What are the possibilities of user-specific data loss if I modify the existing external user directory (Microsoft AD) configuration?
I want to modify the configuration of the existing user directory coz the LDAP administrator is going to move the DL (distribution list) from one OU to another OU at some different location. So, I would just be updating the user / group filters so that confluence picks up the correct DL.
Could someone suggest the areas of concerns?
Abbreviations,
There should not be an issue. So long as your membership doesn't change you should be fine. Even if your membership changed you wouldn't really lose any data. You may see pages where the creator or updater is set to something like Unknown User (jsmith), but the pages won't disappear. And if the user got added back in then it would just link right back up.
Thank you for the reply, David!!!
So could you please explain the "your membership doesn't change" thing more? Unfortunately, I am not very familiar with AD terminologies.
Also, I decided to Disable the Microsoft Active directory under User Directories from confluence administration for the time when AD administrator moves the security group to another OU.
My only intention behind is to stop sync between confluence and AD when configured "security group" moves to another OU and then Enable it again so that confluence can sync the groups and users again w/o any impact. Is my understanding correct?
I am being too cautious coz we recently did this with HipChat and ran into issues (everyone lost their room membership and ownership). We need to know if Confluence will have any similar issues.
Here is a very high-level plan of what I will do,
1. Update the staging confluence server to use ConfTestGroup (IT provided security group for testing sake. This is exactly same as the existing security group in all the terms like location, user, etc.)
2. Do some testing to confirm there aren’t any issues.
3. Stop confluence from syncing security groups from AD
4. Have IT move ConfTestGroup to the new OU
5. Update staging confluence settings to use the new OU
6. Start confluence syncing so that it syncs security groups from new OU
7. Run test cases to confirm nothing broke (Let me know if you can suggest some important cases to be checked)
Thanks, David!!!
Could you please explain "membership does not change" thing a little more?
My very high-level plan to implement the whole change is,
1. Update the staging confluence server to use ConfTestGroup (IT provided security group for testing sake. This is exactly same as the existing security group in all the terms like location, user, etc.)
2. Do some testing to confirm there aren’t any issues.
3. Stop confluence from syncing security groups from AD
4. Have IT move ConfTestGroup to the new OU
5. Update staging confluence to use the new OU
6. Start confluence syncing so that it syncs security groups from new OU
7. Run test cases to confirm nothing broke (Let me know if you can suggest some important cases to be checked)
Please let me know how you think it's gonna be.
By membership I am referring to the members of the Active Directory groups. If you change the location of the groups, but do not change the group names or the people in the groups, you should not have any issues ... assuming you set up your Active Directory user directory to point to the new location of the groups.
As for disabling the Active Directory user directory, I don't think that is what you really want to do? That will lock out everyone from your Confluence system that was added via Active Directory.
@Davin Studer Thanks for your reply!!!
Yes, the group names and people in the groups will remain the same, so that's good news.
Once the AD admin moves the OU to the new location, then I would just update the Microsoft Active Directory (Read Only, with Local Groups) settings under General Administration > User Directories to sync from the new OU.
The exact modification I would make is User Object Filter,
(&(objectcategory=person)(objectclass=user)(memberOf:x.x.x.1xx.x.x.8xx0:=CN=Confluence Users,OU=Groups,OU=new OU name,dc=ABC,dc=com))
Are you suggesting we can update the User Object Filter without disabling the AD user directory?
My concern is, what will happen when Confluence tries to sync from the old OU location, which would be invalid after the OU movement? Don't you think this situation will also lock out everyone from your Confluence system? Please correct me if I am wrong.
By default the directory will sync every hour. So if you get the LDAP config within an hour of the OU being moved everything should be fine. It would be best to just coordinate the move and config update so that they are done at the same time.
Also, you will have to update the filter as the Confluence local admin account. You cannot update a user directory if you are logged in as one of the users that that directory provides. And yes, you do not need to disable the directory.
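A pre-flight check for the change discussed in this thread, as an added example that is not from any of the posters or from Atlassian: it compares LDIF exports of the matched users taken before and after the OU move and reports which accounts the next sync would drop or add for a given User Object Filter. The user names, OU names and sample exports are constructed, and only direct `memberOf` values are compared (a matching-rule OID in the filter is accepted but nested membership is not evaluated).

```python
import re

def norm_dn(dn):
    # Case-insensitive comparison key; escaped commas inside RDNs are not handled.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Map sAMAccountName -> set of normalized memberOf DNs."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    users = {}
    for entry in re.split(r"\n\s*\n", text.strip()):
        name, groups = None, set()
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "samaccountname":
                name = value.strip().lower()
            elif key.lower() == "memberof":
                groups.add(norm_dn(value))
        if name:
            users[name] = groups
    return users

def matched_users(snapshot, user_filter):
    """Users whose direct memberOf contains the group DN named in the filter."""
    m = re.search(r"\(memberOf(?::[\w.]+:)?=([^)]+)\)", user_filter, re.I)
    if not m:
        raise ValueError("filter has no memberOf clause")
    return {u for u, groups in snapshot.items() if norm_dn(m.group(1)) in groups}

def sync_impact(before, after, old_filter, new_filter):
    """Accounts the next sync would drop or add, given pre/post-move exports."""
    was = matched_users(parse_ldif(before), old_filter)
    now = matched_users(parse_ldif(after), new_filter)
    return {"lost": sorted(was - now), "added": sorted(now - was)}

# Constructed sample data (hypothetical users and OU names, not from the thread).
GROUP = "CN=Confluence Users,OU=Groups,OU={ou},DC=ABC,DC=com"
FILTER = "(&(objectCategory=person)(objectClass=user)(memberOf=" + GROUP + "))"
ENTRY = "dn: CN={u},OU=Staff,DC=ABC,DC=com\nsAMAccountName: {u}\nmemberOf: " + GROUP + "\n"
BEFORE = "\n".join(ENTRY.format(u=u, ou="OldOU") for u in ("jsmith", "alee"))
AFTER = "\n".join(ENTRY.format(u=u, ou="NewOU") for u in ("jsmith", "alee"))

if __name__ == "__main__":
    # Filter updated together with the move: nobody is dropped.
    print(sync_impact(BEFORE, AFTER, FILTER.format(ou="OldOU"), FILTER.format(ou="NewOU")))
    # Filter left pointing at the old group DN: every user falls out of the sync.
    print(sync_impact(BEFORE, AFTER, FILTER.format(ou="OldOU"), FILTER.format(ou="OldOU")))
```

An empty `lost` list with the new filter is the "membership doesn't change" condition described above; a non-empty one names the accounts that would show up as Unknown User until they are matched again.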