Confluence Data Center / CONFSERVER-21855

AD/Crowd authenticated administrators using Confluence-controlled password (not the AD one)

      We have a new instance, with data restored from a Confluence 2.10 instance. We integrated Crowd authentication based on AD user groups.
      We have an AD group called crowd-confluence-administrators (so named to differentiate it in Confluence from the restored legacy confluence-administrators group), which I can see in Crowd and in Confluence. In Confluence this is the only group in Global permissions with System Admin and Confluence Admin rights.
      We have logging into Confluence working for our users with their AD password, so I know we have at least some part of the Crowd authentication right.
      When those users in the crowd-confluence-administrators group click on Browse, Confluence Admin, they are prompted for a password again. I see this as an extra security measure, and I'm not logging that as a problem.
      What happens at this stage, however, is that their AD password is not accepted. They must enter their old Confluence user password to get admin access. When their AD password changes, the password they use to get admin rights does not - it's just not looking to Crowd/AD for the password at that point. Why not? Is this a bug or a config issue?


            Matt Ryall added a comment -

            Fixed in Confluence 3.5 for Crowd without SSO, as part of CONF-20958.

            However, if you have Crowd configured with SSO, this is a duplicate of CONF-22421, which is still outstanding. Please watch that issue for updates.


            Dave Furlani added a comment -

            It's a workaround I can implement, although I would prefer a fix to the problem. I do like the added benefit for the admins, raising awareness that they are entering a higher level of permission that having to re-enter their password gives them (and the ability to drop admin access and return to being a normal user too).

            I think the websudo link you meant was http://confluence.atlassian.com/display/DOC/Configuring+Secure+Administrator+Sessions, although your link did point me in the right direction.

            Please keep me updated with the fix to this and/or CONF-20958 as the workaround isn't ideal.

            Thanks.

            Vincent Choy (Inactive) added a comment -

            Dave,
            We are just investigating this as Crowd does include a custom authenticator which relates to CONF-20958:

            As a workaround you can disable websudo if this is causing a major issue for your instance.

            Hope this helps.

              Assignee: Unassigned
              Reporter: Dave Furlani