
Confluence - LDAP integration doing my head in :)

Richard Scorgie November 15, 2011

Confluence 4.0 / Windows Server 2008 / Microsoft Active Directory

We have a directory of over 5000 users. What we want is for a user to come to the Confluence application and be able to use it straight away without any administration involvement. So far we have tried Microsoft Active Directory with Read Only with Groups. "Sync fails" and while the user GUID appears correctly in the header the message they get is "Access not permitted" which means that they are not being added to a group. Why?

Tried "Delegated LDAP Integration" which seems to be a better option but still doesn't work.

So while there is a great deal of documentation we are still a bit lost.

1. Do we need to create 'confluence-user' as a group in Active Directory?

2. What is the best LDAP integration option given the requirement of how a user can access the site?

3. What causes the sync to fail?

Any and all help is greatly appreciated.

4 answers

1 accepted

0 votes
Answer accepted
Scott Morrow
November 17, 2011

This is found in the schema settings on the User Directories page. You want to set your Base DN as dc=yourcompany, dc=local. Additional User DN as ou=YourDifferentFolder, Additional Group DN as ou=YourSpecialGroup. A couple of other things I found were: Uncheck Follow Referrals under Advanced Settings for better performance. If you decide to create groups in AD, create them in AD, then synchronize, rather than creating them in Confluence. Any group created in Confluence is created as a Distribution Group rather than a Security Group.

0 votes
Richard Scorgie November 17, 2011

Thanks that helped a bunch. So the only remaining bit is to know how to get Confluence to search a specified folder. For some reason it searched our USERS folder at the base of AD. I need it to search a different folder where the required group is. Ideas?

0 votes
Manse Wolken
November 16, 2011

For AD Integration as it works here I have done the following:

Set-up Confluence

Add AD as READ ONLY:

  • Make sure you have a bind user which has read permissions on User objects and group objects
  • Tell Confluence where to search for users. You don't want service user accounts to be able to see the wiki right?
  • Tell Confluence where to search group information.
  • In Confluence Global Options: Add the AD Group to the "View" Permissions, in which all your users are.

After that, NTLM is a nice thing to authenticate, but that is a different story.

0 votes
Matt Voight
November 15, 2011

Supposedly, Confluence is supposed to be able to create groups internally. I found that not to be true, unless a User Directory was created that has Read\Write capability.

If a group has been created in AD and LDAP has been synched with Confluence, users can log on to Confluence using their Windows logon/password.

Any group that was added to AD can be found in Confluence and users can then be added to the group.

In the end, I was forced to go into User Directories, create a "Corporate Directory" utilizing Microsoft AD (Read\Write). I am not happy with that at ALL because now Confluence has the ability to write back to LDAP.

If you delete a user in Confluence, the same user is deleted from AD - And here's some extra crazy-talk: If you add a user to a group in Confluence, the user is NOT added to the security group in AD.

Manse Wolken
November 17, 2011

In LDAP SCHEMA Part of the directory configuration:

Fields: "Additional USER DN" and "Additional GROUP DN"

The connector searches the LDAP tree from BASE (you put that in the field "BASE DN").

If you want to limit the searches to only a part of the tree, fill in the Additional fields.

Remember:

{Additional DN Field value}{Base DN}

ou=exampletreegroup,dc=my,dc=company,dc=org

Means that BASE DN equals "dc=my,dc=company,dc=org" and

ADDITIONAL equals "ou=exampletreegroup"
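The {Additional DN}{Base DN} rule above, as an added example that is not part of the original thread and not Atlassian code: a small Python helper that builds the effective search base, derives the Additional DN value from the full DN of the OU you want searched, and checks whether a given entry would fall inside that subtree (so accounts outside it, such as service accounts, stay invisible to the wiki). All DNs are constructed sample values.

```python
import re

def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas
    (RFC 4514), so 'cn=Doe\\, John,ou=x' yields ['cn=Doe\\, John', 'ou=x']."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip() for p in parts if p.strip()]

def normalise(dn):
    """Case- and whitespace-insensitive form used only for comparison."""
    return [p.lower() for p in split_dn(dn)]

def effective_search_base(additional_dn, base_dn):
    """What the connector actually searches: {Additional DN},{Base DN}.
    An empty Additional DN means the whole tree under Base DN is searched."""
    if not additional_dn.strip():
        return base_dn
    return f"{additional_dn},{base_dn}"

def additional_from_full(full_dn, base_dn):
    """Inverse: given the OU you want searched as a full DN and the configured
    Base DN, return the value for the Additional DN field. Raises if the OU is
    not under Base DN, which would make the search find nothing."""
    full, base = split_dn(full_dn), split_dn(base_dn)
    if len(full) < len(base) or normalise(full_dn)[-len(base):] != normalise(base_dn):
        raise ValueError(f"{full_dn!r} is not under base DN {base_dn!r}")
    return ",".join(full[:len(full) - len(base)])

def is_under(entry_dn, search_base):
    """True if a subtree search rooted at search_base would return entry_dn."""
    entry, base = normalise(entry_dn), normalise(search_base)
    return len(entry) >= len(base) and entry[-len(base):] == base

if __name__ == "__main__":
    # Constructed sample values mirroring the thread's example.
    base = "dc=my,dc=company,dc=org"
    search = effective_search_base("ou=exampletreegroup", base)
    print("search base:", search)
    print("additional:", additional_from_full(search, base))
    print("user visible:", is_under("cn=alice," + search, search))
    print("service acct visible:",
          is_under("cn=svc-backup,ou=service accounts," + base, search))
```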
