The LDAP server connection is specified by manually editing the file atlassian-user.xml. Confluence 2.3 onwards supports multiple LDAP servers by repeating the instructions below for each server so that there are multiple repositories defined.

Stage 1 - Determine if you are migrating from os_user or atlassian_user

Check your current .../confluence/WEB-INF/classes/atlassian-user.xml file. If the osuser repository tag is active, you are using OSUser in some fashion. Make sure to run the user migration after entering your LDAP details, as described in Migrating to new User Management.

Stage 2 - Configure Connection Details

To make life easier, use Paddle and Apache Directory Studio to test your LDAP connections without restarting Confluence.

  1. Edit the file .../confluence/WEB-INF/classes/atlassian-user.xml and configure the connection for either AD or LDAP.
  2. If your Active Directory server allows anonymous searches, you do not need to specify a securityPrincipal or securityCredential at all. For an example of how to configure Confluence for anonymous authentication, see Enable Anonymous Authentication in LDAP or Active Directory.

  3. To connect to LDAP over SSL, see Connect to LDAP via SSL.

  4. Check your configuration against the example connection details shown below.
    <ldap key="ldapRepository" name="LDAP Repository@hecate.atlassian.com" cache="true">
        <host>hecate.atlassian.com</host>
        <port>389</port>
        <securityPrincipal>cn=admin,dc=atlassian,dc=private</securityPrincipal>
        <securityCredential>secret</securityCredential>
        <securityProtocol>plain</securityProtocol>
        <securityAuthentication>simple</securityAuthentication>
        <baseContext>dc=atlassian,dc=private</baseContext>
    ....

Stage 3 - Map LDAP Data Tree

  1. Configure the mappings in atlassian-user.xml for either AD or LDAP.
  2. Check your configuration against the example mappings shown below.
    ...
        <baseUserNamespace>dc=staff,dc=perftest,dc=atlassian,dc=private</baseUserNamespace>
        <baseGroupNamespace>dc=groups,dc=perftest,dc=atlassian,dc=private</baseGroupNamespace>
        <usernameAttribute>cn</usernameAttribute>
        <userSearchFilter>(objectClass=inetorgperson)</userSearchFilter>
        <firstnameAttribute>givenname</firstnameAttribute>
        <surnameAttribute>sn</surnameAttribute>
        <emailAttribute>mail</emailAttribute>
        <groupnameAttribute>cn</groupnameAttribute>
        <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
        <membershipAttribute>member</membershipAttribute>
    </ldap>
    
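The connection and mapping fragments above are easy to get subtly wrong (a dropped parenthesis in a filter, a malformed DN, a bind password configured on a plain-text connection). The following script is an added example, not Atlassian's code: it parses an atlassian-user.xml file and lints each <ldap> repository for the problems a practitioner checks for before restarting Confluence. It assumes the file's outer structure is <atlassian-user><repositories>, and that the value of securityProtocol for an SSL connection is ssl (the page only shows plain). The sample file is constructed from the page's Stage 2 and Stage 3 fragments, with one deliberately broken groupSearchFilter so that the linter has something to report.

```python
import re
import xml.etree.ElementTree as ET

# Elements every <ldap> repository on this page carries; treat a missing one as an error.
REQUIRED = (
    "host", "port", "baseContext", "baseUserNamespace", "baseGroupNamespace",
    "usernameAttribute", "userSearchFilter", "groupnameAttribute",
    "groupSearchFilter", "membershipAttribute",
)
FILTER_ELEMENTS = ("userSearchFilter", "groupSearchFilter")
DN_ELEMENTS = ("securityPrincipal", "baseContext", "baseUserNamespace", "baseGroupNamespace")
DEPTH_ELEMENTS = ("userSearchAllDepths", "groupSearchAllDepths")
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attr=value, escaping not handled

# Constructed sample: the page's fragments joined into one <ldap> element.
# Assumption: the outer <atlassian-user><repositories> wrapper.
SAMPLE_XML = """<atlassian-user>
  <repositories>
    <ldap key="ldapRepository" name="LDAP Repository@hecate.atlassian.com" cache="true">
      <host>hecate.atlassian.com</host>
      <port>389</port>
      <securityPrincipal>cn=admin,dc=atlassian,dc=private</securityPrincipal>
      <securityCredential>secret</securityCredential>
      <securityProtocol>plain</securityProtocol>
      <securityAuthentication>simple</securityAuthentication>
      <baseContext>dc=atlassian,dc=private</baseContext>
      <baseUserNamespace>dc=staff,dc=perftest,dc=atlassian,dc=private</baseUserNamespace>
      <baseGroupNamespace>dc=groups,dc=perftest,dc=atlassian,dc=private</baseGroupNamespace>
      <usernameAttribute>cn</usernameAttribute>
      <userSearchFilter>(objectClass=inetorgperson)</userSearchFilter>
      <groupnameAttribute>cn</groupnameAttribute>
      <groupSearchFilter>(objectClass=groupOfNames</groupSearchFilter>
      <membershipAttribute>member</membershipAttribute>
    </ldap>
  </repositories>
</atlassian-user>
"""


def _text(elem, tag):
    child = elem.find(tag)
    return None if child is None or child.text is None else child.text.strip()


def filter_is_balanced(flt):
    """Cheap RFC 4515 sanity check: the filter is parenthesised and the parentheses balance."""
    if not (flt.startswith("(") and flt.endswith(")")):
        return False
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def dn_is_wellformed(dn):
    """Every comma-separated component must look like attr=value."""
    return all(RDN.match(part.strip()) for part in dn.split(","))


def lint_ldap_repository(ldap):
    """Return a list of (level, message) findings for one <ldap> element."""
    findings = []
    for tag in REQUIRED:
        if _text(ldap, tag) is None:
            findings.append(("error", f"missing <{tag}>"))
    port = _text(ldap, "port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(("error", f"<port> is not a valid TCP port: {port!r}"))
    principal = _text(ldap, "securityPrincipal")
    credential = _text(ldap, "securityCredential")
    protocol = (_text(ldap, "securityProtocol") or "plain").lower()
    if (principal is None) != (credential is None):
        findings.append(("error", "securityPrincipal and securityCredential must be set together "
                                  "(or both omitted for an anonymous bind)"))
    if credential is not None and protocol != "ssl":  # assumption: 'ssl' selects LDAPS
        findings.append(("warning", f"bind credential for {principal} travels over a cleartext "
                                    f"simple bind (securityProtocol={protocol}); see Connect to LDAP via SSL"))
    for tag in DN_ELEMENTS:
        value = _text(ldap, tag)
        if value is not None and not dn_is_wellformed(value):
            findings.append(("error", f"<{tag}> is not a well-formed DN: {value!r}"))
    for tag in FILTER_ELEMENTS:
        value = _text(ldap, tag)
        if value is not None and not filter_is_balanced(value):
            findings.append(("error", f"<{tag}> is not a parenthesised, balanced filter: {value!r}"))
    for tag in DEPTH_ELEMENTS:
        value = _text(ldap, tag)
        if value is None:
            continue
        if value.lower() not in ("true", "false"):
            findings.append(("error", f"<{tag}> must be true or false, got {value!r}"))
        elif value.lower() == "true":
            findings.append(("info", f"<{tag}> is true: the whole subtree is searched, "
                                     "which is expensive on large directories"))
    return findings


def lint_file_text(xml_text):
    """Lint every <ldap> repository in the file; keyed by the repository's key attribute."""
    root = ET.fromstring(xml_text)
    repos = root.findall(".//ldap") + ([root] if root.tag == "ldap" else [])
    return {repo.get("key", "?"): lint_ldap_repository(repo) for repo in repos}


if __name__ == "__main__":
    for key, findings in lint_file_text(SAMPLE_XML).items():
        for level, message in findings:
            print(f"{key}: {level}: {message}")
```

Run it against the real file with `lint_file_text(open(path).read())`. On the constructed sample it reports the cleartext bind (port 389 with securityProtocol plain and a password present) and the unbalanced groupSearchFilter; both are worth fixing before the first restart, since the Stage 2 tip about testing with Paddle or Apache Directory Studio does not catch a password sent in the clear.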

Stage 4 - Directory Search Depth Settings

These are the default settings:

...
<userSearchAllDepths>false</userSearchAllDepths>
<groupSearchAllDepths>false</groupSearchAllDepths>

The above settings configure the search depth for users and groups. If you set either setting to true, Confluence searches the whole subtree below the corresponding base namespace; with false (the default) it searches only the immediate namespace.

Note: Setting the value to true may have a high cost in performance for large directories, because Confluence will search the whole tree and not just the immediate namespace.
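The practical consequence of the depth setting is which user entries Confluence can see at all. The following added example (not Atlassian's code) mimics the two search scopes over a constructed set of DNs under the page's baseUserNamespace: with all-depths off, only entries directly beneath the base are found, so a user filed under an organisational unit such as ou=contractors is invisible to Confluence even though the bind and base DN are correct. DN escaping is not handled, and the one-level/subtree semantics are assumed to match how Confluence interprets false and true.

```python
# Constructed sample directory under the page's baseUserNamespace.
BASE = "dc=staff,dc=perftest,dc=atlassian,dc=private"
ENTRIES = [
    "cn=alice," + BASE,                                   # directly under the base
    "cn=bob," + BASE,                                     # directly under the base
    "cn=carol,ou=contractors," + BASE,                    # one OU deeper
    "cn=dave,ou=london,ou=offices," + BASE,               # two OUs deeper
    "cn=svc-backup,dc=services,dc=perftest,dc=atlassian,dc=private",  # outside the base
]


def dn_components(dn):
    """Split a DN into RDN components, most specific first (no escaping support)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, base, all_depths):
    """Would a search rooted at base return dn?

    all_depths=False mimics userSearchAllDepths=false (assumed to be a one-level
    search: only entries whose parent is exactly base). all_depths=True mimics a
    subtree search. The base entry itself is never a user, so it is excluded.
    """
    entry, root = dn_components(dn), dn_components(base)
    if len(entry) <= len(root) or entry[-len(root):] != root:
        return False  # not below the base at all
    depth = len(entry) - len(root)
    return all_depths or depth == 1


def visible_users(dns, base, all_depths):
    """Entries Confluence would see with the given depth setting."""
    return [dn for dn in dns if is_under(dn, base, all_depths)]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"userSearchAllDepths={str(setting).lower()}:")
        for dn in visible_users(ENTRIES, BASE, setting):
            print("  ", dn)
```

If users who exist in the directory cannot log in, compare their DN against baseUserNamespace this way before turning on userSearchAllDepths: moving the base namespace down to the right container, or adding a second repository for that container, keeps the search cheap where a subtree search would not.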

Stage 5 - Optional LDAP Settings

The following settings are the default values for all the options under <ldap> in the atlassian-user.xml file. Some of them do not appear in the file normally, but can be added if you need to customise them:

To override a default value, add the element inside your <ldap> tag after the rest of your configuration:

<ldap ...>
...
    <groupnameAttribute>cn</groupnameAttribute>
    <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
    <membershipAttribute>member</membershipAttribute>
    <initSize>20</initSize>      <!-- bigger initial connection pool! -->
</ldap>

Stage 6 - Optional: Configure LDAP for User Authentication Only

Description

If you'd like to configure LDAP for user management and authentication only, start by configuring LDAP integration with groups, and continue to this point to remove group management.

Applies For

Important Points

Steps

If you do not want Confluence to retrieve any of your LDAP groups and display them inside Confluence, specify a dummy value for groupSearchFilter in your atlassian-user.xml file. That is, update your atlassian-user.xml file with the following:

<groupSearchFilter>(objectClass=dummyValue)</groupSearchFilter>

An example atlassian-user.xml file:

<baseUserNamespace>cn=users,dc=ad,dc=atlassian,dc=com</baseUserNamespace>
<baseGroupNamespace>ou=groups,dc=ad,dc=atlassian,dc=com</baseGroupNamespace>
<usernameAttribute>sAMAccountName</usernameAttribute>
<userSearchFilter>(objectClass=user)</userSearchFilter>
<firstnameAttribute>givenname</firstnameAttribute>
<surnameAttribute>sn</surnameAttribute>
<emailAttribute>mail</emailAttribute>
<groupnameAttribute>cn</groupnameAttribute>
<groupSearchFilter>(objectClass=dummyValue)</groupSearchFilter>
<membershipAttribute>member</membershipAttribute>
<userSearchAllDepths>false</userSearchAllDepths>
<groupSearchAllDepths>false</groupSearchAllDepths>

Please note: You will still have to provide a valid LDAP DN for baseGroupNamespace. Confluence still performs group searches quite frequently, so use a DN with few child nodes, such as an individual user's DN.

Optional: Configuring Multiple LDAP Repositories

For some LDAP servers, it might be necessary to configure Confluence to connect to multiple LDAP servers. This functionality is available in Confluence 2.3 and above, and has a separate guide: Configuring multiple LDAP repositories.

Related Topics

Add LDAP Integration
Configuring multiple LDAP repositories
atlassian-user.xml reference
How to write an LDAP search filter, in the Atlassian Development space.