Confluence 4.0 / Windows Server 2008 / Microsoft Active Directory
We have a directory of over 5000 users. What we want is for a user to come to the Confluence application and be able to use it straight away without any administration involvement. So far we have tried Microsoft Active Directory with Read Only with Groups. "Sync fails" and while the user GUID appears correctly in the header the message they get is "Access not permitted" which means that they are not being added to a group. Why?
Tried "Delegated LDAP Integration" which seems to be a better option but still doesn't work. 
So while there is a great deal of documentation we are still a bit lost. 
1. Do we need to create 'confluence-user' as a group in Active Directory?
2. What is the best LDAP integration option given the requirement of how a user can access the site? 
3. What causes the sync to fail?
Any and all help is greatly appreciated.
This is found in the schema settings on the User Directories page. You want to set your Base DN as dc=yourcompany, dc=local. Additional User DN as ou=YourDifferentFolder, Additional Group DN as ou=YourSpecialGroup. A couple of other things I found were: Uncheck Follow Referrals under Advanced Settings for better performance. If you decide to create groups in AD, create them in AD, then synchronize, rather than creating them in Confluence. Any group created in Confluence is created as a Distribution Group rather than a Security Group.
Thanks that helped a bunch. So the only remaining bit is to know how to get Confluence to search a specified folder. For some reason it searched our USERS folder at the base of AD. I need it to search a different folder where the required group is. Ideas?
For AD Integration as it works here I have done the following:
Set up Confluence
Add AD as READ ONLY:
After that, NTLM is a nice thing to authenticate, but that is a different story.
Supposedly, Confluence is supposed to be able to create groups internally. I found that not to be true, unless a User Directory was created that has Read\Write capability.
If a group has been created in AD and LDAP has been synched with Confluence, users can log on to Confluence using their Windows logon/password.
Any group that was added to AD can be found in Confluence and users can then be added to the group.
In the end, I was forced to go into User Directories, create a "Corporate Directory" utilizing Microsoft AD (Read\Write). I am not happy with that at ALL because now Confluence has the ability to write back to LDAP.
If you delete a user in Confluence, the same user is deleted from AD - And here's some extra crazy-talk: If you add a user to a group in Confluence, the user is NOT added to the security group in AD.
In LDAP SCHEMA Part of the directory configuration:
Fields: "Additional USER DN" and "Additional GROUP DN"
The connector searches the LDAP tree from BASE (you put that in the field "BASE DN").
If you want to limit the searches to only a part of the tree, fill in the Additional fields.
Remember:
{Additional DN Field value},{BaseDN}
ou=exampletreegroup,dc=my,dc=company,dc=org
Means that BASE DN equals "dc=my,dc=company,dc=org" and
ADDITIONAL equals "ou=exampletreegroup"
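The composition rule above is easy to get wrong (pasting a full DN into the Additional field doubles the base and the sync finds nothing). The following is an added example, not code from any of the posts or from Atlassian: it composes the effective search bases the way the answer describes, flags that mistake, and builds the ldapsearch command an admin can run to confirm the group is visible under the group base before synchronizing. Host, bind DN and group name are assumed placeholders.

```python
"""Sanity-check a Confluence LDAP directory configuration offline:
compose {Additional DN},{Base DN} and emit a verification query."""
import shlex


def check_directory_config(base_dn: str, user_dn: str = "", group_dn: str = "") -> dict:
    """Return the effective user/group search bases plus any problems found.

    Mirrors the rule from the answer: an empty Additional DN means "search
    from the Base DN"; otherwise the Additional DN is prefixed to it.
    """
    base_dn = base_dn.strip()
    problems = []
    if not base_dn:
        problems.append("Base DN is required")

    def compose(additional: str, label: str) -> str:
        additional = additional.strip()
        if not additional:
            return base_dn
        # Common mistake: the full DN in the Additional field, which would
        # yield "ou=x,dc=my,dc=org,dc=my,dc=org" and an empty sync.
        if base_dn and additional.lower().endswith(base_dn.lower()):
            problems.append(f"{label} must be relative to the Base DN, got {additional!r}")
            return additional
        return f"{additional},{base_dn}"

    return {
        "user_base": compose(user_dn, "Additional User DN"),
        "group_base": compose(group_dn, "Additional Group DN"),
        "problems": problems,
    }


def ldapsearch_group_check(host: str, bind_dn: str, group_base: str, group_cn: str) -> str:
    """Build a read-only ldapsearch that an admin runs (with -W for the
    password prompt) to confirm the group exists under the composed base.
    AD groups carry objectClass=group."""
    ldap_filter = f"(&(objectClass=group)(cn={group_cn}))"
    argv = ["ldapsearch", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
            "-b", group_base, "-s", "sub", ldap_filter, "dn", "member"]
    return shlex.join(argv)


if __name__ == "__main__":
    cfg = check_directory_config("dc=my,dc=company,dc=org", group_dn="ou=exampletreegroup")
    print(cfg)
    # "ad.example.local", the bind DN and "confluence-users" are assumed values.
    print(ldapsearch_group_check("ad.example.local", "cn=svc-confluence,ou=Service Accounts,dc=my,dc=company,dc=org",
                                 cfg["group_base"], "confluence-users"))
```

If the query returns no entry, the Additional Group DN points at the wrong OU and Confluence will keep searching the default container, which matches the "Access not permitted" symptom in the question.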