Hi! Please tell me how to filter users so that only users from one group (for example, wiki) can log in.
Where should I write the filter? In the "User object filter"?
What is the "Group Object filter" for?
This filter doesn't work.
You can let LDAP import all users if you want, and just give the global "Can Use" permission to the "wiki" group. The others will be listed in the directory, but won't be able to log in.
The group object filter limits what groups are imported to the user directory, not what users.
You can write a user object filter using "memberof" possibly if you only want to import the users from a particular group.
I don't have the memberOf attribute and do not want to add this attribute to my OpenLDAP server.
Okay, I understand what the group object filter is for - I do not use it. I use only internal groups. I want to use only users from LDAP, not groups.
I have only the "memberUid" attribute in the LDAP group "wiki"
in group "wiki":
memberUid : user1
memberUid : user2
memberUid : user3
and I want to write a filter that lets only users from the LDAP group "wiki" log in
but it doesn't work :(
As I mentioned, the Group Object filter is used to limit what groups are imported into the user server on your Confluence instance; it doesn't have anything to do with what users are imported.
This is really more an LDAP question, not a Jira question. You need to figure out an LDAP query that returns just the list of users you want to have imported to the user server.
A quick search turned up these articles on how to enable "memberOf" in OpenLDAP.
As I said though, none of this is technically necessary. Confluence can happily have an entry for every user in your ldap, and you can still limit who can access confluence by only granting the "Can Use" permission to your wiki group. You will have to grant that permission to some group anyway, why not use that one.
So if you look up the user in the confluence list users page
You confirmed that he is not a member of any group that has "Can Use" rights, and he still can log in?
In our organization this is basically how we do it.
The "userAccountControl:1.2.840.113556.1.4.803:=2" part is to only pull in non-disabled users.
Yes, we use AD, but the concept is most likely similar. Your users should have an LDAP attribute in the user object that says what groups they are a member of. So, you only want to pull in users that are a member of your wiki group. You can ignore the "userAccountControl:1.2.840.113556.1.4.803:=2" part. I was just explaining why that is in there. The relevant part would be the "memberOf=CN=confluence-users,OU=Path,OU=TO,OU=Group,DC=company,DC=dom" at the end of the query.
Ah, I just read above that you don't have memberOf. If you want to do what you are specifically asking, you would need to enable memberOf. There is no way to do it without that. That is the only way to only import a subset of users based on a group membership. However, like @Andrew_Laden mentioned, you could import all of them and just not give some of them the "Can Use" permission. The downside of that is that you will have a bunch of people in the people directory that can't actually use the system. That may or may not be an issue for you, but it is something to keep in mind.
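Added example, not part of any post in this thread: for a directory that only has memberUid on the group entry, this sketch turns the group's memberUid values into a static, RFC 4515-escaped OR filter that could be pasted into the "User object filter" field. The user object class (inetOrgPerson), the login attribute (uid) and the sample entry are assumptions, and the filter is a snapshot that has to be regenerated whenever the group's membership changes.

```python
import base64
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample: the "wiki" group as described in the thread, LDIF style.
SAMPLE_GROUP = """\
cn: wiki
objectClass: posixGroup
memberUid : user1
memberUid : user2
memberUid : user3
"""

def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_uids(group_entry):
    """Return the memberUid values of an LDIF-style entry, de-duplicated, in order."""
    uids = []
    for line in group_entry.splitlines():
        m = re.match(r"\s*memberUid\s*(::?)\s*(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # LDIF marks base64-encoded values with "::"
            value = base64.b64decode(value).decode("utf-8")
        if value not in uids:
            uids.append(value)
    return uids

def user_filter_for_group(group_entry, user_class="inetOrgPerson", uid_attr="uid"):
    """Build a user filter matching only the listed members.

    user_class and uid_attr are assumptions; use the values of your schema.
    """
    uids = member_uids(group_entry)
    if not uids:
        # An empty group must match nobody, never everybody.
        return "(!(objectClass=*))"
    clauses = "".join(f"({uid_attr}={escape_filter_value(u)})" for u in uids)
    return f"(&(objectClass={user_class})(|{clauses}))"

if __name__ == "__main__":
    print(user_filter_for_group(SAMPLE_GROUP))
```

Users removed from the group stay in the filter until it is rebuilt, so restricting the "Can Use" permission to the wiki group remains the control that actually decides who can log in.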