「CONFLUENCE」- Connecting to an LDAP Service

User Account Management

Deleting Users

Delete or Disable Users | version 9.2
https://confluence.atlassian.com/doc/delete-or-disable-users-138318.html

If a user appears in more than one Directory at the same time:

  • The user must first be deleted in LDAP,
  • Then an "Unsynced from directory" cleanup must be run; only after that does the Delete button appear;
  • If the Directory type was changed in between, it may have to be restored first, and the cleanup run after that;

Administrator Password Reset

Restore Passwords To Recover Admin User Rights | version 8.8
https://confluence.atlassian.com/conf88/restore-passwords-to-recover-admin-user-rights-1354500321.html

# 12/19/2024 In our test this did not take effect, or our method was incorrect;

LDAP Integration Management

Connecting to an LDAP Directory | Confluence Data Center 8.9 | Atlassian Documentation

We provide built-in connectors for the most popular LDAP directory servers:

  • Microsoft Active Directory
  • Apache Directory Server (ApacheDS)
  • Apple Open Directory
  • Fedora Directory Server
  • Novell eDirectory
  • OpenDS
  • OpenLDAP
  • OpenLDAP Using Posix Schema
  • Posix Schema for LDAP
  • Sun Directory Server Enterprise Edition (DSEE)
  • A generic LDAP directory server

User Directories

Administrator / User management / User Directories / Order

Or, for certain extreme scenarios, edit the database directly: the cwd_app_dir_mapping and cwd_directory tables (take a database backup before doing so);

Connecting to the Light LDAP (lldap) Service

# 05/20/2025 Confluence 9.2.1

Server Settings

  • Name: LDAP Server
  • Directory Type: Generic Directory Server
  • Hostname:
  • Port: 3890
  • Username: cn=admin,ou=people,dc=example,dc=com
  • Password:

LDAP Schema:

  • Base DN: dc=example,dc=com
  • Additional User DN: ou=people
  • Additional Group DN: ou=groups

LDAP Permissions

  • Read Only, with Local Groups
  • Default Group Memberships: confluence-users // According to the UI hint, users picked up by the first sync are not added to this group; they are added on their first login.

Advanced Settings

  • Synchronization Interval (minutes): 1 // keeps user data current; LDAP server load is not a concern in our case

User Schema Settings:

  • User Object Class: inetorgperson
  • User Object Filter: (objectclass=inetorgperson)
  • User Name Attribute: uid
  • User Name RDN Attribute: cn
  • User First Name Attribute: first_name
  • User Last Name Attribute: last_name
  • User Display Name Attribute: cn
  • User Email Attribute: mail
  • User Password Attribute: NotReturned // confirmed with ldapsearch: no password attribute is returned
  • User Password Encryption: SHA // any value works
  • User Unique ID Attribute: entryuuid

Group Schema Settings:

  • Group Object Class: groupOfUniqueNames
  • Group Object Filter: (objectClass=groupOfUniqueNames)
  • Group Name Attribute: cn
  • Group Description Attribute: uid

Membership Schema Settings

  • Group Members Attribute: uniquemember
  • User Membership Attribute: memberOf
  • Use the User Membership Attribute: checked

Save and test

# 05/25/2025 On Save and test, the message "Test user can authenticate : Not performed" was shown; for our scenario this does not affect the requirement, so we ignored it.
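Before trusting the mapping above, it is worth checking an actual export of the lldap tree for entries that the User/Group Object Filters would match but that lack what the mapping needs. The following is an added example (not from this page, Atlassian or lldap): it parses an LDIF dump, such as the output of `ldapsearch -x -LLL -H ldap://HOST:3890 -D "cn=admin,ou=people,dc=example,dc=com" -W -b dc=example,dc=com` (HOST assumed), and reports users lacking a mapped attribute, groups without a cn, uniquemember values that are not synced users, uniquemember/memberOf disagreements, and entries returned with no attributes at all, which is the condition behind the "does not have a groupname" error further down. The LDIF embedded in the script is constructed for the example; the attribute names mirror the settings above.

```python
import base64, re

# Attribute names as mapped in Confluence (assumed to mirror the settings on this
# page); LDAP names are case-insensitive, so everything is compared lowercase.
USER_CLASS, GROUP_CLASS = "inetorgperson", "groupofuniquenames"
USER_ATTRS = ("uid", "cn", "first_name", "last_name", "mail", "entryuuid")
GROUP_NAME, MEMBERS, MEMBER_OF = "cn", "uniquemember", "memberof"

# Constructed sample export (not real directory data); it deliberately carries
# one defect of each kind the checker reports.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: alice
first_name: Alice
last_name: Liddell
mail: alice@example.com
entryUUID: 11111111-2222-3333-4444-555555555555
memberOf: cn=wiki-editors,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: bob
first_name: Bob
mail: bob@example.com
entryUUID: 66666666-7777-8888-9999-000000000000

dn: cn=wiki-editors,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: wiki-editors
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com

dn: cn=nameless,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=carol,ou=people,dc=example,dc=com

dn: cn=child,cn=wiki-editors,ou=groups,dc=example,dc=com
"""

def norm_dn(dn):
    # Trim, drop spaces around commas and lowercase a DN for comparison.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """LDIF -> [{'dn': str, 'attrs': {lowercase name: [values]}}]."""
    text = text.replace("\n ", "")            # unfold continuation lines
    entries, current = [], None
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep or name.startswith("#"):
            continue
        if value.startswith(":"):             # base64-encoded value ("attr:: ...")
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value, name = value.strip(), name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries

def classes(entry):
    return [v.lower() for v in entry["attrs"].get("objectclass", [])]

def check_mapping(entries):
    """Return (summary, findings); findings is a list of (dn, message)."""
    findings = []
    users = [e for e in entries if USER_CLASS in classes(e)]
    groups = [e for e in entries if GROUP_CLASS in classes(e)]
    user_dns = {norm_dn(e["dn"]) for e in users}
    for e in entries:                         # the condition behind Crowd's
        if not e["attrs"]:                    # "does not have a groupname" error
            findings.append((e["dn"], "entry returned with no attributes"))
    for u in users:
        for attr in USER_ATTRS:
            if attr not in u["attrs"]:
                findings.append((u["dn"], f"user lacks mapped attribute {attr}"))
    # Group side (uniqueMember) and user side (memberOf) must agree, because
    # "Use the User Membership Attribute" makes Crowd trust memberOf.
    from_groups, from_users = set(), set()
    for g in groups:
        if GROUP_NAME not in g["attrs"]:
            findings.append((g["dn"], f"group lacks name attribute {GROUP_NAME}"))
        for m in g["attrs"].get(MEMBERS, []):
            if norm_dn(m) in user_dns:
                from_groups.add((norm_dn(m), norm_dn(g["dn"])))
            else:
                findings.append((g["dn"], f"{MEMBERS} {m} is not a synced user"))
    for u in users:
        for g in u["attrs"].get(MEMBER_OF, []):
            from_users.add((norm_dn(u["dn"]), norm_dn(g)))
    for ud, gd in sorted(from_groups - from_users):
        findings.append((ud, f"in {MEMBERS} of {gd} but has no matching {MEMBER_OF}"))
    for ud, gd in sorted(from_users - from_groups):
        findings.append((ud, f"{MEMBER_OF} names {gd} but that group does not list the user"))
    return {"users": len(users), "groups": len(groups), "findings": len(findings)}, findings

if __name__ == "__main__":
    for dn, msg in check_mapping(parse_ldif(SAMPLE_LDIF))[1]:
        print(dn, "->", msg)
```

Run against a real export by replacing SAMPLE_LDIF with the file contents; an empty findings list means every matched entry has what the mapping asks for. A non-empty list of "entry returned with no attributes" findings is the thing to look for first, since that is the shape of the record Crowd rejects in the sync failure described below.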

Other Documents

How to write LDAP search filters |
https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

[Sol.] … Synchronization failed. See server logs for details …

Unable to find the groupname of the principal error when connecting to an OpenLDAP/FedoraDS directory
User Directory (Active Directory) Synchronisation is failing with ‘Unable to find the groupname of the principal

Clicking the User Directories / LDAP server / Synchronize button produces the error … Synchronization failed. See server logs for details ….

Enable Confluence LDAP logging and inspect /var/confluence/logs/atlassian-confluence-security.log; it contains the error … org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal ….

...
2024-12-19 16:29:59,140 INFO [Caesium-1-3] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedGroups synchronized [ 14 ] groups in [ 4ms ]
2024-12-19 16:29:59,236 INFO [Caesium-1-3] [crowd.directory.rfc4519.RFC4519DirectoryMembershipsIterable] searchChildrenDns Searching for children of 14 groups
2024-12-19 16:29:59,540 ERROR [Caesium-1-3] [ldap.mapper.entity.LDAPGroupAttributesMapper] getGroupNameFromAttributes The following record does not have a groupname: NameAwareAttribute; attributes: {}
2024-12-19 16:29:59,540 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Exception occured when performing full synchronization
org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal.
	at com.atlassian.crowd.directory.ldap.mapper.entity.LDAPGroupAttributesMapper.getGroupNameFromAttributes(LDAPGroupAttributesMapper.java:141)
...

Our guess is that the entries lldap returns do not contain a groupname attribute, and this is what stops Confluence from completing the sync. The log above supports this: the 14 groups themselves were cached successfully (addOrUpdateCachedGroups synchronized [ 14 ] groups), and the error is raised one step later, in searchChildrenDns, when Crowd looks for the children of those groups and gets back a record with an empty attribute set (attributes: {}), from which no group name can be read.

So the workaround is to set the Group Schema Settings (Group Object Class, Group Object Filter) so that no group information is imported at all, i.e. so that the filter matches no groups. Group membership is then handled on the Confluence side through local groups (the Read Only, with Local Groups permission mode), with new users landing in confluence-users via Default Group Memberships on their first login.

Log of a successful synchronization:

...  INFO [http-nio-8090-exec-12] [embedded.admin.list.DirectoriesController] sync User directory synchronisation requested: [ LDAP server ], type: [ CONNECTOR ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache INCREMENTAL synchronisation for directory [ 42139649 ] starting
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Attempting INCREMENTAL synchronisation for directory [ 42139649 ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Incremental synchronisation for directory [ 42139649 ] was not completed, falling back to a full synchronisation
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache FULL synchronisation for directory [ 42139649 ] starting
...  INFO [Caesium-1-1] [directory.ldap.cache.RemoteDirectoryCacheRefresher] findAllRemoteUsers found [ 43 ] remote users in [ 26 ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] deleteCachedUsersNotIn scanned and compared [ 43 ] users for delete in DB cache in [ 2ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] deleteCachedUsersNotIn scanned for deleted users in [ 2ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] getUsersToAddAndUpdate scanning [ 43 ] users to add or update
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedUsers scanned and compared [ 43 ] users for update in DB cache in [ 2ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedUsers synchronised [ 43 ] users in [ 4ms ]
...  INFO [Caesium-1-1] [directory.ldap.cache.RemoteDirectoryCacheRefresher] findAllRemoteGroups found [ 0 ] remote groups in [ 69 ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] determineGroupsToRemoveByName scanned and compared [ 0 ] groups for delete in DB cache in [ 2ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedGroups scanning [ 0 ] groups to add or update
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] findGroupsToUpdate scanned and compared [ 0 ] groups for update in DB cache in [ 1ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedGroups synchronized [ 0 ] groups in [ 3ms ]
...  INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache FULL synchronisation complete for directory [ 42139649 ] in [ 237ms ]
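To check the outcome of a synchronisation without reading the whole file by hand, the following added example (not part of this page or of Confluence) parses lines in the format of the atlassian-confluence-security.log excerpts above into one record per sync run and raises alerts for failed runs; with expect_groups=True it also flags runs that imported 0 groups, which is the intended state under the workaround above but a misconfiguration elsewhere. The log lines embedded in the script are constructed after the excerpts above (same thread names, directory id and messages), not copied from a real server.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<method>\S+) (?P<msg>.*)$")
START_RE = re.compile(r"(FULL|INCREMENTAL) synchronisation for directory \[ (\d+) \] starting")
FOUND_RE = re.compile(r"found \[ (\d+) \] remote (users|groups)")
SYNCED_RE = re.compile(r"synchroni[sz]ed \[ (\d+) \] (users|groups)")
DONE_RE = re.compile(r"synchronisation complete for directory \[ (\d+) \] in \[ (\d+)\s*ms \]")

# Constructed lines in the format of the excerpts above (one failed run on
# Caesium-1-3, one successful run on Caesium-1-1); not copied from a real server.
SAMPLE_LOG = """\
2024-12-19 16:29:58,900 INFO [Caesium-1-3] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache FULL synchronisation for directory [ 42139649 ] starting
2024-12-19 16:29:59,140 INFO [Caesium-1-3] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedGroups synchronized [ 14 ] groups in [ 4ms ]
2024-12-19 16:29:59,236 INFO [Caesium-1-3] [crowd.directory.rfc4519.RFC4519DirectoryMembershipsIterable] searchChildrenDns Searching for children of 14 groups
2024-12-19 16:29:59,540 ERROR [Caesium-1-3] [ldap.mapper.entity.LDAPGroupAttributesMapper] getGroupNameFromAttributes The following record does not have a groupname: NameAwareAttribute; attributes: {}
2024-12-19 16:29:59,540 ERROR [Caesium-1-3] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Exception occured when performing full synchronization
org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal.
    at com.atlassian.crowd.directory.ldap.mapper.entity.LDAPGroupAttributesMapper.getGroupNameFromAttributes(LDAPGroupAttributesMapper.java:141)
2025-05-20 10:15:00,001 INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache INCREMENTAL synchronisation for directory [ 42139649 ] starting
2025-05-20 10:15:00,003 INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache Incremental synchronisation for directory [ 42139649 ] was not completed, falling back to a full synchronisation
2025-05-20 10:15:00,004 INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache FULL synchronisation for directory [ 42139649 ] starting
2025-05-20 10:15:00,030 INFO [Caesium-1-1] [directory.ldap.cache.RemoteDirectoryCacheRefresher] findAllRemoteUsers found [ 43 ] remote users in [ 26 ms ]
2025-05-20 10:15:00,040 INFO [Caesium-1-1] [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] addOrUpdateCachedUsers synchronised [ 43 ] users in [ 4ms ]
2025-05-20 10:15:00,110 INFO [Caesium-1-1] [directory.ldap.cache.RemoteDirectoryCacheRefresher] findAllRemoteGroups found [ 0 ] remote groups in [ 69 ms ]
2025-05-20 10:15:00,241 INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache FULL synchronisation complete for directory [ 42139649 ] in [ 237ms ]
"""

def new_run(thread, ts):
    return {"thread": thread, "started": ts, "mode": None, "directory": None,
            "users": None, "groups": None, "status": "running",
            "duration_ms": None, "errors": [], "exception": None}

def parse_sync_runs(text):
    """Group log lines into one record per synchronisation run, keyed by thread."""
    runs, by_thread, last_thread = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                                  # exception / stack-trace line
            run = by_thread.get(last_thread)
            if run and run["status"] == "failed" and run["exception"] is None:
                run["exception"] = raw.strip()     # keep the first line only
            continue
        thread, level, method, msg = m["thread"], m["level"], m["method"], m["msg"]
        last_thread = thread
        start = START_RE.search(msg)
        run = by_thread.get(thread)
        if run is None or (start and run["status"] != "running"):
            run = by_thread[thread] = new_run(thread, m["ts"])
            runs.append(run)
        if start:                                  # INCREMENTAL may fall back to FULL
            run["mode"], run["directory"] = start.group(1), start.group(2)
        if level == "ERROR":
            run["errors"].append(f"{method}: {msg}")
            if method == "synchroniseCache":       # the sync itself gave up
                run["status"] = "failed"
        for rx in (FOUND_RE, SYNCED_RE):           # first count seen wins
            c = rx.search(msg)
            if c and run[c.group(2)] is None:
                run[c.group(2)] = int(c.group(1))
        d = DONE_RE.search(msg)
        if d:
            run["status"], run["duration_ms"] = "complete", int(d.group(2))
    return runs

def alerts(runs, expect_groups=False):
    """Detection rules a monitor would apply to the parsed runs."""
    out = []
    for r in runs:
        tag = f"{r['thread']} {r['started']} dir={r['directory']}"
        if r["status"] == "failed":
            out.append(f"{tag}: sync FAILED: {r['exception'] or r['errors'][-1]}")
        elif r["status"] == "running":
            out.append(f"{tag}: sync started but no completion logged")
        if expect_groups and r["groups"] == 0:
            out.append(f"{tag}: 0 groups imported; group permissions rely on local groups only")
    return out

if __name__ == "__main__":
    for line in alerts(parse_sync_runs(SAMPLE_LOG), expect_groups=True):
        print(line)
```

Feed it the real file by replacing SAMPLE_LOG with its contents; the "started but no completion logged" rule catches runs cut off by a restart, and the exception captured for a failed run is the first line after the ERROR, which is the one the Atlassian KB articles above key on.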