
Filter group openldap confluence

Hi! Please tell me how to filter users so that only those from one group (for example, wiki) can log in.

Where should I write a filter? In the "User object filter"?

What is the "Group Object filter" for?

This filter doesn't work:

(&(objectClass=posixGroup)(cn=wiki))

2 answers

You can let LDAP import all users if you want, and just give the global "Can Use" permission to the "wiki" group. The others will be listed in the directory, but won't be able to log in.

The group object filter limits what groups are imported to the user directory, not what users.

You can possibly write a user object filter using "memberOf" if you only want to import the users from a particular group.

I don't have the memberOf attribute and do not want to add this attribute to my OpenLDAP server.

Okay, I understand what the group object filter is for; I do not use it. I use only internal groups. I want to use only users from LDAP, not groups.

I have only the "memberUid" attribute in the LDAP group "wiki".

For example, in group "wiki":

memberUid : user1

memberUid : user2

memberUid : user3

And I want to write a filter which allows only users from the LDAP group "wiki" to log in,

something like

(&(objectClass=posixGroup)(cn=wiki)(memberUid=%s))

but it doesn't work :(

As I mentioned, the Group Object filter is used to limit what groups are imported into the user server on your Confluence instance; it doesn't have anything to do with what users are imported.

This is really more an LDAP question, not a Jira question. You need to figure out an LDAP query that returns just the list of users you want to have imported to the user server.

A quick search turned up these articles on how to enable "memberOf" in OpenLDAP:

https://www.adimian.com/blog/2014/10/how-to-enable-memberof-using-openldap/

https://tylersguides.com/guides/openldap-memberof-overlay/

https://www.openldap.org/doc/admin24/overlays.html

As I said though, none of this is technically necessary. Confluence can happily have an entry for every user in your LDAP, and you can still limit who can access Confluence by only granting the "Can Use" permission to your wiki group. You will have to grant that permission to some group anyway, so why not use that one?


When I delete a user from the group "wiki" in LDAP, the user is still able to authenticate in Confluence. Why?

There is a delay; the sync with LDAP only runs periodically. If you want it to take effect immediately, you have to select "Synchronize" for your directory entry on the "User Directories" page.

Who else has the "Can use" global permission?

In Confluence I have internal groups (such as "team", "confluence-users"); these groups have "Can Use".

But my deleted user is only in the group "wiki".

So if you look up the user on the Confluence list users page

https://YOURCONFLUENCESERVER/admin/users/viewuser.action?username=USERNAME

you confirmed that he is not a member of any group that has "Can Use" rights, and he can still log in?

Davin_Studer Community Leader Sep 18, 2019

In our organization this is basically how we do it.

Group Filter

(&(objectCategory=Group)(sAMAccountName=confluence*))

User Filter

(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=Path,OU=TO,OU=Group,DC=company,DC=dom))

The "userAccountControl:1.2.840.113556.1.4.803:=2" part is to only pull in non-disabled users.

Is this Active Directory?

I use OpenLDAP with other filters and syntax.

Davin_Studer Community Leader Sep 19, 2019

Yes, we use AD, but the concept is most likely similar. Your users should have an LDAP attribute in the user object that says what groups they are a member of. So, you only want to pull in users that are a member of your wiki group. You can ignore the "userAccountControl:1.2.840.113556.1.4.803:=2" part. I was just explaining why that is in there. The relevant part would be the "memberOf=CN=confluence-users,OU=Path,OU=TO,OU=Group,DC=company,DC=dom" at the end of the query.

Davin_Studer Community Leader Sep 19, 2019

Ah, I just read above that you don't have memberOf. If you want to do what you are specifically asking you would need to enable memberOf. There is no way to do it without that. That is the only way to only import a subset of users based on a group membership. However, like @Andrew_Laden mentioned you could import all of them and just not give some of them the "can use" permission. The downside of that is that you will have a bunch of people in the people directory that can't actually use the system. That may or may not be an issue for you, but it is something to keep in mind.
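Added example (not code from the thread, from Confluence or from OpenLDAP): a minimal evaluator for the filter syntax used in this thread, run over a constructed dc=example,dc=com directory, to show why the poster's posixGroup/memberUid filter can only ever match the group entry and what a memberOf attribute on the user entries changes for a user object filter. The directory contents, DNs and the with_memberof() stand-in are assumptions made up for the example; demo() returns the three result sets.

```python
import re
BASE = "dc=example,dc=com"                     # constructed suffix
WIKI_DN = f"cn=wiki,ou=groups,{BASE}"
# Constructed directory: posixAccount users plus a posixGroup that, as in the
# question, lists its members only via memberUid (users carry no memberOf).
USERS = [{"dn": f"uid=user{i},ou=people,{BASE}", "objectClass": ["posixAccount"],
          "uid": [f"user{i}"]} for i in range(1, 5)]
GROUPS = [{"dn": WIKI_DN, "objectClass": ["posixGroup"], "cn": ["wiki"],
           "memberUid": ["user1", "user2", "user3"]}]
# Tokens: "(&", "(|", "(!", "(attr=value)" and ")" (the RFC 4515 subset used here).
_TOKEN = re.compile(r"\(([&|!])|\(([^()=]+)=([^()]*)\)|\)")

def parse_filter(text):
    """Parse a filter into nested lists: ['&', ('=', attr, value), ...]."""
    root, stack = [], []
    for op, attr, value in _TOKEN.findall(text):
        target = stack[-1] if stack else root
        if op:                                 # open a compound node
            node = [op]; target.append(node); stack.append(node)
        elif attr:                             # equality, or presence when value is '*'
            target.append(("=", attr.strip(), value))
        else:                                  # ')' closes the innermost compound
            stack.pop()
    return root[0]

def matches(entry, node):
    """Evaluate a parsed filter against one entry (caseIgnore comparison)."""
    if node[0] == "=":
        vals = [v.lower() for v in entry.get(node[1], [])]
        return bool(vals) if node[2] == "*" else node[2].lower() in vals
    op, *kids = node
    if op == "!":
        return not matches(entry, kids[0])
    return (all if op == "&" else any)(matches(entry, k) for k in kids)

def search(entries, filter_text):
    node = parse_filter(filter_text)
    return sorted(e["dn"] for e in entries if matches(e, node))

def with_memberof(users, groups):
    """Toy memberOf from memberUid; real slapo-memberof needs DN-valued member attrs."""
    return [{**u, "memberOf": [g["dn"] for g in groups if u["uid"][0] in g["memberUid"]]}
            for u in users]

def demo():
    # The poster's filter hits only the group entry: as a *user* filter it imports nobody.
    group_hits = search(USERS + GROUPS, "(&(objectClass=posixGroup)(cn=wiki))")
    # With memberOf on user entries a user filter selects wiki members; '!' shows the rest.
    overlay = with_memberof(USERS, GROUPS)
    wiki_users = search(overlay, f"(&(objectClass=posixAccount)(memberOf={WIKI_DN}))")
    others = search(overlay, f"(&(objectClass=posixAccount)(!(memberOf={WIKI_DN})))")
    return group_hits, wiki_users, others
```

Note that the real OpenLDAP memberOf overlay maintains memberOf from DN-valued member attributes (for example groupOfNames/member), not from posixGroup/memberUid, so a memberUid-only schema like the poster's needs its groups to also carry DN-valued membership before the overlay can help.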
