Group Membership not found across AD directories

Winfried Mühl January 9, 2019

Dear all,

In Confluence 6.11 we are evaluating the restrictions on using one user account from one Active Directory (AD-1) which is a member of a group in another Active Directory (AD-2).
Our test scenario in detail:

- in AD-1 (domain1): user XY is an account name
- in AD-2 (domain2): user XY from AD-1 is referenced as a member in a universal group TEST_GROUP
  - ! ATTENTION PLEASE: !
    - MEMBERSHIP is a REFERENCE to user XY in AD-1 (via distinguishedName CN=XY,OU=dep,OU=org,DC=domain1,...)
    - in AD-2 NO USER with NAME XY exists !

The directory list order is: first AD-1, second AD-2.

A query for user XY in >Confluence administration >Users results in
- User XY is found as account in AD-1 (domain1)
- BUT: the group membership of XY(@AD-1; domain2) in TEST_GROUP of AD-2 is not found

Also: when looking up the members of TEST_GROUP (AD-2 / domain2) in >Confluence administration >Groups the referenced external AD account XY (@AD-1) is not found.

If a user account with NAME XY (not only reference) is present in AD-2 then his group memberships are found (even if this user is disabled). But this redundancy of account names (same name in two directories) is not what we want!

My conclusion: Confluence will only find group memberships if the user account name exists in the Active Directory that hosts the group(s). An LDAP reference to an external account is insufficient!?

All hints for a solution or workaround are gratefully appreciated! ;-)

Best
Winfried


1 answer

Stephen Sifers
Atlassian Team
January 11, 2019

Hello Winfried,

Within Confluence you are able to utilize multiple user directories. However, there are some items you need to be aware of when doing so:

Avoid duplicate usernames across directories. If you are connecting to more than one user directory, we recommend that you ensure the usernames are unique to one directory. For example, we do not recommend that you have a user jsmith in both 'Directory1' and 'Directory2'. The reason is the potential for confusion, especially if you swap the order of the directories. Changing the directory order can change the user that a given username refers to.

Source Document: Managing Multiple Directories

This seems to be the cause of the issue you're reporting. The user has the same username in both directories, causing items from AD-2 not to show but items from AD-1 to display. This is also most likely due to the ordering of the directories in Confluence.

In short, if the username is the same within both directories, then the highest-ordered directory will take precedence over the others.

I hope this helps clarify the issue you’re having with multiple user directories.

Regards,
Stephen Sifers

Winfried Mühl January 12, 2019

Hello Stephen,

thanks for your quick support answer to my request!

I was already familiar with the hint you gave. Obviously my request did not clearly point out the essence of my issue! So I have restated it in the hope that it is clearer now.

I would appreciate it if you took a second look at it :-)
Thanks a lot
Winfried

Stephen Sifers
Atlassian Team
January 14, 2019

Hello again Winfried,

Since you're using 2 directories, your primary directory will be the master source. Your second directory will not be an amendment to the first. If users are named or referenced, they will be treated the same (with the primary directory taking precedence.)

Ideally, you have two options to accomplish this:

  1. Connect to the primary domain controller for the forest (which includes both AD sites)
  2. Use Atlassian Crowd as an aggregate for user/group management: Atlassian Crowd

I hope this proves helpful in configuring multiple directories for user management within Confluence.

Regards,
Stephen Sifers
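To make the failure mode concrete, here is an added example (not from the thread, and not Confluence's or Atlassian's code) that simulates how group-member resolution behaves per directory versus forest-wide. The directory contents, DNs and names are constructed to mirror the scenario in the question; `foreign_references` is the kind of check you can run over exported group data to spot member references that a per-directory lookup will never resolve.

```python
"""Simulation of group-member resolution across two AD directories.

Added example for this thread (not Confluence's or Atlassian's code).  The
directory contents are constructed to mirror the scenario in the question:
AD-2 holds a universal group whose `member` attribute references a user DN
that only exists in AD-1.
"""
from dataclasses import dataclass, field


def dn_domain(dn: str) -> str:
    """DNS-style domain from a DN's DC= components (escaped commas ignored).

    'CN=XY,OU=dep,OU=org,DC=domain1,DC=example' -> 'domain1.example'
    """
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()


@dataclass
class Directory:
    """One configured user directory: a base DN plus the objects under it."""
    name: str
    base_dn: str
    users: dict = field(default_factory=dict)   # user DN -> username
    groups: dict = field(default_factory=dict)  # group DN -> [member DNs]

    def members_of(self, group_dn: str) -> list:
        """Per-directory resolution: a member DN yields a username only if a
        user object with that DN exists in this same directory."""
        return [self.users[m] for m in self.groups.get(group_dn, [])
                if m in self.users]

    def foreign_references(self, group_dn: str) -> list:
        """Member DNs whose DC= components lie outside this directory's base
        DN: exactly the references a per-directory lookup cannot resolve."""
        home = dn_domain(self.base_dn)
        return [m for m in self.groups.get(group_dn, [])
                if dn_domain(m) != home]


def forest_members_of(directories, group_dn: str) -> list:
    """Forest-wide resolution: member DNs are looked up across all domains,
    as a Global Catalog query would do."""
    user_index = {}
    for d in directories:
        user_index.update(d.users)
    members = []
    for d in directories:
        for m in d.groups.get(group_dn, []):
            if m in user_index:
                members.append(user_index[m])
    return members


def resolve_username(directories, username: str):
    """Directory-order precedence: the first directory (in configured order)
    that holds the username wins."""
    for d in directories:
        for dn, name in d.users.items():
            if name == username:
                return d.name, dn
    return None


# Constructed sample data mirroring the post's scenario (hypothetical DNs).
XY_DN = "CN=XY,OU=dep,OU=org,DC=domain1,DC=example"
GROUP_DN = "CN=TEST_GROUP,OU=groups,DC=domain2,DC=example"
AD1 = Directory("AD-1", "DC=domain1,DC=example", users={XY_DN: "XY"})
AD2 = Directory("AD-2", "DC=domain2,DC=example", groups={GROUP_DN: [XY_DN]})
ORDERED = [AD1, AD2]  # directory list order: first AD-1, second AD-2

if __name__ == "__main__":
    print("AD-2 alone resolves members:", AD2.members_of(GROUP_DN))
    print("references AD-2 cannot resolve:", AD2.foreign_references(GROUP_DN))
    print("forest-wide lookup resolves:", forest_members_of(ORDERED, GROUP_DN))
    print("username XY resolves to:", resolve_username(ORDERED, "XY"))
```

The forest-wide path corresponds to option 1 above: query the forest's Global Catalog (LDAP port 3268, or 3269 over TLS) instead of a single domain's port 389/636. Membership of universal groups such as TEST_GROUP is replicated to the Global Catalog, which is why that path can resolve a member DN that lives in another domain, whereas each per-domain directory only knows its own user objects.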

Winfried Mühl January 15, 2019

Thanks a lot for your revision of my issue, Stephen!

I think your answer will help us further on.
We will try to solve our problem according to your suggested first solution: send queries BOTH for USERS AND GROUPS to the forest instead of to distinct directories.

Again thanks a lot!

Best regards,

Winfried Mühl
