Our company is using Confluence 6.4.1. Only the Internal directory is enabled. We are planning to enable AD integration. As far as I know, the internal directory can work in parallel with AD. Therefore, a user can be created in the internal directory OR log in with an AD account. Am I correct?
Our existing practice when creating a Confluence account is to always follow the user's AD login name (e.g. my AD login is "Domain\mark", so my Confluence login will be "mark"). What will happen if we enable AD integration and allow "domain\mark" to sign in to Confluence? When I log in, which account will Confluence recognize?
Finally, is there any way we can tell Confluence that two logins refer to the same account? (e.g. Domain\mark = mark)
When adding Active Directory to Confluence, you may want to consider the following:
In summary, whichever directory you want to use for login, you will want to make sure that it's in the first place. You can read the above article for some other considerations.
Group permissions will be aggregated, so if the username is the same then the groups listed in both Internal and AD will be combined for that user.
I think this should answer your questions. Once you have reviewed the above article, can you let us know if you have any additional questions?
You are correct: you can use both directories in parallel, so you can create users or log in with both.
You can read Connecting to an LDAP Directory for more details and specifications on exactly how the integration happens, and which attributes are used and how.
For your final question, as long as you follow your existing practice of maintaining the same user ID, local and external directory accounts should merge. The only time they would not merge would be if the user IDs are different, as described in the Merging user accounts in Confluence - Local and External Directories KB, but even then, there is a workaround.
Hope this clarifies your questions, let us know if you have any further queries.
Hi Igor, thanks for your reply.
It seems we need to review all of the Internal directory's usernames before adding AD, because some usernames (e.g. tester) have a matching name in AD but belong to different users or purposes. Confluence will treat them as the same person, and the only condition is "same username".
Also, does Atlassian have a document or guideline on how to remove all non-admin users from the Internal directory? Our ultimate goal is to switch Confluence to 100% AD controlled. I think we only need to check the permission setup for each Internal user. Is there anything else we need to consider?
Sorry, I just have another question in mind: how about the user count (for the license) if we are using both AD and ID? The same user will not be double counted?
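The username review described in the post above, as an added example that is not part of the original thread or Atlassian's tooling: it compares an export of Internal directory users with an export of AD accounts and separates names that would merge onto the same person from names that collide with a different AD identity. The CSV column names, the sample rows, the case-insensitive match and the use of e-mail as the "same person" signal are all assumptions.

```python
import csv
import io

# Constructed sample exports (not real data).
INTERNAL_CSV = """username,email,display_name
mark,mark@example.com,Mark Lee
tester,qa-team@example.com,QA Test Account
Alice,alice@example.com,Alice Wong
admin,admin@example.com,Local Admin
"""

AD_CSV = """sAMAccountName,mail,displayName
mark,Mark@example.com,Mark Lee
tester,tom.ester@example.com,Tom Ester
alice,alice@example.com,Alice Wong
bob,bob@example.com,Bob Ray
"""


def load(text, key):
    """Index rows by lower-cased username (assumed case-insensitive match)."""
    reader = csv.DictReader(io.StringIO(text))
    return {row[key].strip().lower(): row for row in reader}


def classify(internal_csv, ad_csv):
    """Sort internal usernames into merge-safe, needs-review and internal-only."""
    internal = load(internal_csv, "username")
    ad = load(ad_csv, "sAMAccountName")
    report = {"same_person": [], "review": [], "internal_only": []}
    for name in sorted(internal):
        match = ad.get(name)
        if match is None:
            # No AD account with this name: stays a purely local account.
            report["internal_only"].append(name)
        elif internal[name]["email"].strip().lower() == match["mail"].strip().lower():
            # Same username and same mailbox: merging is the intended outcome.
            report["same_person"].append(name)
        else:
            # Same username, different identity: the AD user would inherit
            # the local account's groups and page restrictions.
            report["review"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in classify(INTERNAL_CSV, AD_CSV).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Names in the `review` bucket are the ones to rename or remove in the Internal directory before the AD directory is added.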
If the users are in fact merged after AD is added, they should not count towards the license individually. If they are, try clearing the cache from General Configuration >> Cache management >> Flush All.
See License count is incorrect or disabled users are counted towards the license KB for more information.
In some situations, they might count individually towards the license if they did not merge properly.
License count is based only on Global Permission membership. So a user will count towards license if:
To have proper testing and control over which of your AD users are counted towards the license or have access to Confluence, after adding AD you can modify global permissions to only allow a certain group or groups to have global permissions, and remove any other groups. This way, only members of the group or groups in question will be counted towards the license.
This should also prevent users that did not merge properly for whatever reason, from counting towards your license. For example:
Hope this explained a bit how merging could work.
The approach sounds great. Just to clarify step 4 [You modify Global Permissions, remove confluence-users from the access list, thus removing Can Use permission, at the same time, you grant AD group ad-users-confluence global Can Use permission.]
In our existing Confluence, some pages have restrictions set up that are not easy to identify unless you check page by page.
So, after removing confluence-users, will the 9 users still keep the same permissions, including on restricted pages? Will they still exist in the Confluence groups they previously joined?
Sorry for the late reply, it slipped past my eyes.
Yes, all groups will remain the same, and confluence-users can always be added back and given Can Use permissions. Local accounts and their properties will not go away. There is a DB query way to identify which users have access to which spaces, if that helps: How to list which spaces a user can access.