Restricting LDAP Scope for User and Group Search
While you should already know the user DN (Distinguished Name) you are using for your LDAP connection, it can be helpful to review the users and groups in Apache Directory Studio to determine the best scope for your Crowd LDAP directory configuration.
Crowd comes with default configurations that will work for most customers. In the examples below, we illustrate some common options for changing your user and group configurations.
There are a number of other attributes, not shown here, that can also be used to narrow the scope of users and groups.
Important Search Filter Notes
- If you are unfamiliar with LDAP search filter syntax, please review this guide.
- See Creating a Connection to your LDAP Directory for details of how to connect Apache Directory Studio to your LDAP directory.
- In order to use Object Filters larger than 255 characters, you will need to upgrade Crowd to 1.5.1 or later, by installing a new Crowd instance (with a new database) and restoring an XML backup from your previous Crowd installation. For more information on upgrading Crowd, please review the Upgrade Guide.
- If you are using Nested Groups in Crowd, your group filter must include all sub-groups to pick up the sub-group members.
Example 1: Using a User's DN for Crowd Configuration
- Find a user in the scope you wish to use for Crowd. Highlight that user in Apache Directory Studio.
Screenshot: User information in Apache Directory Studio
Using the information about the user dmcgahan, you can narrow down the users returned in the Crowd directory to those in cn=Users who are members of either the confluence-users or the confluence-administrators group.
User Object Filter:
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=confluence-users,ou=Groups,dc=sydney,dc=atlassian,dc=com)(memberOf=cn=confluence-administrators,ou=Groups,dc=sydney,dc=atlassian,dc=com)))
Screenshot: The resulting user configuration in Crowd
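The User Object Filter above can be generated rather than typed by hand. The following is an added example, not part of the original page or of Crowd itself: it builds the same filter from a list of group DNs, escapes each DN per RFC 4515 so that characters such as parentheses cannot change the filter's structure, and checks the result against the 255-character limit mentioned in the notes. The function names and the confluence-contractors sub-group are assumptions made for illustration.

```python
# Added example (not Atlassian code): build the Example 1 User Object Filter.
LEGACY_FILTER_LIMIT = 255  # Object Filter size limit before Crowd 1.5.1

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value (here a group DN) for safe use inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(group_dns):
    """Return the Example 1 filter, generalized to any number of group DNs."""
    if not group_dns:
        raise ValueError("at least one group DN is required to restrict scope")
    clauses = ["(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns]
    # One group needs no OR wrapper; several are combined with (|...).
    membership = clauses[0] if len(clauses) == 1 else "(|%s)" % "".join(clauses)
    return "(&(objectCategory=Person)(sAMAccountName=*)%s)" % membership


def fits_legacy_limit(ldap_filter):
    """True if the filter is usable on a Crowd release older than 1.5.1."""
    return len(ldap_filter) <= LEGACY_FILTER_LIMIT


BASE = "ou=Groups,dc=sydney,dc=atlassian,dc=com"
PAGE_GROUPS = ["cn=confluence-users," + BASE,
               "cn=confluence-administrators," + BASE]
# Constructed sub-group, standing in for a nested group that must be listed.
NESTED_GROUPS = PAGE_GROUPS + ["cn=confluence-contractors," + BASE]

if __name__ == "__main__":
    for groups in (PAGE_GROUPS, NESTED_GROUPS):
        f = build_user_filter(groups)
        print(len(f), "fits 255" if fits_legacy_limit(f) else "needs 1.5.1+")
        print(f)
    # A DN containing parentheses (constructed) would unbalance a naive filter.
    print(build_user_filter(["cn=Ops (EU)," + BASE]))
```

Listing one additional sub-group is enough to push this filter past 255 characters, which is why the upgrade note matters once nested groups are in use.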
Example 2: Using a Group's DN for Crowd Configuration
- Find a group in the scope you wish to use for Crowd. Highlight that group in Apache Directory Studio.
Screenshot: Group information in Apache Directory Studio
Using the information about the group confluence-users, you can narrow down the groups returned in the Crowd directory to those in ou=Groups and return only the confluence-users or the confluence-administrators group. Under most circumstances, it is best to apply any changes to both group and role configuration for consistency.
Group Object Filter:
Screenshot: The resulting group/role configuration in Crowd