Can I force the AD domain name for imported LDAP users?

Andy Cippico November 20, 2014

I need to change everyone's UserPrincipalName (UPN) in our AD domain. The only thing that is changing is the domain name, e.g.:

Current UPN: andy.chips@domain.local
New UPN: andy.chips@domain.com

If I change the UPN in AD it will wipe out all the existing users with the @domain.local suffix on the next User Directory sync. How do I prevent that and get the User Directory sync to pull in the new UPN whilst keeping the users' existing groups, etc?

I toyed around with changing the User Schema settings in User Directories and tried things like sAMAccountName"domain.com" to force the new domain, but that doesn't work, and to be honest, I'm only guessing at the syntax (assuming there's a valid one).

Alternatively, I assume I'd have to get involved in some hideous SQL queries, and I have no idea where to start with that one.

Advice please.

Andy.

2 answers

1 vote
Deividi Luvison
Rising Star
November 28, 2014

Hey Andy,

My first advice to you is to have your Confluence on version 5.3 (or latest) since we added a table called user_mapping which contains a hash to represent the user name. If you are already on that version range, here are the two tables you would need to work with:

  • cwd_user
  • user_mapping

The second piece of advice is to set up a test instance so you can do the following:

  1. Create an internal user in your test instance.
  2. Do a select * from cwd_user where username = <yourUserName>
  3. Do the same thing on the user_mapping table.
  4. Save those records in a notepad.
  5. Now change that user name.
  6. Reap the queries.
  7. Check for all fields that changed.
  8. Now shut down your staging environment.
  9. Create a script to replace all the domain entries on those tables accordingly.
  10. Start your staging environment.
  11. Profit.

Once Confluence starts, it will check for any changes; since the application will see that the user name matches, it will not erase or create new entries.

Again, this is a non-supported procedure by Atlassian, so make sure to try it on a staging environment and then do a round of testing on your main pages and with all the macros your company uses most.

If the tests go fine, then back up your database and application directories of production and then give it a try.

Hope it helps,

Tks David
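
Steps 2 to 7 of the answer above (snapshot the rows, rename, repeat the queries, list what changed), as an added example that is not part of the original answer and not Atlassian's code. It runs against a constructed in-memory SQLite stand-in; the column names are assumptions (the answer's own query writes `username`), so check them against your real schema before reusing the helpers.

```python
import sqlite3

# Constructed stand-in for the two tables named in the answer.
# Column names are assumptions for this demo, not taken from the thread.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT, lower_user_name TEXT,
                       email_address TEXT, directory_id INTEGER);
CREATE TABLE user_mapping (user_key TEXT PRIMARY KEY, username TEXT, lower_username TEXT);
"""
# table -> column holding the login name (fixed constants, never user input)
TABLES = {"cwd_user": "user_name", "user_mapping": "username"}


def snapshot(conn, username):
    """Steps 2-4: capture every column of the user's row in each table."""
    snap = {}
    for table, col in TABLES.items():
        cur = conn.execute(f"SELECT * FROM {table} WHERE {col} = ?", (username,))
        row = cur.fetchone()
        if row is None:
            raise LookupError(f"{username!r} not found in {table}")
        snap[table] = dict(zip([d[0] for d in cur.description], row))
    return snap


def changed_fields(before, after):
    """Step 7: per table, the columns whose value differs, as (old, new)."""
    return {
        table: {c: (before[table][c], after[table][c])
                for c in before[table] if before[table][c] != after[table][c]}
        for table in before
    }


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    old, new = "andy.chips@domain.local", "andy.chips@domain.com"
    conn.execute("INSERT INTO cwd_user VALUES (1, ?, ?, 'andy@example.com', 10)", (old, old))
    conn.execute("INSERT INTO user_mapping VALUES ('constructed-user-key', ?, ?)", (old, old))
    before = snapshot(conn, old)
    # Step 5 stand-in: on a real test instance the application performs the rename.
    conn.execute("UPDATE cwd_user SET user_name = ?, lower_user_name = ? WHERE id = 1", (new, new))
    conn.execute("UPDATE user_mapping SET username = ?, lower_username = ?", (new, new))
    after = snapshot(conn, new)  # step 6: repeat the queries
    return changed_fields(before, after)


if __name__ == "__main__":
    for table, cols in demo().items():
        print(table, cols)
```

On a real staging copy, point `snapshot` at that database instead of the in-memory one; any column in the output that you did not expect is one the bulk replacement script in step 9 has to handle.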

0 votes
Andy Cippico November 30, 2014

David,

Thanks for that very helpful advice. It's just a shame that your official support team couldn't give me the same suggestions.

Can I just clarify points 6 and 11 - are those typos?

Many thanks,

Andy.

Deividi Luvison
Rising Star
December 1, 2014

You're welcome. Regarding my steps, yup, typos:

6 - Repeat the queries.
11 - Profit! (just a little joke) - http://knowyourmeme.com/memes/profit

Another detail is regarding personal spaces: after you do the above queries to update those tables, you need to check the entries under content that have "~username". Once you update cwd_user/user_mapping, your user should be able to log in with the new domain; however, the personal space might have the different name. Also, being honest with you, the profile info might get outdated. I will see if I get some time to test a little more on my end tomorrow and update you in here.

Lastly, we avoid giving that kind of advice over the tickets to avoid setting false expectations :). It might take some time, but I will see if I can check the above ;).
