Support for Confluence 2.6 has ended.
Please check the latest version of the documentation.
The LDAP server connection is specified by manually editing the file atlassian-user.xml. Confluence 2.3 onwards supports multiple LDAP servers: repeat the instructions below for each server so that multiple repositories are defined.
Stage 1 - Configure Connection Details
- Edit the file .../confluence/WEB-INF/classes/atlassian-user.xml and configure the connection for either AD or LDAP.
- If your Active Directory server allows anonymous searches, you do not need to specify a securityPrincipal and securityCredential at all. For an example of how to configure Confluence to allow anonymous authentication, see Enable Anonymous Authentication in LDAP or Active Directory.
- To connect to LDAP over SSL, see Connect to LDAP via SSL. With securityProtocol set to plain, a simple bind sends the securityCredential across the network in cleartext, and the same credential is stored in cleartext in atlassian-user.xml, so restrict read access to that file.
- Check your configuration against the example connection details shown below.
    <ldap key="ldapRepository" name="LDAP Repository@hecate.atlassian.com" cache="true">
        <host>hecate.atlassian.com</host>
        <port>389</port>
        <securityPrincipal>cn=admin,dc=atlassian,dc=private</securityPrincipal>
        <securityCredential>secret</securityCredential>
        <securityProtocol>plain</securityProtocol>
        <securityAuthentication>simple</securityAuthentication>
        <baseContext>dc=atlassian,dc=private</baseContext>
        ....
Stage 2 - Map LDAP Data Tree
- Configure the mappings in atlassian-user.xml for either AD or LDAP.
- Check your configuration against the example mapping details shown below.
        ...
        <baseUserNamespace>dc=staff,dc=perftest,dc=atlassian,dc=private</baseUserNamespace>
        <baseGroupNamespace>dc=groups,dc=perftest,dc=atlassian,dc=private</baseGroupNamespace>
        <usernameAttribute>cn</usernameAttribute>
        <userSearchFilter>(objectClass=inetorgperson)</userSearchFilter>
        <firstnameAttribute>givenname</firstnameAttribute>
        <surnameAttribute>sn</surnameAttribute>
        <emailAttribute>mail</emailAttribute>
        <groupnameAttribute>cn</groupnameAttribute>
        <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
        <membershipAttribute>member</membershipAttribute>
    </ldap>
Stage 3 - Directory Search Depth Settings
These are the default settings:
        ...
        <userSearchAllDepths>false</userSearchAllDepths>
        <groupSearchAllDepths>false</groupSearchAllDepths>
The above settings configure the search depth on users and groups. If you set either attribute to:
- false - Confluence searches only for users/groups defined directly under <baseUserNamespace> and <baseGroupNamespace> (one level).
- true - Confluence searches for users/groups defined in the above namespaces and also in namespaces nested within them (the whole subtree). If your users are distributed across multiple namespaces, set this option to true.
Setting the value to true may have a high performance cost for large directories, because Confluence searches the whole subtree rather than just the immediate namespace.
Stage 4 - Optional LDAP Settings
The following settings do not appear in the default atlassian-user.xml file:
    <poolingOn>true</poolingOn>
    <maxSize>0</maxSize>
    <initSize>10</initSize>
    <prefSize>10</prefSize>
    <debugLevel>none</debugLevel>
    <securityProtocol>plain ssl</securityProtocol>
    <authentication>simple</authentication>
    <timeout>0</timeout>
    <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
    <batchSize>100</batchSize>
    <timeToLive>0</timeToLive>
However, if you want to override any of the default values listed above, add the element at the end of the <ldap> block, like so:
        ...
        <groupnameAttribute>cn</groupnameAttribute>
        <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
        <membershipAttribute>member</membershipAttribute>
        <initSize>20</initSize>
    </ldap>
It is important that the connection pool timeout value stays at 0, as this forces Atlassian User (via the JNDI layer) to clean up lingering connections that have lived past one request. More information about LDAP pools is on the LDAP pools page.
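The following script is an added example, not part of this page or of Confluence itself. It parses the <ldap> repository blocks of an atlassian-user.xml (the sample below is a constructed copy of the Stage 1-4 example with userSearchAllDepths and timeout deliberately changed), reports the settings Stages 1, 3 and 4 warn about, and builds the ldapsearch command that reproduces Confluence's bind and user lookup so you can test the filters before restarting Confluence. The assumption that a missing securityProtocol behaves like plain is the author's, not the page's.

```python
"""Audit the <ldap> repository blocks of an atlassian-user.xml and build the
ldapsearch command that reproduces Confluence's user lookup."""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the Stage 1-4 example from this page, with two settings
# weakened on purpose (userSearchAllDepths=true, timeout=30000) so the audit
# has something to report.
SAMPLE_XML = """<atlassian-user>
  <repositories>
    <ldap key="ldapRepository" name="LDAP Repository@hecate.atlassian.com" cache="true">
      <host>hecate.atlassian.com</host>
      <port>389</port>
      <securityPrincipal>cn=admin,dc=atlassian,dc=private</securityPrincipal>
      <securityCredential>secret</securityCredential>
      <securityProtocol>plain</securityProtocol>
      <securityAuthentication>simple</securityAuthentication>
      <baseContext>dc=atlassian,dc=private</baseContext>
      <baseUserNamespace>dc=staff,dc=perftest,dc=atlassian,dc=private</baseUserNamespace>
      <baseGroupNamespace>dc=groups,dc=perftest,dc=atlassian,dc=private</baseGroupNamespace>
      <usernameAttribute>cn</usernameAttribute>
      <userSearchFilter>(objectClass=inetorgperson)</userSearchFilter>
      <groupnameAttribute>cn</groupnameAttribute>
      <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
      <membershipAttribute>member</membershipAttribute>
      <userSearchAllDepths>true</userSearchAllDepths>
      <groupSearchAllDepths>false</groupSearchAllDepths>
      <timeout>30000</timeout>
    </ldap>
  </repositories>
</atlassian-user>"""


def setting(ldap, tag, default=None):
    """Text of a child element, or default when it is absent or empty."""
    value = ldap.findtext(tag)
    return value.strip() if value and value.strip() else default


def audit(xml_text):
    """Return (repository key, finding) pairs for the settings this page warns about."""
    findings = []
    for ldap in ET.fromstring(xml_text).iter("ldap"):
        key = ldap.get("key", "?")
        # Assumption: a missing securityProtocol behaves like "plain".
        protocol = setting(ldap, "securityProtocol", "plain")
        if protocol == "plain" and setting(ldap, "securityCredential"):
            findings.append((key, "plain protocol: simple bind sends securityCredential in cleartext; see Connect to LDAP via SSL"))
        if setting(ldap, "timeout", "0") != "0":
            findings.append((key, "timeout must be 0 so JNDI cleans up pooled connections after each request"))
        for tag in ("userSearchAllDepths", "groupSearchAllDepths"):
            if setting(ldap, tag, "false") == "true":
                findings.append((key, "%s=true searches the whole subtree, which is costly on large directories" % tag))
        for tag in ("baseUserNamespace", "baseGroupNamespace", "usernameAttribute", "userSearchFilter"):
            if not setting(ldap, tag):
                findings.append((key, "%s is missing" % tag))
    return findings


def escape_filter_value(value):
    """RFC 4515 escaping, so a username cannot alter the structure of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldapsearch_command(xml_text, key, username):
    """Command line that performs the same bind and user search Confluence would."""
    ldap = next(l for l in ET.fromstring(xml_text).iter("ldap") if l.get("key") == key)
    scheme = "ldaps" if setting(ldap, "securityProtocol", "plain") == "ssl" else "ldap"
    # searchAllDepths=false is a one-level search; true is a subtree search
    scope = "sub" if setting(ldap, "userSearchAllDepths", "false") == "true" else "one"
    attr = setting(ldap, "usernameAttribute")
    flt = "(&%s(%s=%s))" % (setting(ldap, "userSearchFilter"), attr, escape_filter_value(username))
    url = "%s://%s:%s" % (scheme, setting(ldap, "host"), setting(ldap, "port", "389"))
    cmd = ["ldapsearch", "-H", url, "-x"]
    principal = setting(ldap, "securityPrincipal")
    if principal:  # no securityPrincipal means an anonymous search
        cmd += ["-D", principal, "-W"]  # -W prompts for the password instead of exposing it in argv
    cmd += ["-b", setting(ldap, "baseUserNamespace"), "-s", scope, flt, attr]
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":
    for key, finding in audit(SAMPLE_XML):
        print("%s: %s" % (key, finding))
    print(ldapsearch_command(SAMPLE_XML, "ldapRepository", "jsmith"))
```

Run the printed ldapsearch command from the Confluence host: if it does not return exactly one entry for a known username, the baseUserNamespace, usernameAttribute or userSearchFilter needs adjusting before Confluence will authenticate that user.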
Stage 5 - Configure LDAP for User Authentication only
Description
There are two kinds of Confluence/LDAP integration available:
| User Authentication | Internal Users | Internal Groups | LDAP Users | LDAP Groups |
|---|---|---|---|---|
| LDAP Without Groups | yes | yes | yes (password only) | no |
| LDAP With Groups | | | yes | yes |
This section covers LDAP without groups: if a username exists in both Confluence and LDAP, the user logs in with their LDAP password. You still maintain users in Confluence and use internal Confluence groups for group permissions.
Alternatively, you may use LDAP with Groups to have users and groups automatically updated from LDAP, and use LDAP groups for group permissions.
Applies For
- Enabling LDAP for the first time
- Upgrading existing LDAP without enabling group management
Important Points
- Only the password lookup is done against LDAP and only if the Confluence username coincides with the LDAP username. Users and user profiles are still managed in Confluence. See technical explanation below.
- Each LDAP user in Confluence must be added to an internal Confluence group that has the Can Use permission in order for those LDAP users to access Confluence. If a password is set for an LDAP user in Confluence, it is ignored because the LDAP password overrides it.
- User management in Confluence 2.0 and earlier is handled by OSUser. OSUser is configured through the osuser.xml file located in confluence/WEB-INF/classes.
Procedure
If you do not wish Confluence to retrieve any of your LDAP groups and display them inside Confluence, specify a dummy value for the groupSearchFilter in your atlassian-user.xml file, that is, update the file with the following:
<groupSearchFilter>(objectClass=dummyValue)</groupSearchFilter>
An example atlassian-user.xml file:
        <baseUserNamespace>cn=users,dc=ad,dc=atlassian,dc=com</baseUserNamespace>
        <baseGroupNamespace>ou=groups,dc=ad,dc=atlassian,dc=com</baseGroupNamespace>
        <usernameAttribute>sAMAccountName</usernameAttribute>
        <userSearchFilter>(objectClass=user)</userSearchFilter>
        <firstnameAttribute>givenname</firstnameAttribute>
        <surnameAttribute>sn</surnameAttribute>
        <emailAttribute>mail</emailAttribute>
        <groupnameAttribute>cn</groupnameAttribute>
        <groupSearchFilter>(objectClass=dummyValue)</groupSearchFilter>
        <membershipAttribute>member</membershipAttribute>
        <userSearchAllDepths>false</userSearchAllDepths>
        <groupSearchAllDepths>false</groupSearchAllDepths>
Please note: you must still provide a valid LDAP DN for baseGroupNamespace; the base DN, for example, will do.
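The following script is an added example, not part of this page or of Confluence. It checks the two things this procedure relies on: that the groupSearchFilter is a dummy (a single objectClass test naming a class no real group carries) rather than a filter that still pulls in groups, and that baseGroupNamespace is still a syntactically valid DN as the note above requires. The sample XML is constructed from the AD example above plus a second, group-enabled repository for contrast; the list REAL_GROUP_CLASSES is the author's assumption about which classes count as real groups, not something the page states.

```python
"""Verify an atlassian-user.xml repository is configured for authentication only:
dummy group filter, but a baseGroupNamespace that still parses as a DN."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the AD example from this page (authentication only) plus a
# second repository whose group filter is real, to show the difference.
SAMPLE_XML = """<atlassian-user>
  <repositories>
    <ldap key="adRepository" name="AD Repository" cache="true">
      <baseUserNamespace>cn=users,dc=ad,dc=atlassian,dc=com</baseUserNamespace>
      <baseGroupNamespace>ou=groups,dc=ad,dc=atlassian,dc=com</baseGroupNamespace>
      <usernameAttribute>sAMAccountName</usernameAttribute>
      <userSearchFilter>(objectClass=user)</userSearchFilter>
      <groupnameAttribute>cn</groupnameAttribute>
      <groupSearchFilter>(objectClass=dummyValue)</groupSearchFilter>
      <membershipAttribute>member</membershipAttribute>
    </ldap>
    <ldap key="ldapRepository" name="LDAP Repository" cache="true">
      <baseUserNamespace>dc=staff,dc=atlassian,dc=private</baseUserNamespace>
      <baseGroupNamespace>dc=groups,dc=atlassian,dc=private</baseGroupNamespace>
      <groupSearchFilter>(objectClass=groupOfNames)</groupSearchFilter>
    </ldap>
  </repositories>
</atlassian-user>"""

# Assumption: object classes that make a group filter "real". Extend for your directory.
REAL_GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group", "posixgroup"}

# RFC 4514 attribute type: a descriptor such as "cn" or "dc", or a numeric OID
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped separators inside the value."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair as-is
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Parse a DN into [[(type, value), ...], ...]; raise ValueError if malformed."""
    if not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):       # '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError("RDN without '=': %r" % ava)
            attr_type, value = (p.strip() for p in ava.split("=", 1))
            if not _ATTR_TYPE.match(attr_type) or not value:
                raise ValueError("bad attribute type or empty value: %r" % ava)
            avas.append((attr_type, value))
        rdns.append(avas)
    return rdns


def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def filter_object_class(flt):
    """Object class named by a filter of the form (objectClass=X); None for anything else."""
    m = re.fullmatch(r"\(objectClass=([^)]+)\)", flt.strip(), re.IGNORECASE)
    return m.group(1).strip().lower() if m else None


def check_auth_only(xml_text):
    """Per repository key: is the group filter a dummy, and is baseGroupNamespace a valid DN?"""
    result = {}
    for ldap in ET.fromstring(xml_text).iter("ldap"):
        oc = filter_object_class(ldap.findtext("groupSearchFilter", "") or "")
        result[ldap.get("key")] = {
            "group_filter_is_dummy": oc is not None and oc not in REAL_GROUP_CLASSES,
            "base_group_dn_valid": is_valid_dn(ldap.findtext("baseGroupNamespace", "") or ""),
        }
    return result


if __name__ == "__main__":
    for key, checks in check_auth_only(SAMPLE_XML).items():
        print(key, checks)
```

A repository is correctly set up for this procedure only when both values are true; a valid DN with a real group class means Confluence will still import LDAP groups, and a dummy filter with an invalid DN is the misconfiguration the note above warns about.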
Configuring multiple LDAP repositories
For some LDAP servers, it might be necessary to configure Confluence to connect to multiple LDAP servers. This functionality is available in Confluence 2.3 and above, and has a separate guide: Configuring multiple LDAP repositories.