
What is the possibility of user specific data loss if I modify the external user directory configs?

Akul Bhatnagar December 27, 2017

What are the possibilities of user-specific data loss if I modify the existing external user directory (Microsoft AD) configuration?

I want to modify the configuration of the existing user directory because the LDAP administrator is going to move the DL (distribution list) from one OU to another OU at some different location. So, I would just be updating the user / group filters so that Confluence picks up the correct DL.

Could someone suggest the areas of concerns?

 

Abbreviations,

  • OU is Organizational Unit
  • DL is Distribution List
  • AD is Active Directory 

 

 

1 answer

0 votes
Davin Studer
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 27, 2017

There should not be an issue. So long as your membership doesn't change you should be fine. Even if your membership changed you wouldn't really lose any data. You may see pages where the creator or updater is set to something like Unknown User (jsmith), but the pages won't disappear. And if the user got added back in then it would just link right back up.

Akul Bhatnagar January 3, 2018

Thank you for the reply, David!!!

So could you please explain the "your membership doesn't change" thing more? Unfortunately, I am not very familiar with AD terminologies.

Also, I decided to disable the Microsoft Active Directory under User Directories from Confluence administration for the time when the AD administrator moves the security group to another OU.

My only intention behind this is to stop the sync between Confluence and AD when the configured "security group" moves to another OU, and then enable it again so that Confluence can sync the groups and users again w/o any impact. Is my understanding correct?

I am being too cautious because we recently did this with HipChat and ran into issues (everyone lost their room membership and ownership). We need to know if Confluence will have any similar issues.

Here is a very high-level plan of what I will do,

1. Update the staging Confluence server to use ConfTestGroup (IT provided security group for testing sake. This is exactly the same as the existing security group in all the terms like location, user, etc.)
2. Do some testing to confirm there aren’t any issues.
3. Stop Confluence from syncing security groups from AD
4. Have IT move ConfTestGroup to the new OU
5. Update staging Confluence settings to use the new OU
6. Start Confluence syncing so that it syncs security groups from the new OU
7. Run test cases to confirm nothing broke (Let me know if you can suggest some important cases to be checked)

Akul Bhatnagar January 4, 2018

Thanks, David!!!

Could you please explain the "membership does not change" thing a little more?

My very high-level plan to implement the whole change is,
1. Update the staging Confluence server to use ConfTestGroup (IT provided security group for testing sake. This is exactly the same as the existing security group in all the terms like location, user, etc.)
2. Do some testing to confirm there aren’t any issues.
3. Stop Confluence from syncing security groups from AD
4. Have IT move ConfTestGroup to the new OU
5. Update staging Confluence to use the new OU
6. Start Confluence syncing so that it syncs security groups from the new OU
7. Run test cases to confirm nothing broke (Let me know if you can suggest some important cases to be checked)

 

Please let me know how you think it's gonna be.

Davin Studer
Rising Star
January 4, 2018

By membership I am referring to the members of the Active Directory groups. If you change the location of the groups, but do not change the group names or the people in the groups you should not have any issues ... assuming you set up your Active Directory user directory to point to the new location of the groups.

As for disabling the Active Directory user directory I don't think that is what you really want to do? That will lock out everyone from your Confluence system that was added via Active Directory.

Akul Bhatnagar January 4, 2018

@Davin Studer Thanks for your reply!!!

Yes, the group names and people in the groups will remain the same, so that's good news.

Once the AD admin moves the OU to the new location, then I would just update the Microsoft Active Directory (Read Only, with Local Groups) settings under General Administration > User Directories to sync from the new OU.

The exact modification I would make is User Object Filter,

(&(objectcategory=person)(objectclass=user)(memberOf:x.x.x.1xx.x.x.8xx0:=CN=Confluence Users,OU=Groups,OU=new OU name,dc=ABC,dc=com))

Are you suggesting we can update the User Object Filter without disabling the AD user directory?

My concern is, what will happen when Confluence tries to sync from the old OU location, which would be invalid after the OU movement? Don't you think this situation will also lock out everyone from your Confluence system? Please correct me if I am wrong.

Davin Studer
Rising Star
January 5, 2018

By default the directory will sync every hour. So if you get the LDAP config within an hour of the OU being moved everything should be fine. It would be best to just coordinate the move and config update so that they are done at the same time.

Davin Studer
Rising Star
January 5, 2018

Also, you will have to update the filter as the Confluence local admin account. You cannot update a user directory if you are logged in as one of the users that that directory provides. And yes, you do not need to disable the directory.

Akul Bhatnagar January 7, 2018

Thanks, @Davin Studer
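
A pre-flight check for the change discussed in this thread, as an added example that is not part of the original posts and is not Atlassian code: it swaps only the group DN inside the memberOf clause of a User Object Filter, leaving the matching rule between the colons exactly as written, and compares user snapshots taken before and after the OU move to confirm the membership did not change. The function names, the "old OU name" value and the sample logins are assumptions made for illustration.

```python
import re

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_MEMBER_OF = re.compile(r"\(memberOf(:[^:=()]+:)?=([^()]*)\)", re.IGNORECASE)

# Constructed sample: the filter from the thread, with a placeholder old OU.
SAMPLE_FILTER = ("(&(objectcategory=person)(objectclass=user)"
                 "(memberOf:x.x.x.1xx.x.x.8xx0:=CN=Confluence Users,"
                 "OU=Groups,OU=old OU name,dc=ABC,dc=com))")


def escape_filter_value(value):
    """Escape a DN (or any string) for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def retarget_member_of(user_filter, new_group_dn):
    """Return user_filter with its single memberOf DN replaced by new_group_dn."""
    matches = _MEMBER_OF.findall(user_filter)
    if len(matches) != 1:
        raise ValueError(f"expected one memberOf clause, found {len(matches)}")
    rule = matches[0][0]  # e.g. ":<matching rule OID>:" or "" when absent
    clause = f"(memberOf{rule}={escape_filter_value(new_group_dn)})"
    # A callable replacement keeps backslashes in the clause literal.
    updated = _MEMBER_OF.sub(lambda _m: clause, user_filter)
    depth = 0
    for ch in updated:  # an unbalanced filter would be rejected by the directory
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            raise ValueError("unbalanced parentheses in filter")
    if depth != 0:
        raise ValueError("unbalanced parentheses in filter")
    return updated


def membership_drift(before, after):
    """Compare login-name snapshots, ignoring case as AD does for logon names."""
    old = {name.lower() for name in before}
    new = {name.lower() for name in after}
    # "missing" users would lose access after the next sync.
    return {"missing": sorted(old - new), "unexpected": sorted(new - old)}


if __name__ == "__main__":
    dn = "CN=Confluence Users,OU=Groups,OU=new OU name,dc=ABC,dc=com"
    print(retarget_member_of(SAMPLE_FILTER, dn))
    print(membership_drift(["jsmith", "ABrown"], ["JSmith"]))
```

Any non-empty "missing" list is the set of accounts to resolve with the AD administrator before the next directory sync picks up the new filter.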
