User Authentication
Internal Users
Internal Groups
LDAP Users
LDAP Groups
LDAP Without Groups
LDAP With Groups
There are two kinds of Confluence/LDAP integration available:
User Authentication |
Internal Users |
Internal Groups |
LDAP Users |
LDAP Groups |
|---|---|---|---|---|
LDAP Without Groups |
|
|
|
|
LDAP With Groups |
|
|
|
|
This guide covers LDAP without groups, where if a username exists in both Confluence and LDAP, they use their LDAP password to login. You still maintain users from Confluence and use internal Confluence groups for group permissions.
Alternatively, you may use LDAP with Groups to have users and groups automatically updated from LDAP, and use LDAP groups for group permissions.
Applies For
Important Points
confluence/WEB-INF/classes.CAUTION: Make sure that when you first set up Confluence, you make no changes to the default osuser.xml. Once Confluence is up and running, you can then apply the changes described here to enable LDAP integration.
In the osuser.xml file, the CredentialsProviders are responsible for authenticating passwords. The default CachingCredentialsProvider looks in the Confluence database. To enable LDAP aunthentication, you will need to add a LDAPCredentialsProvider, so that LDAP users can also be authenticated:
Here's what the default osuser.xml contains:
<provider class="bucket.user.providers.CachingCredentialsProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> <provider class="bucket.user.providers.CachingAccessProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> <provider class="bucket.user.providers.CachingProfileProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> |
For Confluence version 2.1 and later:
<provider class="com.atlassian.confluence.user.ConfluenceLDAPCredentialsProvider"> <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property> <property name="java.naming.provider.url">ldap://localhost:389</property> <property name="searchBase">dc=atlassian,dc=com</property> <property name="uidSearchName">cn</property> <!-- <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property> <property name="java.naming.security.credentials">secret</property> <property name="exclusive-access">true</property> --> </provider> <provider class="bucket.user.providers.CachingCredentialsProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> <provider class="bucket.user.providers.CachingAccessProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> <provider class="bucket.user.providers.CachingProfileProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> |
For older verisons of Confluence
<provider class="com.opensymphony.user.provider.ldap.LDAPCredentialsProvider"> <property name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</property> <property name="java.naming.provider.url">ldap://localhost:389</property> <property name="searchBase">dc=atlassian,dc=com</property> <property name="uidSearchName">cn</property> <!-- <property name="java.naming.security.principal">cn=Manager,dc=atlassian,dc=com</property> <property name="java.naming.security.credentials">secret</property> <property name="exclusive-access">true</property> --> </provider> <provider class="bucket.user.providers.CachingCredentialsProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateCredentialsProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> <provider class="bucket.user.providers.CachingAccessProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateAccessProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> <provider class="bucket.user.providers.CachingProfileProvider"> <property name="chain.classname">com.opensymphony.user.provider.hibernate.HibernateProfileProvider</property> <property name="chain.configuration.provider.class">bucket.user.BucketHibernateConfigProvider</property> </provider> |
The Credentials (password) checking is a separate operation from user-profile lookups. The profile can be loaded from the Confluence database, but the password is looked up from LDAP. Furthermore, multiple credentials providers can be specified (here, LDAP and OSUser), and if one fails, the other will be used. This allows non-LDAP users to log in with their Confluence password.
