Confluence AD sync keeping users in group that are no longer members

Tobias Eisenhardt January 22, 2018

Hello,

our Confluence instance is connected to our AD, authorizing all users of the group "wiki", which inherits its users from the group "IT-Admins". Before, the "wiki" group inherited its users from the group "IT1". Although multiple resyncs have been done, according to Confluence the group "wiki" still contains all users from "IT1".

"wiki" only inherits users from "IT-Admins", which itself contains no other groups, only 7 Users. "IT1" contains 11 Users, spread to multiple groups and thus exceeding our license.

1 answer

1 accepted

0 votes
Answer accepted
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 22, 2018

Hi Tobias,

I understand you are using an LDAP (AD) directory for user management for your Confluence server instance. The wiki group in AD (group used to manage permission to use Confluence) now contains only the IT-Admins group but formerly contained the IT1 group. The IT1 group members are still appearing as members of the wiki group in Confluence. You manually synchronized the AD User Directory in Confluence but the IT1 group members still appear as members of wiki in Confluence.

My first suggestion is:

  1. Make sure incremental synchronisation is disabled in the LDAP user directory in Confluence. The checkbox is under the Advanced Settings, which are collapsed by default. Connecting to an LDAP Directory describes all the settings and what they are for.
  2. Synchronize again after disabling incremental sync.
  3. Check the group memberships again.

Secondly, I recommend eliminating the possibility that the wiki group members that are not in IT1 are maybe in a different user directory in Confluence and appearing as members of wiki because of aggregating group memberships. Please see Permissions on Managing Multiple Directories.

I look forward to hearing whether the group memberships update as expected after disabling incremental synchronization, and to any other results of your investigation.

Thanks,

Ann
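One way to do step 3 of the check above without relying on Confluence's own view is to resolve the nested membership of the wiki group straight from the directory data and diff it against what Confluence lists. The script below is an added example written for this page, not Atlassian code; the directory entries, DNs and user names are constructed to mirror the situation in the question (wiki nesting IT-Admins, IT1 no longer nested), and in real use the entries would come from an LDAP search and the Confluence side from the user management screen or REST API. It also flags members that do not sit beneath a configured user base DN, which is the kind of mismatch between additional user/group DNs and where objects actually live that is worth ruling out.

```python
"""Added example: resolve nested AD group membership and diff it against
what Confluence reports. Illustration only, not Atlassian code."""
from collections import deque

# Constructed base DNs and group DNs (hypothetical, not from the thread).
USERS_OU = "OU=Users,DC=example,DC=com"
GROUPS_OU = "OU=Groups,DC=example,DC=com"
WIKI_DN = f"CN=wiki,{GROUPS_OU}"
IT_ADMINS_DN = f"CN=IT-Admins,{GROUPS_OU}"
IT1_DN = f"CN=IT1,{GROUPS_OU}"

# Constructed sample: 7 admins (one living outside the Users OU) and 11 IT1 users.
ADMIN_DNS = [f"CN=admin{i},{USERS_OU}" for i in range(1, 7)] + [
    "CN=admin7,OU=ServiceAccounts,DC=example,DC=com"
]
IT1_DNS = [f"CN=it1user{i},{USERS_OU}" for i in range(1, 12)]

# Minimal LDAP-like view: DN -> attributes. wiki nests only IT-Admins now.
SAMPLE_DIRECTORY = {
    WIKI_DN: {"objectClass": "group", "member": [IT_ADMINS_DN]},
    IT_ADMINS_DN: {"objectClass": "group", "member": ADMIN_DNS},
    IT1_DN: {"objectClass": "group", "member": IT1_DNS},
}
for dn in ADMIN_DNS + IT1_DNS:
    SAMPLE_DIRECTORY[dn] = {"objectClass": "user", "member": []}

# Constructed stand-in for a stale Confluence cache: it still shows both sets.
CONFLUENCE_REPORTED_WIKI_MEMBERS = set(ADMIN_DNS) | set(IT1_DNS)


def effective_members(directory, group_dn, max_depth=20):
    """Resolve nested group membership breadth-first, returning user DNs only.

    Visited groups are tracked so circular nesting cannot loop forever, and
    dangling member references (a DN missing from the directory) are skipped.
    """
    users, seen = set(), set()
    queue = deque([(group_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        if dn in seen or depth > max_depth:
            continue
        seen.add(dn)
        for member in directory.get(dn, {}).get("member", []):
            entry = directory.get(member)
            if entry is None:
                continue
            if entry["objectClass"] == "group":
                queue.append((member, depth + 1))
            else:
                users.add(member)
    return users


def compare_with_confluence(directory, group_dn, reported_members):
    """Return (stale, missing): DNs Confluence shows but AD does not, and vice versa."""
    expected = effective_members(directory, group_dn)
    return reported_members - expected, expected - reported_members


def outside_base_dns(dns, base_dns):
    """DNs that are not beneath any configured base DN (case-insensitive suffix match)."""
    suffixes = ["," + base.lower() for base in base_dns]
    return {dn for dn in dns if not any(dn.lower().endswith(s) for s in suffixes)}


if __name__ == "__main__":
    expected = effective_members(SAMPLE_DIRECTORY, WIKI_DN)
    stale, missing = compare_with_confluence(
        SAMPLE_DIRECTORY, WIKI_DN, CONFLUENCE_REPORTED_WIKI_MEMBERS
    )
    print(f"AD resolves {len(expected)} users; Confluence shows "
          f"{len(CONFLUENCE_REPORTED_WIKI_MEMBERS)} (licence seats consumed)")
    print(f"stale in Confluence ({len(stale)}): {sorted(stale)}")
    print(f"missing from Confluence ({len(missing)}): {sorted(missing)}")
    print("members not under the user DN", USERS_OU, ":",
          sorted(outside_base_dns(expected, [USERS_OU])))
```

Run it as-is to see the 11 stale IT1 users, or swap the constructed dictionaries for the results of a real LDAP search against the same base DN Confluence is configured with; a non-empty "missing" set or a member outside the configured user DN points at the directory settings rather than at a sync problem.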

Tobias Eisenhardt January 23, 2018

Hi Ann,

thanks for your reply.

I checked the points you mentioned above without any change.

But I found that removing the extra domain filters for users and groups fixed the issue although I have no idea how. All users and groups in the setup were beneath the set subdomains.

AnnWorley
Atlassian Team
January 23, 2018

Hi Tobias,

That is great news to hear the group memberships synchronized properly at last. I can only speculate that synchronizing from the base DN without the additional group and user DNs forced the cache to refresh.

If your base DN is set to the top of the Active Directory, and you don't have the additional group and user DNs, you could run into: Some users are unable to login due to Active Directory 'follow referrals' configuration. Please consider connecting to the AD global catalog server if you are not already: How do I search from Active Directory's global catalog?

Cheers,

Ann
