In Confluence, I need to change the existing four AD User Directories being used for authentication and create just a single new User Directory which points to a different LDAP where all the users exist but have completely different user names. Their first name, last name and email should be the same (with possible upper/lower-case differences). I don't find a REST API call I can make to rename users in Confluence, and can't possibly update all of the users manually.
After disabling the four current ADs and adding the new LDAP User Directory, if I just let the new directory synchronize, will it recognize all the current users and update them accordingly? Change their user name, their associated user directory, etc without having them lose any existing permissions or ownership of any objects?
If not, I would think then that the only way to proceed is to update the user's USER_NAME field in the CWD_USER table directly in the database (and possibly the DIRECTORY_ID?) and let the new User Directory synchronize. Any hazards to doing that? Jira and Bitbucket both have an APP_USER table and if that gets out of sync with the CWD_USER table, things go badly wrong. I am not finding an APP_USER table in Confluence.
I understand you want to change from four LDAP user directories to one and the user names are different in the new directory.
Simply changing the user names in cwd_user will not be effective. There is another table, user_mapping that maps each user name to a user key, that key is used throughout the database to identify that user for content associations like bylines and user profiles. There is an attribute "User Unique ID Attribute" that is synched over from LDAP, since this would be different in the new directory the users would be seen as new users.
Any strategy that entails directly modifying the database is going to introduce a lot of complexity and unreliability.
Whatever strategy you decide to go with, I urge you to set up a test instance of Confluence to try the changes on before updating the Production instance. Here is the doc for setting up the test instance: Restoring a Test Instance from Production
My recommendation for changing to the new LDAP servers may sound a little convoluted but should work. The key to my strategy is that you said the email addresses will be the same. Here is what I suggest (in the test instance first of course):
I look forward to hearing how it goes.
So I believe this will work. I have updated my test instance so the user's "username" is the email, and that seems to have updated everyone. My next issue is on my side - our QA LDAP uses different email addresses (so people don't get tons of junk email from QA environments), so I can't enable that User Directory - it will just create new users. I plan on restricting the valid Confluence users to one specific LDAP group, and that group won't be created in our production LDAP until the end of next week. At that point, I can update the new User Directory in my test instance and enable it and continue with your step 4 onward.
I will let you know how that works!
Hello Community, Jessica here from the Confluence product marketing team! Today I wanted to get your takes on project planning –– what works, what doesn’t, how do you know if you’re doing it r...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs