Hello,
My users are logged in to Confluence automatically (without any login page).
Is there a way to log in with an admin account even if all Active Directory servers are down?
And does the user cache remain after a reboot?
We have our technical documentation on that system and it should be available even with part of your infrastructure down (i.e. Active Directory).
I am using Confluence HTTP Authenticator (and no budget for shiny paid SSO solutions, unfortunately).
Hi Anael,
I believe it depends on the order of the user directories in Confluence. If the internal directory is in the first position, then even if the LDAP crashes, you can still log in with the internal admin. However, if the LDAP is in the first position, the instance will fail with the sync and the subsequent logins won't work.
Regards,
Rodrigo
Even with the correct order, my Confluence HTTP Authenticator doesn't allow local users to log in.
Hi Anael,
Yes, it is possible to log in with admin rights even if your AD server is down.
In this case you would log in as an internal administrator, which is stored in the Confluence Internal Directory. Of course, this directory must be enabled for this to work. We don't suggest you disable the Internal directory.
You can identify and recover the password for the local administrator following the instructions from this article.
Regards,
LM
Where does SSO authenticator take headers from i.e. who actually authenticates the user?
Hmm, could be a good idea; I did not think about multiple connectors in Tomcat. I will try that.
All the SSO configuration is in Tomcat. I have an Apache proxy in front to have a better-looking URL (no port 8090).
Re: separate entry/separate port - I meant separate Connector element on a different port
So, SSO happens before Confluence (probably in front-facing Apache?). This is where a "bypass" needs to be configured, and the questions about "AD being offline" are to that authenticator, not Confluence, e.g. if AD is offline, will the SSO authenticator fail completely or let you through to the Confluence login page (where the local admin should work in this situation)? In this kind of setup Apache is playing a "reverse proxy" and the location being proxied is configured to do something to perform SSO. You probably need to set up another location in Apache _without SSO_ proxying the same Confluence instance. Confluence may require a separate entry (and a separate port) in server.xml with correct proxy details.
I could use a workaround with a script when an issue occurs:
Replace the configuration with the SSO-config to be able to log in on the wiki.
After the problem is solved: another script to set the SSO-config back in place.
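The swap described in the comment above, as an added example that is not part of the original thread. It assumes the authenticator is selected in Confluence's `seraph-config.xml`; the staged file names `seraph-config.sso.xml` and `seraph-config.local.xml` and the log name `auth-switch.log` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: staged swap of the authenticator configuration.
# Assumed (hypothetical) layout inside the directory passed as <conf_dir>:
#   seraph-config.xml        active file
#   seraph-config.sso.xml    staged copy that enables the SSO authenticator
#   seraph-config.local.xml  staged copy that uses the normal login page
ACTIVE=seraph-config.xml

# Print which staged variant is currently active: sso, local or unknown.
active_mode() {
    local dir=$1 mode
    for mode in sso local; do
        if cmp -s "$dir/$ACTIVE" "$dir/seraph-config.$mode.xml"; then
            echo "$mode"; return 0
        fi
    done
    echo unknown
}

# switch_auth_config <sso|local> <conf_dir>
# Prints "switched" or "unchanged"; returns non-zero on bad input.
switch_auth_config() {
    local mode=$1 dir=$2 src tmp
    case $mode in
        sso|local) ;;
        *) echo "mode must be sso or local" >&2; return 2 ;;
    esac
    src="$dir/seraph-config.$mode.xml"
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    if [ "$(active_mode "$dir")" = "$mode" ]; then
        echo unchanged; return 0
    fi
    # Keep the file being replaced so a hand-edited config is never lost.
    if [ -f "$dir/$ACTIVE" ]; then
        cp -p "$dir/$ACTIVE" "$dir/$ACTIVE.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    # Copy next to the target, then rename: the active file is never half-written.
    # cp -p carries over the staged file's mode (and owner when run as root).
    tmp=$(mktemp "$dir/.seraph.XXXXXX") || return 1
    cp -p "$src" "$tmp" && mv -f "$tmp" "$dir/$ACTIVE" || { rm -f "$tmp"; return 1; }
    # Audit trail: who switched the login path, and when.
    echo "$(date -u +%FT%TZ) ${SUDO_USER:-${USER:-unknown}} -> $mode" >> "$dir/auth-switch.log"
    echo switched
}
```

Confluence reads `seraph-config.xml` at startup, so a switch takes effect only after a restart. Reviewing `auth-switch.log` after an outage confirms the instance was returned to `sso` mode.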
Hi Anael,
I certainly do not want to go on and on about this; I did get that you do not have extra budget for any other software or integration right now. However, I just wanted to let you know about a successful configuration that I have just tested in two minutes' time on my test environment. It might be interesting for you if you don't find any other solution.
So, as I wrote earlier, I configured Confluence to use Crowd and I linked Crowd to an internal directory containing the local admin accounts and an AD Active Directory containing the Windows user accounts. Windows SSO (no login page) is provided by this add-on: https://marketplace.atlassian.com/plugins/com.cleito.iwaac
I stopped the AD domain controller so as to simulate a problem and I was still able to log in to Confluence using the local admin accounts without changing any configuration file.
Hope this might help.
Best regards,
Bruno
I am using Confluence HTTP Authenticator (and no budget for shiny paid SSO solutions, unfortunately).
Thanks Luiz,
I have the internal directory enabled and I have set a dummy admin account and set its password.
I have tried to log in using that admin account, but no luck: unable to log in. If I delete the LDAP config I can log in with that admin user, so the account seems properly set.
Should I use any directory-prefix when I try to login with a local account? (like Internal\dummyAdmin)
Hi Anael,
Another option would be to use Crowd. You would configure Confluence to use Crowd as its user management system and link Crowd to two different directories:
1/ Active Directory
2/ An internal Crowd directory in which you would have your local admin accounts.
You would then be able to log onto Confluence with your admin accounts even if Active Directory is down.
My 2 cents :-)
Best regards,
Bruno
As Rodrigo mentions below - check the sequence of directories. I suppose since the login is a "dummy" one - a user with the same login doesn't exist in the LDAP/AD directory.
And the question still remains - how does this map to your "my users are being logged in automatically" i.e. SSO solution. Would you be using this account only when SSO fails, i.e. your SSO solution does have a fallback URL (the regular login page)?
It doesn't seem I can have a fallback URL with "Confluence HTTP Authenticator". I will dig into the documentation to find out if it exists.
It all depends on what solution you are using for SSO - can you share more details? Some SSO solutions (like our EasySSO) provide means to skip SSO via a special URL and revert to the regular application (Confluence) login page. Your ability to log in with an account then depends on how the application is configured - if the account is local then it should be possible. Re: user cache - please elaborate what cache is meant and where.