Compatible with Fusion version: 4.0.0 through 5.12.0
You can configure this datasource to crawl pages, spaces, blog posts, comments, and attachments.
The Atlassian v1 API used for this connector will be removed by Atlassian on December 2, 2024. At that time, this connector will no longer function. Instead, use the Confluence recipe with the REST V2 connector, which works with the Atlassian v2 API.
The Fusion Confluence V1 connector supports Confluence Server versions 5.5 and later and Confluence Cloud.

Prerequisites

Perform these prerequisites to ensure the connector can reliably access, crawl, and index your data. Proper setup helps avoid configuration or permission errors, so use the following guidelines to keep your content available for discovery and search in Fusion.
  • The user account in Confluence must be set up.
    • Grant read access to the user account for any spaces and pages being crawled.
    • If you want to crawl attachments, then grant read access to the user account for attachments.
    • If you are indexing ACLs for security trimming, the user account must have the ability to query Users and Groups APIs.

Authentication

Setting up the correct authentication according to your organization’s data governance policies helps keep sensitive data secure while allowing authorized indexing. The methods of authenticating are basic authentication, NTLM authentication for Windows-based enterprise networks with Active Directory, and request authentication for OAuth or a personal access token.

Basic authentication

The authentication options for the Confluence V1 connector in Lucidworks Fusion depend on whether you’re using Confluence Cloud or Confluence Server/Data Center. For Confluence Server/Data Center, you can use a username and password, unless it’s disabled by your organization’s policies. Confluence Cloud does not support password-based login. Instead, use the request authentication method with an API token.

NTLM authentication for Windows/Active Directory

Gather credentials with read access to the Confluence pages and any attachments or APIs you want the connector to crawl. Enter the following in Fusion:
  • Your AD account username as Confluence Username.
  • Your AD account password as Confluence Password or API Token.
  • Your Windows domain as Domain (NTLM auth only).

Request authentication

Request authentication is a flexible method that can use a Bearer token, API key, or OAuth token, depending on your Confluence setup. For Confluence Cloud, go to Atlassian API tokens and generate a new token. After entering your credentials in Fusion, save and test the connection. Fusion should return “Success” or a detailed error such as 401, invalid token.

Common Issues

If you encounter any of the following problems, take the suggested actions to resolve them:
  • 401 Unauthorized: Check your token/credentials and ensure your user account has proper access.
  • Token works in browser but not Fusion: Verify HTTPS is used and ensure no firewall blocks Fusion from reaching Confluence.
  • “User does not have permission” error: Ensure the user account has read access to the spaces, pages, and attachments.

Confluence Connector’s security trimming

Why do some field names have different numbers?

After crawling some test Confluence content, the Solr index has ACL fields such as acl_users_0_s and acl_groups_0_ss, but the field names can have different numbers. For example, some documents have acl_users_1_s or acl_users_6_s. This is due to the way Confluence handles user and group viewing permissions: each of these fields represents one ancestor level of the item’s security. If a user does not match EACH level of permissions, the user cannot see the document and the document is filtered out. Three fields are used during security trimming:
  • ancestorCount_i stores the number of ancestors this item has
  • acl_users_i_s stores the users allowed to see this item at ancestor number i
  • acl_groups_i_s stores the groups allowed to see this item at ancestor number i
Users and groups that want to see a document in Confluence are checked ancestor by ancestor, in order. During security trimming, you give the filter a queryUser and it returns the Confluence documents this user can access. The Confluence security trimming algorithm does the following:
  1. Calculate the maximum ancestorCount_i of all documents in the index (max(ancestorCount_i)).
  2. Query Confluence for the Confluence Security Groups that queryUser is part of.
  3. Then for i from [0 to max(ancestorCount_i)], append an AND clause for the security filter to match against each ancestor level for the acl_users_i_s and acl_groups_i_s fields:
    (acl_users_i_s:_lw_confluence_anonymous_ OR acl_users_i_s:queryUser OR acl_group_i_s:group1 OR acl_group_i_s:group2 ... )
For example:
queryUser = ndipiazza
groupsUserIsIn = EngGroup, NorthAmericaGroup
max(ancestorCount_i) = 3
Then the filter would be:
    (acl_users_0_s:lw_confluence_anonymous OR acl_users_0_s:ndipiazza OR acl_group_0_s:EngGroup OR acl_group_0_s:NorthAmericaGroup) AND
    (acl_users_1_s:lw_confluence_anonymous OR acl_users_1_s:ndipiazza OR acl_group_1_s:EngGroup OR acl_group_1_s:NorthAmericaGroup) AND
    (acl_users_2_s:lw_confluence_anonymous OR acl_users_2_s:ndipiazza OR acl_group_2_s:EngGroup OR acl_group_2_s:NorthAmericaGroup)
As you see, because these are AND’d together, if the user does not match EACH level of permissions, the user cannot see the document and the doc will be filtered out.
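
The filter construction described above, as an added example that is not Fusion's own code: it builds the per-level clauses for a queryUser and applies the same rule to a few constructed documents, showing that one non-matching ancestor level hides a document. The function names are hypothetical, the field names and anonymous marker are taken from the example filter above, and the escaping of user and group names is an assumption added so that names containing spaces or punctuation stay single terms.

```python
import re

# Field names and the anonymous marker are copied from the page's example
# filter; the page spells them inconsistently, so adjust to your index.
ANON = "lw_confluence_anonymous"
USER_FIELD = "acl_users_{}_s"
GROUP_FIELD = "acl_group_{}_s"
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|\s])')

def esc(term):
    """Backslash-escape Solr query syntax so a name stays a single term."""
    return _SPECIAL.sub(r"\\\1", term)

def level_clause(i, user, groups):
    """OR together every principal that satisfies ancestor level i."""
    terms = [f"{USER_FIELD.format(i)}:{ANON}", f"{USER_FIELD.format(i)}:{esc(user)}"]
    terms += [f"{GROUP_FIELD.format(i)}:{esc(g)}" for g in groups]
    return "(" + " OR ".join(terms) + ")"

def build_filter(user, groups, max_ancestor_count):
    """AND one clause per level 0..max-1, as in the page's example (max = 3)."""
    return " AND ".join(level_clause(i, user, groups)
                        for i in range(max_ancestor_count))

def visible(doc, user, groups, max_ancestor_count):
    """Apply the same rule to one document: every level must admit the user."""
    for i in range(max_ancestor_count):
        users = set(doc.get(USER_FIELD.format(i), []))
        grps = set(doc.get(GROUP_FIELD.format(i), []))
        if not (users & {ANON, user} or grps & set(groups)):
            return False
    return True

# Constructed sample documents, not real index data.
DOCS = {
    "open-page": {"acl_users_0_s": [ANON], "acl_users_1_s": [ANON],
                  "acl_users_2_s": [ANON]},
    "eng-page": {"acl_users_0_s": [ANON], "acl_group_1_s": ["EngGroup"],
                 "acl_users_2_s": ["ndipiazza"]},
    # The user is listed at level 2, but level 1 admits only HRGroup.
    "hr-child": {"acl_users_0_s": [ANON], "acl_group_1_s": ["HRGroup"],
                 "acl_users_2_s": ["ndipiazza"]},
}

if __name__ == "__main__":
    groups = ["EngGroup", "NorthAmericaGroup"]
    print(build_filter("ndipiazza", groups, 3))
    for name, doc in DOCS.items():
        print(name, visible(doc, "ndipiazza", groups, 3))
```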

Learn more

This topic describes how to configure a Confluence site and authenticate with NT LAN Manager (NTLM) to use the Fusion connector.

Configure Active Directory for Confluence

Add a new directory with the following settings:
  • Name. Directory name.
  • Directory Type. Microsoft Active Directory.
  • Hostname. Hostname of server running Lightweight Directory Access Protocol (LDAP).
  • Port. Port number.
  • Username. LDAP user login.
  • Password. LDAP user password.
  • Base DN. Distinguished Name (DN) of the LDAP object that is the root node from which to search for users and groups.
  • Additional User DN. DN prepended to the base DN to limit user search scope.
  • Additional Group DN. DN prepended to the base DN to limit group search scope.
  • Permissions > Read/Write

Create authenticating account

  1. Access the Server Manager in the Active Directory.
  2. Select Roles > Active Directory Domain Services.
  3. Select Active Directory Users and Computers to expand the node.
  4. Expand the directory and right-click Computers to create the new account.
  5. Select the Member of tab.
  6. Select Domain Computers.
  7. Select the General tab and enter values in each field.
    The Computer name field is required.

Configure delegation for the authenticating account

  1. Access the authenticating account and select the Delegation tab.
  2. Select Trust this computer for delegation to specified services only.
  3. In the Trust field, select Use any authentication protocol.
  4. Select Add.
  5. In the Add Services window, select Users or Computers.
  6. Select the server running the netlogon service from the results list and select OK.
  7. In the Service Type column, select netlogon and select OK.
    The Delegation tab displays the netlogon service available for the account.
  8. Save the following script to the Active Directory server:
    curl -v -L --ntlm -H 'User-Agent: Mozilla/5.0 (compatible; LucidWorks-Anda/4.0)' --negotiate -u 'administrator:FroFro123#' 'http://192.168.1.82:8090/download/attachments/65601/044451.html?version=1&modificationDate=1558624541596&api=v2&download=true'
    
  9. Execute the command with the hostname and password to set:
    SetComputerPassword.vbs Confluence$@WIN-424E42TCKBB FroFro123#
    The following is a sample result:
    ' Copyright (c) 2018, IOPLEX Software
    '
    ' All rights reserved.
    '
    ' Redistribution and use in source and binary forms, with or without
    ' modification, are permitted provided that the following conditions
    ' are met:
    '
    '   * Redistributions of source code must retain the above copyright
    '     notice, this list of conditions and the following disclaimer.
    '
    '   * Redistributions in binary form must reproduce the above copyright
    '     notice, this list of conditions and the following disclaimer in the
    '     documentation and/or other materials provided with the distribution.
    '
    '   * Neither the name of IOPLEX Software nor the names of its
    '     contributors may be used to endorse or promote products derived from
    '     this software without specific prior written permission.
    '
    ' THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
    ' IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    ' THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    ' PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL COPYRIGHT OWNER OR CONTRIBUTORS
    ' BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    ' OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    ' SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    ' INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    ' CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ' ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
    ' THE POSSIBILITY OF SUCH DAMAGE.  
    Option Explicit  
    Dim strPrinc, names, objComputer  
    If WScript.arguments.count <> 2 Then
        WScript.Echo "Usage: SetComputerPassword.vbs <ComputerPrincipalName> <Password>"
        WScript.Quit
    End If  
    strPrinc = WScript.arguments.item(0)
    names = Split(strPrinc,"@")  
    If Ubound(names) <> 1 Or InStrRev(names(0),"$") <> Len(names(0)) Then
        WScript.Echo "Error: The Computer principal name must be in principal form such as with a $ and @ signs (such as jespa1$@busicorp.local)."
        WScript.Quit
    End If  
    Set objComputer = GetObject("WinNT://" & names(1) & "/" & names(0))
    objComputer.GetInfo
    objComputer.SetPassword WScript.arguments.item(1)
    objComputer.SetInfo  
    WScript.Echo "The password was set successfully."
    WScript.Quit
    

Install and configure EasySSO

  1. Access General Configuration > Find New Apps.
  2. Search for NTLM and select the EasySSO Admin app to install it.
  3. In the jespa Licensing section, select the latest jespa.zip file and download the file.
  4. Install the file and buy a license.
  5. Enter values in the following fields to configure the app:
    • Domain. Fully-qualified domain name (FQDN) of your domain.
    • Account. Active directory authentication account.
    • Password. Authentication account password.
  6. Select Save.
  7. Select Test Connection to verify that NTLM authentication with the account logs in to Confluence.

Configuration

When entering configuration values in the UI, use unescaped characters, such as \t for the tab character. When entering configuration values in the API, use escaped characters, such as \\t for the tab character.