Nested groups from OpenLDAP are not being resolved

fuxx February 7, 2019

Dear Community,

I am currently setting up a new Confluence server (6.13.2) with OpenLDAP 2.4 as the user directory for a self-hosted Confluence, to evaluate together with JIRA whether we can adopt it for ~100 users in the future.


On my OpenLDAP I use inetOrgPerson and groupOfUniqueNames to maintain our users and groups. I have OpenLDAP connected to Confluence and synchronisation works so far, except for members of nested groups, which are essential for us.


My scenario is as follows. I have multiple groups, let's call them

- confluence
- confluence-admin
- employee
- administrator


Now I have multiple users for instance

- employee1
- employee2
- external_user
- admin


My groups have users AND nested groups as follows

confluence       (group)
-----------
confluence-admin (group)
employee (group)
external_user (user)


confluence-admin (group)
------------
administrator (group)


employee (group)
------------
employee1 (user)
employee2 (user)


administrator (group)
-------------
admin (user)

---------------


My problem is that only the external user appears in my user directory after synchronisation. All groups are visible too but it seems that the users from the nested groups within the confluence group are not resolved.


The current configuration of my OpenLDAP settings (the relevant ones, I think):


Server Settings
-----
Directory Type: OpenLDAP
Port: 636 [x]Use SSL


LDAP Schema
-----
Base DN: dc=x,dc=com
Additional User DN: ou=People
Additional Group DN: ou=group


LDAP Permissions
-----
Read Only


Advanced Settings
-----
[x] Secure SSL
[x] Enable Nested Groups
[x] Naive DN Matching


User Schema Settings
-----
User Object Class: inetorgperson
User Object Filter: (&(objectClass=inetOrgPerson)(memberOf=cn=confluence,ou=group,dc=x,dc=com))
User Name Attribute: uid


Group Schema Settings
-----
Group Object Class: groupOfUniqueNames
Group Object Filter: (objectClass=groupOfUniqueNames)
Group Name Attribute: cn
Group Description Attribute: description


Membership Schema Settings
-----
Group Members Attribute: uniqueMember
User Membership Attribute: memberOf
[ ] Use the User Membership Attribute

----

Update:

I have now added the same LDAP settings to JIRA and I see the same effect. It does not look up groups within groups with nested groups enabled. Either I don't understand the limitations correctly, or I have wrong parameters, or OpenLDAP nested group support is broken. I will open a support ticket in parallel from our business account.

-----

Maybe someone can point me to my failure :)

Thanks in advance,

Stefan M.-P.
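
The following is an added example, not part of the original post and not Atlassian or OpenLDAP code. It models the two membership checks the configuration above combines: the transitive walk over uniqueMember that "Enable Nested Groups" performs, and the User Object Filter `(&(objectClass=inetOrgPerson)(memberOf=cn=confluence,ou=group,dc=x,dc=com))`. The LDIF snapshot is constructed to mirror the tree described in the post (base DN dc=x,dc=com, ou=People, ou=group, the four groups and four users); the memberOf values reflect direct uniqueMember links only, which is what OpenLDAP's memberof overlay maintains (it does not expand nested groups). The parser is a deliberately minimal one for this snapshot, not a general LDIF implementation.

```python
"""Resolve nested groupOfUniqueNames membership from a constructed LDIF snapshot
and compare it with a direct memberOf filter (added example, not from the thread)."""
from __future__ import annotations

# Constructed sample directory. DN suffix and OU names are taken from the post;
# memberOf holds direct membership only, as OpenLDAP's memberof overlay writes it.
SAMPLE_LDIF = """\
dn: uid=employee1,ou=People,dc=x,dc=com
objectClass: inetOrgPerson
uid: employee1
memberOf: cn=employee,ou=group,dc=x,dc=com

dn: uid=employee2,ou=People,dc=x,dc=com
objectClass: inetOrgPerson
uid: employee2
memberOf: cn=employee,ou=group,dc=x,dc=com

dn: uid=external_user,ou=People,dc=x,dc=com
objectClass: inetOrgPerson
uid: external_user
memberOf: cn=confluence,ou=group,dc=x,dc=com

dn: uid=admin,ou=People,dc=x,dc=com
objectClass: inetOrgPerson
uid: admin
memberOf: cn=administrator,ou=group,dc=x,dc=com

dn: cn=confluence,ou=group,dc=x,dc=com
objectClass: groupOfUniqueNames
cn: confluence
uniqueMember: cn=confluence-admin,ou=group,dc=x,dc=com
uniqueMember: cn=employee,ou=group,dc=x,dc=com
uniqueMember: uid=external_user,ou=People,dc=x,dc=com

dn: cn=confluence-admin,ou=group,dc=x,dc=com
objectClass: groupOfUniqueNames
cn: confluence-admin
uniqueMember: cn=administrator,ou=group,dc=x,dc=com

dn: cn=employee,ou=group,dc=x,dc=com
objectClass: groupOfUniqueNames
cn: employee
uniqueMember: uid=employee1,ou=People,dc=x,dc=com
uniqueMember: uid=employee2,ou=People,dc=x,dc=com

dn: cn=administrator,ou=group,dc=x,dc=com
objectClass: groupOfUniqueNames
cn: administrator
uniqueMember: uid=admin,ou=People,dc=x,dc=com
"""


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines.
    Entries are keyed by lower-cased DN so comparisons are case-insensitive."""
    entries: dict[str, dict[str, list[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries


def direct_filter_users(entries: dict, group_dn: str) -> set[str]:
    """Users accepted by the post's User Object Filter:
    (&(objectClass=inetOrgPerson)(memberOf=<group_dn>)). Direct membership only."""
    group_dn = group_dn.lower()
    return {
        e["uid"][0]
        for e in entries.values()
        if "inetorgperson" in {v.lower() for v in e.get("objectclass", [])}
        and group_dn in {v.lower() for v in e.get("memberof", [])}
    }


def nested_users(entries: dict, group_dn: str, _seen: set | None = None) -> set[str]:
    """Transitive membership via uniqueMember: recurse into member groups, collect
    member users. Visited groups are tracked so a group cycle terminates."""
    seen = _seen if _seen is not None else set()
    group_dn = group_dn.lower()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users: set[str] = set()
    for member_dn in entries.get(group_dn, {}).get("uniquemember", []):
        member = entries.get(member_dn.lower())
        if member is None:
            continue  # dangling DN reference: nothing to resolve
        classes = {v.lower() for v in member.get("objectclass", [])}
        if "groupofuniquenames" in classes:
            users |= nested_users(entries, member_dn, seen)
        elif "inetorgperson" in classes:
            users.add(member["uid"][0])
    return users


def sync_result(entries: dict, group_dn: str) -> set[str]:
    """Users that pass both checks: reachable through nested groups AND
    accepted by the direct memberOf user filter."""
    return nested_users(entries, group_dn) & direct_filter_users(entries, group_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    confluence = "cn=confluence,ou=group,dc=x,dc=com"
    print("nested members :", sorted(nested_users(directory, confluence)))
    print("memberOf filter:", sorted(direct_filter_users(directory, confluence)))
    print("both           :", sorted(sync_result(directory, confluence)))
```

Run stand-alone it shows that the uniqueMember walk reaches all four users of the tree (admin, employee1, employee2, external_user), while the memberOf filter keeps only external_user, the one user that is a direct member of cn=confluence. The same comparison against a live server is a pair of searches, for instance `ldapsearch -x -H ldaps://<host> -b ou=People,dc=x,dc=com '(memberOf=cn=confluence,ou=group,dc=x,dc=com)' uid` versus `ldapsearch -x -H ldaps://<host> -b ou=group,dc=x,dc=com '(objectClass=groupOfUniqueNames)' uniqueMember`; the host is a placeholder to substitute.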

1 answer

0 votes
Jonathan Smith
February 7, 2019

Hi @fuxx,

  I had a partial group sync during our LDAP setup. The environment was doing an incremental sync which didn't pull over all nested groups.

How I fixed:

  1. Log in as service / admin account (internal directory)
  2. System settings / User directories
  3. Edit Active Directory Server
  4. Un-check incremental sync
  5. Choose Update group membership when logging in = Every time the user logs in
  6. Save and sync

Reminder, test this in DEV before trying in PROD.

Hope this resolves your issue!

- Jonathan

fuxx February 7, 2019

Hey @Jonathan Smith,

thanks for the quick and detailed response!

That option is unfortunately for Microsoft Active Directory only and is not present for OpenLDAP in Confluence.

Thank you very much for your hint!

- Stefan
