    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Atlassian status as of October 26, 2018

      I’m excited to let you know that the latest release of Crowd Data Center features the ability for you to delegate user admin management to space admins, with the ‘delegated group level admin’ feature.

      For those of you who aren’t familiar with Crowd Data Center, it offers one place to manage your users, groups and directories and easily integrate your identity infrastructure across all self-hosted Atlassian products.

      I’m leaving this suggestion open, as I appreciate that this only provides a solution to those of you who currently have, or are considering investing in Crowd. However, to set expectations, this isn’t something we’re currently planning on working on within Confluence Server or Data Center.

      Best
      Jenny | Senior Product Manager, Confluence Server

      Given the credentials and settings are all the same, in an ideal world, I would like to specify as

      <host>host1|host2|host3</host>

      Confluence could then try to connect to host1, failover to 2, failover to 3.

      This is a single point of failure that would require a re-deployment to resolve, and could be avoided with this fix.

            [CONFSERVER-8867] Failover Support For LDAP

            This SHOULD be basic functionality not something we should even vote on to get implemented. 

            Richard Minick added a comment

            Atlassian Update - 27 Feb 2024

            Hi everyone,
            This is Richa Srivastava from the Confluence team. Thank you for your interest in this suggestion.
            While we appreciate the significant interest in this ticket, unfortunately we can’t implement every great idea. We continue to review the most urgent needs of our customers, and at this time have to prioritise other areas of Confluence, which include some highly voted suggestions.
            You can read more about how we prioritise what to implement here.
            To learn more about our recent investments in Confluence Data Center, please check our public roadmap and our dashboards containing recently resolved issues, and current work and future plans.
            Kind regards,
            Confluence Data Center

            Richa Srivastava (Inactive) added a comment

            For anyone reading this, you can add the secondary Domain Controller to the database itself and failover works. I have this working in confluence 7.19.14. We use a Postgres database and the following command within psql works to update the value as desired:

             

            -- Note: this matches the ldap.url attribute of every configured directory.
            UPDATE cwd_directory_attribute
            SET attribute_value = 'ldaps://dc1.domain.local:636 ldaps://dc2.domain.local:636'
            WHERE attribute_name = 'ldap.url';

             

            Edit: Make sure to either restart Confluence or reboot the server. Do a test to see that it's working (shut down DC1 and test, shut down DC2 and test, shut down both and make sure it fails)

             

            Edit2: For those looking to be a little more adventurous. Assuming (or not) that you have nginx as your proxy for Confluence, you can set up an LDAP proxy so that Confluence connects to itself at ldaps://localhost:636 and then that gets proxied to an upstream of DC1 or DC2 depending which server is up (this is built in to nginx).

            Deleted Account (Inactive) added a comment - edited

            Davide Trombini added a comment - - edited

            Every time our dc gets in trouble I wish all the Atlassian tools had this feature :|

            Or if the instance could be more tolerant when waiting for the dc to reply so that we can actually use the name rather than the ip address.

            I know that Crowd has this feature, but to me it makes little sense to have-yet-another-product just for this.

            Perhaps I can try to manually add the configuration to the db to see what happens.

            Please Atlassian, add this feature to your server products (not just the data center).


            missing basic enterprise features like this one .....

            Kamil Dolezel added a comment

            Another 12 months, and then some...

            ??

            Philip Brown added a comment

            Hi,

            it's longer than 12 months from report, any progress?

            Radek Zima added a comment

            Thanks for your interest in this issue.

            This request is considered a potential addition to our longer-term roadmap.
            We'll typically review this request in about 12 months time, at which point we’ll consider whether we need to alter its status.

            Cheers,

            Confluence Product Management

            Adam Barnes (Inactive) added a comment

            It seems like the LDAP backend of Confluence already supports multiple servers.

            Please see my response here: https://community.atlassian.com/t5/Jira-questions/Multiple-read-only-LDAP-user-directories/qaq-p/324128#M219840

            As far as I can tell, only the UI needs to be adapted, and the ldapUrl field needs to be re-parsed correctly.

            Entering multiple host names, separated by a space (and the protocol in front) will be accepted and failover will actually work:

            my-ldap-server-1:636 ldaps://my-ldap-server-2:636 ldaps://my-ldap-server-3

            But when I open the LDAP server "Edit" page again, the following exception occurs:

            Caused by: java.lang.NumberFormatException: For input string: "636 ldaps://my-ldap-server-2:636"
                    at java.lang.NumberFormatException.forInputString(Unknown Source)
                    at java.lang.Integer.parseInt(Unknown Source)
                    at java.lang.Integer.parseInt(Unknown Source)
                    at com.atlassian.crowd.embedded.admin.ldap.LdapDirectoryConfiguration.setLdapUrl(LdapDirectoryConfiguration.java:160)

            Can you prioritise this issue please, Atlassian? It really looks like there isn't a lot that needs to be done here...

            Gregor Riepl added a comment
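An added example (not part of the original thread, and not Atlassian code): a pre-flight check for a space-separated ldap.url value of the kind described in the two comments above, which parses each entry in order, rejects plaintext ldap://, and then probes the servers in sequence with a certificate-verified TLS handshake. The function names and the policy of rejecting plaintext entries are assumptions of this example.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldaps": 636, "ldap": 389}


def parse_ldap_urls(value, allow_plaintext=False):
    """Split a space-separated ldap.url value into ordered (host, port) pairs."""
    servers = []
    for entry in value.split():
        parts = urlsplit(entry)
        if parts.scheme not in DEFAULT_PORTS:
            raise ValueError(f"missing or unknown scheme in {entry!r}")
        if parts.scheme == "ldap" and not allow_plaintext:
            raise ValueError(f"plaintext ldap:// not allowed: {entry!r}")
        if not parts.hostname:
            raise ValueError(f"no host in {entry!r}")
        # .port raises ValueError for a non-numeric or out-of-range port
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.hostname, port))
    if not servers:
        raise ValueError("ldap.url value is empty")
    return servers


def tls_probe(host, port, timeout=3.0):
    """True if a TLS handshake succeeds with chain and hostname verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # refused, timed out, or ssl.SSLError (certificate failure)
        return False


def first_reachable(servers, probe=tls_probe):
    """Return the first (host, port) that passes the probe, in configured order."""
    for host, port in servers:
        if probe(host, port):
            return (host, port)
    return None


if __name__ == "__main__":
    # Constructed value, same shape as the one quoted in the thread
    sample = "ldaps://dc1.domain.local:636 ldaps://dc2.domain.local:636"
    print(first_reachable(parse_ldap_urls(sample)))
```

Because the probe verifies the certificate against the host name it dials, a server that is up but presents a certificate for a different name is reported as unreachable.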

            Sometimes I don't understand why such critical single points of failure like this still exist. It would be simple to enable support for several LDAP servers, so that each could be polled if the previous failed (the reason I logged this 9 years ago).

            This could be patched to provide the feature, but customers would not want to rely on 3rd party patches.

            You the customer could architect your environment to provide an agnostic entry point for LDAP with an F5 providing TCP fail-over between multiple DNS resolved hosts.  For those without such hardware, even a simple software TCP proxy would resolve this, and was the solution I implemented oh so many years ago.

            It would be awesome if Atlassian got their developers to tackle blindingly obvious product deficiencies like this during their code competitions, rather than to drive innovative development of new shiny things - even if they are very shiny!

            Andy Brook [Plugin People] added a comment

              Unassigned Unassigned
              meiyan.chan@atlassian.com Mei Yan Chan [Atlassian]
              Votes: 157
              Watchers: 97