What is the possibility of user specific data loss if I modify the external user directory configs?

What are the possibilities of user-specific data loss if I modify the existing external user directory (Microsoft AD) configuration?

I want to modify the configuration of the existing user directory because the LDAP administrator is going to move the DL (distribution list) from one OU to another OU at some different location. So, I would just be updating the user / group filters so that Confluence picks up the correct DL.

Could someone suggest the areas of concern?

 

Abbreviations,

  • OU is Organizational Unit
  • DL is Distribution List
  • AD is Active Directory 

 

 

1 answer

0 vote
Davin Studer Community Champion Dec 27, 2017

There should not be an issue. So long as your membership doesn't change you should be fine. Even if your membership changed you wouldn't really lose any data. You may see pages where the creator or updater is set to something like Unknown User (jsmith), but the pages won't disappear. And if the user got added back in then it would just link right back up.

Thank you for the reply, David!!!

So could you please explain the "your membership doesn't change" thing more? Unfortunately, I am not very familiar with AD terminologies.

Also, I decided to disable the Microsoft Active Directory under User Directories from Confluence administration for the time when the AD administrator moves the security group to another OU.

My only intention behind this is to stop sync between Confluence and AD when the configured "security group" moves to another OU and then enable it again so that Confluence can sync the groups and users again without any impact. Is my understanding correct?

I am being too cautious because we recently did this with HipChat and ran into issues (everyone lost their room membership and ownership). We need to know if Confluence will have any similar issues.

Here is a very high-level plan of what I will do,

1. Update the staging Confluence server to use ConfTestGroup (IT provided security group for testing sake. This is exactly the same as the existing security group in all the terms like location, user, etc.)
2. Do some testing to confirm there aren’t any issues.
3. Stop Confluence from syncing security groups from AD
4. Have IT move ConfTestGroup to the new OU
5. Update staging Confluence settings to use the new OU
6. Start Confluence syncing so that it syncs security groups from the new OU
7. Run test cases to confirm nothing broke (Let me know if you can suggest some important cases to be checked)

Thanks, David!!!

Could you please explain "membership does not change" thing a little more?

My very high-level plan to implement the whole change is,
1. Update the staging Confluence server to use ConfTestGroup (IT provided security group for testing sake. This is exactly the same as the existing security group in all the terms like location, user, etc.)
2. Do some testing to confirm there aren’t any issues.
3. Stop Confluence from syncing security groups from AD
4. Have IT move ConfTestGroup to the new OU
5. Update staging Confluence to use the new OU
6. Start Confluence syncing so that it syncs security groups from the new OU
7. Run test cases to confirm nothing broke (Let me know if you can suggest some important cases to be checked)

 

Please let me know how you think it's gonna be.

Davin Studer Community Champion Jan 04, 2018

By membership I am referring to the members of the Active Directory groups. If you change the location of the groups, but do not change the group names or the people in the groups you should not have any issues ... assuming you set up your Active Directory user directory to point to the new location of the groups.

As for disabling the Active Directory user directory I don't think that is what you really want to do? That will lock out everyone from your Confluence system that was added via Active Directory.

@Davin Studer Thanks for your reply!!!

Yes, the group names and people in the groups will remain the same, so that's good news.

Once the AD admin moves the OU to the new location, then I would just update the Microsoft Active Directory (Read Only, with Local Groups) settings under General Administration > User Directories to sync from the new OU.

The exact modification I would make is User Object Filter,

(&(objectcategory=person)(objectclass=user)(memberOf:x.x.x.1xx.x.x.8xx0:=CN=Confluence Users,OU=Groups,OU=new OU name,dc=ABC,dc=com))

Are you suggesting we can update the User Object Filter without disabling the AD user directory?

My concern is, what will happen when Confluence tries to sync from the old OU location, which would be invalid after the OU movement? Don't you think this situation will also lock out everyone from your Confluence system? Please correct me if I am wrong.

Davin Studer Community Champion Jan 05, 2018

By default the directory will sync every hour. So if you get the LDAP config within an hour of the OU being moved everything should be fine. It would be best to just coordinate the move and config update so that they are done at the same time.

Davin Studer Community Champion Jan 05, 2018

Also, you will have to update the filter as the Confluence local admin account. You cannot update a user directory if you are logged in as one of the users that that directory provides. And yes, you do not need to disable the directory.
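
A pre-change check for the conditions discussed in this thread (group name unchanged, members unchanged, filter pointing at the group's new DN), as an added example that is not part of the original posts or of Confluence itself. The function names, the old OU name and the member lists are constructed; the member lists are assumed to be exports of the group taken before and after the move.

```python
import re

# Constructed sample values. The matching-rule OID is masked on the page and is kept masked.
OLD_FILTER = ("(&(objectcategory=person)(objectclass=user)(memberOf:x.x.x.1xx.x.x.8xx0:="
              "CN=Confluence Users,OU=Groups,OU=old OU name,dc=ABC,dc=com))")
NEW_FILTER = ("(&(objectcategory=person)(objectclass=user)(memberOf:x.x.x.1xx.x.x.8xx0:="
              "CN=Confluence Users,OU=Groups,OU=new OU name,dc=ABC,dc=com))")
NEW_GROUP_DN = "cn=Confluence Users,ou=Groups,ou=new OU name,DC=ABC,DC=com"


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def member_of_dn(user_filter):
    """Return the group DN named in the filter's memberOf clause, or None."""
    # Accepts memberOf=<dn> and the extensible-match form memberOf:<rule>:=<dn>.
    m = re.search(r"\(memberOf(?::[^:=()]+:)?=((?:\\.|[^()\\])+)\)", user_filter, re.I)
    return m.group(1) if m else None


def check_move(old_filter, new_filter, new_group_dn, old_members, new_members):
    """Return a list of findings; an empty list means name and members are preserved."""
    old_dn, new_dn = member_of_dn(old_filter), member_of_dn(new_filter)
    if old_dn is None or new_dn is None:
        return ["filter has no memberOf clause"]
    norm = lambda dn: [rdn.lower() for rdn in split_dn(dn)]
    findings = []
    if norm(old_dn)[0] != norm(new_dn)[0]:
        findings.append("group name (first RDN) changed")
    if norm(new_dn) != norm(new_group_dn):
        findings.append("new filter does not point at the group's new DN")
    lost = {u.lower() for u in old_members} - {u.lower() for u in new_members}
    if lost:
        findings.append("users dropped from sync: " + ", ".join(sorted(lost)))
    return findings


if __name__ == "__main__":
    before = ["jsmith", "adoe"]   # constructed export taken before the move
    after = ["adoe", "JSmith"]    # constructed export taken after the move
    print(check_move(OLD_FILTER, NEW_FILTER, NEW_GROUP_DN, before, after) or "OK")
```

Any user reported as dropped is one whose pages would show up as "Unknown User (...)" until the account is synced again.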
