Merging Confluence 5.5 User Accounts in two different LDAP

I have an issue where we have been (forever) in the IT department migrating from one AD to another with different usernames inside them (one has human names, the other has... barcode numbers for lack of a better description). Both have been active for some time as some services are available to one AD and some to another with an end game, ostensibly, of migrating all services to the new AD with IDs rather than human login names.

My Confluence instance has been around since long before the new one came about so, of course, I have a mix now of new and old users from both ADs. What I need to do is change the login name from the old to the new while maintaining groups, content and attachment ownership, etc. This is further complicated by the fact that both of each person's credentials have been valid and active and, without thinking, some have logged in as the new user, done stuff, then logged out, subsequently logging in as the old user. I myself had a small stub of this as, when testing the user directory function, I logged in with my new ID, found that it was good, logged out and continued working as my old identity.

Keying from the information found in https://answers.atlassian.com/questions/304189/how-to-merge-confluence-accounts (where it seemed to move from local auth to LDAP) I took a shot at converting myself. It seems to have worked but I would like to make sure there isn't anything else I need to do or have set myself up for a Bad Day sometime in the future.

Base assumption for the following: the updates are to migrate content, etc. to the current regular use identity. If migration is toward new ID, job done. If toward old ID (to preserve rights, privileges, etc.) altered old ID to be new ID.

The steps I took were:

  1. Found my login IDs from both LDAP by selecting them from username in user_mapping table
  2. Updated creator and lastmodifier columns in attachment table associated with new ID with user_key hash of the regular working ID
  3. Updated creator, last modifier, and username in content table associated with new ID with user_key hash of the regular working ID
  4. Deleted the row in user_mapping containing the NEW login ID (but with user_key migrated away from)
  5. Updated the row in user_mapping containing the OLD login ID to have the NEW login ID associated with the user_key hash of the old login ID. Ends up with NO row in user_mapping for the OLD login ID even though it is still extant in AD

At this point.... it broke. I couldn't log in as EITHER user. When I logged in as local admin and queried my name, it found both accounts in the AD but said "no user with the specified email address exists"

Dang.

I started trying to unravel the schema but could NOT find anywhere else in the DB that definitively tied the login ID (which I found in numerous places) with anything else. The only direct correlation I could find are the items I changed above. I got sidetracked for a bit but just arbitrarily tried logging in with NEW login ID. It worked. All content, permissions, etc. associated now with the new login ID.

I suspect when there was the LDAP sync from AD, it repopulated my new login ID and all is well. My old one still shows with the query but remains "not found" by Confluence. This is not a surprise as there is no row with that login name in the user_mapping table.

End result is ok. All seems to work and the old address doesn't work at ALL (which I'll want when I start rolling one by one to users). Questions remaining for me are:

  • Should the following be cleaned out?
    • The old, no longer used login ID remains in cwd_user
    • The child_user_id associated with the old login ID remains in cwd_membership with groups (from old AD and environment) associated with it
  • Do I have a Bad Day coming by doing this?
  • Is it possible to get a CURRENT schema of the 5.5 database? The one in "current documentation" seems to be 3.x
  • While I am definitively logged in with new login ID, when I update content, the recent activity shows the OLD "display name" as taken from LDAP and definitely not the new one. Is this kept somewhere that I can't find?

Update:

Today, I had to bounce Confluence (has not been restarted at all since well before posting this question until today). The last problem with the OLD "display name" showing and pointing to a now non-existent personal space solved itself with the restart. I suspect that the restart fixed what may be dynamic pointers or executed some triggers that I couldn't find during long and painful trolling in the DB.

From this, it LOOKS like my manual approach to conversion worked but my questions are still outstanding.
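The five steps above, run as one transaction against a constructed SQLite stand-in for the tables the post names, followed by a check of what still references the retired identity. This is an added example, not part of the original post: the table layouts, logins, keys and group IDs are simplified sample data, and `merge`, `leftovers` and `demo` are hypothetical helpers.

```python
import sqlite3

# Constructed, simplified stand-in for the tables the post names; the real
# Confluence 5.5 schema has more columns. All rows below are sample data.
SCHEMA = """
CREATE TABLE user_mapping (user_key TEXT PRIMARY KEY, username TEXT UNIQUE);
CREATE TABLE content (id INTEGER, creator TEXT, lastmodifier TEXT, username TEXT);
CREATE TABLE attachment (id INTEGER, creator TEXT, lastmodifier TEXT);
CREATE TABLE cwd_user (id INTEGER, user_name TEXT);
CREATE TABLE cwd_membership (parent_id INTEGER, child_user_id INTEGER);
INSERT INTO user_mapping VALUES ('key-old', 'jsmith'), ('key-new', 'u104233');
INSERT INTO content VALUES (1, 'key-old', 'key-old', NULL), (2, 'key-new', 'key-new', 'key-new');
INSERT INTO attachment VALUES (1, 'key-new', 'key-new');
INSERT INTO cwd_user VALUES (1, 'jsmith'), (2, 'u104233');
INSERT INTO cwd_membership VALUES (10, 1), (11, 1), (10, 2);
"""
OWNER_COLUMNS = {"content": ("creator", "lastmodifier", "username"),
                 "attachment": ("creator", "lastmodifier")}

def merge(db, working_login, other_login, final_login):
    """Steps 1-5 as one transaction: repoint ownership to the working ID's
    user_key, drop the other mapping row, then rename the surviving row."""
    keys = dict(db.execute("SELECT username, user_key FROM user_mapping "
                           "WHERE username IN (?, ?)", (working_login, other_login)))
    keep, retire = keys[working_login], keys[other_login]  # KeyError if one is missing
    with db:  # commits on success, rolls back if any statement fails
        for table, cols in OWNER_COLUMNS.items():
            for col in cols:
                db.execute(f"UPDATE {table} SET {col} = ? WHERE {col} = ?", (keep, retire))
        db.execute("DELETE FROM user_mapping WHERE user_key = ?", (retire,))
        db.execute("UPDATE user_mapping SET username = ? WHERE user_key = ?", (final_login, keep))
    return keep, retire

def leftovers(db, retired_key, old_login):
    """Report rows still tied to the retired key or the old directory login."""
    found = {t: db.execute(f"SELECT COUNT(*) FROM {t} WHERE ? IN ({', '.join(cols)})",
                           (retired_key,)).fetchone()[0]
             for t, cols in OWNER_COLUMNS.items()}
    found["cwd_membership"] = [g for (g,) in db.execute(
        "SELECT m.parent_id FROM cwd_membership m JOIN cwd_user u "
        "ON u.id = m.child_user_id WHERE u.user_name = ? ORDER BY 1", (old_login,))]
    return found

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    _, retired = merge(db, "jsmith", "u104233", "u104233")
    return db.execute("SELECT * FROM user_mapping").fetchall(), leftovers(db, retired, "jsmith")
```

In this sample the merge leaves a single `user_mapping` row and no content or attachment rows on the retired key, while the old login still holds two group memberships in `cwd_membership`, which is the leftover state the post asks about.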

2 answers

Sorry cannot help you solve all issues. But you mentioned barcode numbers for lack of a better description?

Do you mean bar code text?

I was wondering whether there are any differences between the barcode scanner I am testing these days and the one calo mentioned above. Any suggestion will be appreciated. Thanks in advance.
