
Assess Sun Directory LDAP server and paged results support for Confluence compatibility

With Confluence 3.5, some LDAP configurations are requiring paged results. Evidently Sun Directory LDAP doesn't support paged results. See also "Unable to Log in to Confluence 3.5 with 'LDAP error code 12 Unavailable Critical Extension' Due to Sun Directory Server Enterprise Edition and Paged Results".

Attachments: ldap6.jpg (409 kB)

Leon Kolchinsky added a comment -

Hi Ronald,

Please bear in mind that I'm not working for Atlassian.
I'm just using the same "User Directory" as you, here at Monash University (Melbourne).

I can only suggest upgrading to 3.5.13 (and then you could upgrade to 4.1 later on) and using the "Internal with LDAP Authentication" User Directory.
I'm attaching the config that worked for me (ldap6.jpg).
Your mileage may vary.

Cheers,
Leon Kolchinsky

Deleted Account (Inactive) added a comment -

Leon, I'm with you! Let me know if we need to look in our production support system for testing. I can arrange that most anytime. I'm in the US Central Timezone, Dallas, TX.
I've not read all the responses yet, but will test what you ask me to and follow you closely. If you need any details of my config please let me know.

Leon Kolchinsky added a comment -

I'm testing Confluence 4.1 and I can see that there is an issue with its "delegated Directory".
It seems that Atlassian didn't implement it properly there.
So, I've created an issue here - https://support.atlassian.com/browse/CSP-74150

I'll update you here on results.

Leon Kolchinsky added a comment -

Hello Ronald,

We had the same issues but found a "workaround":
You can use "Delegated LDAP Authentication".
That way every existing user that is already in the Confluence DB will be migrated to the new "cwd_user" table (Confluence is using CROWD modules now) and all new users and their groups will be added upon their first login.

This solution had some serious issues before the following bug was fixed - https://jira.atlassian.com/browse/CONF-22709 (Add on the fly group sync for delegated LDAP authentication.)
But it is fixed in 3.5.13 now.

I've also asked to resolve the following issues to make this "Delegated LDAP Authentication" solution fully compatible with 3.2 and earlier versions of Confluence (pre-"CROWD modules" integration):

1. https://jira.atlassian.com/browse/CONF-23845 - Allow LDAP users to be assigned to groups or permissions prior to initial log in
2. https://jira.atlassian.com/browse/CONF-23846 - Clean up/sync delegated LDAP users

Please vote for those issues to make them more attractive for Atlassian to fix!!!

Here is an example of my configuration with our SUN Directory server:

Name: Delegated LDAP Authentication Hybrid
Active: true
Type: DELEGATING
Created date: 2011-10-31 14:40:14.0
Updated date: 2011-10-31 14:40:14.0
Allowed operations: [UPDATE_ROLE_ATTRIBUTE, CREATE_USER, UPDATE_USER_ATTRIBUTE, UPDATE_USER, DELETE_USER, CREATE_ROLE, UPDATE_GROUP, CREATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP, DELETE_ROLE, UPDATE_ROLE]
Implementation class: com.atlassian.crowd.directory.DelegatedAuthenticationDirectory
Encryption type: null
Attributes:
    "autoAddGroups": "confluence-users"
    "crowd.delegated.directory.auto.create.user": "true"
    "crowd.delegated.directory.auto.update.user": "true"
    "crowd.delegated.directory.importGroups": "true"
    "crowd.delegated.directory.type": "com.atlassian.crowd.directory.SunONE"
    "ldap.basedn": "o=Monash University,c=AU"
    "ldap.group.description": "description"
    "ldap.group.dn": "ou=Groups"
    "ldap.group.filter": "(objectclass=groupOfUniqueNames)"
    "ldap.group.name": "cn"
    "ldap.group.objectclass": "groupOfUniqueNames"
    "ldap.group.usernames": "uniquemember"
    "ldap.pagedresults": "false"
    "ldap.pagedresults.size": "1000"
    "ldap.password": (not shown)
    "ldap.referral": "false"
    "ldap.url": "ldap://my.monash.edu.au:4389"
    "ldap.user.displayname": "cn"
    "ldap.user.dn": "null"
    "ldap.user.email": "mail"
    "ldap.user.filter": "(&(objectClass=inetOrgPerson)(uid=*))"
    "ldap.user.firstname": "givenname"
    "ldap.user.group": "memberOf"
    "ldap.user.lastname": "sn"
    "ldap.user.objectclass": "inetOrgPerson"
    "ldap.user.username": "uid"
    "ldap.user.username.rdn": "cn"
    "ldap.userdn": "uid=mdsconfl, o=Monash University, c=AU"
    "ldap.usermembership.use": "false"
    "ldap.usermembership.use.for.groups": "false"

Jeremy Largman added a comment -

Hi Ronald, please open a support ticket for this. We'll want to investigate your specific configuration further. This was closed as 'not a bug' because we couldn't replicate it. Hopefully we can set paging or find a configuration to work for you, or figure out the configuration such that we can reopen this improvement/bug.

Deleted Account (Inactive) added a comment -

This issue says it's resolved. Is it? I still have problems with the SUN Directory server, and we cannot use Confluence, Crowd or Jira with our Corp LDAP (SDS 5.2, will not be upgraded anytime soon). We're at 3.5.13 Confluence, and need to set up 70K users manually? You can guess what the answer to continued use of Confluence will be...
Can someone tell me how this is progressing elsewhere, if it has not been stopped?

Martin Mitry added a comment -

Hi,

we are planning to upgrade from 3.0.0_01 to 3.5.9 and, regarding LDAP, are experiencing the following error with SunONE Directory Server:

[LDAP: error code 4 - Sizelimit Exceeded]

I know this is described here (Unable to Log In with Confluence 3.5 or Later Due to 'LDAP error code 4 - Sizelimit Exceeded').

When enabling 'Use Paged Results', Confluence gets the following error

OperationNotSupportedException: [LDAP: error code 12 - The server is not configured to pass through control 1.2.840.113556.1.4.319

which is also described here.

The LDAP connection is working in 3.0.0_01.

Is there a solution for this problem?
Thanks
Martin
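The two errors Martin lists are two sides of one mismatch: with paging off, an unpaged search returns more entries than the server's size limit allows (error code 4); with paging on, Confluence sends the Simple Paged Results control 1.2.840.113556.1.4.319 as critical, and a server that does not advertise it rejects the search (error code 12). An added diagnostic, not from this issue or from Atlassian: the Python below checks whether the directory's rootDSE advertises that control and derives the matching ldap.pagedresults value. The ldapsearch output, the other OIDs, the 2000 size limit and the function names are constructed for the example; the 70,000-user figure is the one quoted in this thread.

```python
import re

# OID of the Simple Paged Results control (RFC 2696). This is the control
# Confluence sends when "Use Paged Results" is on, and the one named in the
# "error code 12 ... control 1.2.840.113556.1.4.319" message above.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# Constructed sample of `ldapsearch -x -LLL -s base -b "" supportedControl`
# for a rootDSE that does not advertise paged results (as the thread reports
# for Sun Directory). The folded OID on the last line exercises LDIF unfolding.
ROOTDSE_NO_PAGING = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.1466.
 29539.12
"""

# Constructed sample for a server that does advertise the control.
ROOTDSE_WITH_PAGING = ROOTDSE_NO_PAGING + f"supportedControl: {PAGED_RESULTS_OID}\n"


def ldif_values(ldif: str, attr: str) -> list[str]:
    """Return all values of `attr` in a single LDIF entry. A line starting
    with one space continues the previous line, so join those first."""
    unfolded = re.sub(r"\n ", "", ldif)
    out = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            out.append(value.strip())
    return out


def supports_paged_results(rootdse_ldif: str) -> bool:
    return PAGED_RESULTS_OID in ldif_values(rootdse_ldif, "supportedControl")


def recommend_paging(rootdse_ldif: str, user_count: int, server_sizelimit: int) -> dict:
    """Pick the ldap.pagedresults value that avoids both errors from the thread:
    code 12 if paging is on but the control is unadvertised, code 4 if paging
    is off and one unpaged search must return more entries than the server's
    size limit permits."""
    paged = supports_paged_results(rootdse_ldif)
    return {
        "ldap.pagedresults": "true" if paged else "false",
        "expected_error_if_enabled": None if paged else "LDAP error code 12",
        # Without paging, the server-side size limit must cover the whole user base.
        "raise_server_sizelimit": (not paged) and user_count > server_sizelimit,
    }
```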

Matt Ryall added a comment -

If you're getting the problem mentioned in this case and you're actually using Active Directory (not Sun Directory LDAP server), you will need to set the usernameAttribute value to 'sAMAccountName' in atlassian-user.xml when you upgrade to Confluence 3.5. This is how Confluence works out that your directory configuration requires paged results to be enabled during the upgrade process.

Matt Ryall added a comment -

I've tested Sun DSEE 6.0 (with paged results disabled) and haven't managed to see any problems with Confluence with 2000 users.

If you're having a problem with a supported directory server after upgrading to Confluence 3.5, please contact support.

Matt Ryall added a comment -

The only major difference I can see in the configuration is one line in the atlassian-user DefaultLdapContextFactory:

result.put(Context.BATCHSIZE, Integer.toString(connectionProperties.getSearchBatchSize()));

This might affect the ability to work with Sun directory server. The default for this value in atlassian-user was 100. Going to talk with the Crowd guys to see whether we can test this somehow.

Note to customers and support: there is no way to set this value in Confluence 3.5. We're still looking into whether this is the cause.
