LDAP sources? So I don't need to hide my AD LDAP tree behind OpenLDAP!

The other question is how does Confluence check the userid and password?

alex.samad@abc.com (internal user): the DN for this user is not alex.samad@abc.com. Does Confluence search for this user, retrieve the password and test it itself, or does it find the user, then find its DN, and then get LDAP to test the password?

Thanks

Alex

Hi Alex,

Yes, Confluence can use multiple LDAP sources so you can configure as many LDAP sources for users as you wish. Have a look at http://confluence.atlassian.com/display/DOC/Managing+Multiple+Directories for details.

Using email address to log in should be fine as you configure Confluence to tell it what LDAP attribute to use for username, first name, surname, etc. Have a look at the User Scheme Settings section at http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory for details of what LDAP attributes Confluence asks you to map.

For the last question, as far as I am aware, Confluence doesn't sync the LDAP password locally and test against the sync'ed copy, it tests against LDAP directly.

Does that help?

Andrew.

Yep, I think that's what I am after...

some more planning and a trial :)
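
Added example, not part of the thread and not Confluence's own code: a sketch of the general search-then-bind login pattern the last question asks about, run over an ordered list of directories with email as the username attribute. `SampleDirectory`, the entries and the passwords are constructed stand-ins for real LDAP servers, and stopping at the first directory that holds the user is an assumption of this sketch.

```python
# Added example: search-then-bind login over an ordered list of directories.
# All entries, DNs and passwords are constructed sample data; SampleDirectory
# is a hypothetical in-memory stand-in for an LDAP server, not a real client.

def build_filter(attr, login):
    """Equality filter with RFC 4515 escaping of the user-supplied value."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in login)
    return "(%s=%s)" % (attr, esc)

def under_base(dn, base_dn):
    """True if dn equals base_dn or lies below it (ignores escaped commas)."""
    rdns = [p.strip().lower() for p in dn.split(",")]
    base = [p.strip().lower() for p in base_dn.split(",")]
    return rdns[-len(base):] == base

class SampleDirectory:
    def __init__(self, base_dn, user_attr, entries):
        self.base_dn, self.user_attr, self.entries = base_dn, user_attr, entries

    def search(self, login):
        """Subtree search below base_dn; returns DNs whose attribute matches."""
        self.last_filter = build_filter(self.user_attr, login)
        return [dn for dn, e in self.entries.items()
                if under_base(dn, self.base_dn)
                and e[self.user_attr].lower() == login.lower()]

    def bind(self, dn, password):
        """The server compares the password; the caller never reads it."""
        return self.entries[dn]["password"] == password

def authenticate(directories, login, password):
    """Return the DN that authenticated, or None."""
    if not password:  # empty password can succeed as an unauthenticated bind (RFC 4513)
        return None
    for d in directories:
        hits = d.search(login)
        if len(hits) == 1:  # first directory holding the user decides the outcome
            return hits[0] if d.bind(hits[0], password) else None
    return None

AD = SampleDirectory("dc=abc,dc=com", "mail", {
    "CN=alex samad,ou=abc,dc=abc,dc=com":
        {"mail": "alex.samad@abc.com", "password": "internal-pw"}})
EXTERNAL = SampleDirectory("ou=external,dc=abc,dc=com", "mail", {
    "CN=alex.asmad@xyc.co.uk,ou=external,dc=abc,dc=com":
        {"mail": "alex.asmad@xyc.co.uk", "password": "client-pw"},
    "CN=stray@xyc.co.uk,ou=other,dc=abc,dc=com":  # outside the base DN
        {"mail": "stray@xyc.co.uk", "password": "pw"}})
DIRECTORIES = [AD, EXTERNAL]
```

The entry under ou=other is never returned by the external directory's search, which is the base DN scoping described in the first answer.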
