
Delegated Crowd directory without LDAP Group


1- I'm new to Crowd. We have lots of groups in the LDAP directory that are used as OS security groups, and I don't want to use them in Atlassian applications. I created an LDAP connector that brings every user and group from Microsoft LDAP, and I created a Delegated Directory in order to import users from LDAP to  I need to have a Delegated LDAP Directory in Crowd without those groups. Is it possible to change the configuration of the Crowd directory to achieve this?
2- If I have new users in the LDAP directory, how can I sync them with the Delegated directory?


Thanks for your answers.

1 answer

1 accepted

1 vote
Answer accepted

Hi Ansar,

If your main concern is not to import the AD groups in Crowd, you actually have two options.

1st option: Create a (single) LDAP connector directory and edit the group object filter in the configuration tab so as to fetch only Atlassian applications groups

2nd option: Create a (single) Delegated authentication directory and then manage your Atlassian applications groups locally in this Crowd directory. You do not need manual synchronisation for new AD users. As detailed in the documentation:

If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory


Hi Bruno
Thanks for your comment.

I'm not familiar with Crowd and Active Directory, and I do this job according to my role in the organization as JIRA Administrator. Which value should I provide in the group object filter in order?


For your 2nd option I followed that instruction, but it brings in all of the groups in Active Directory.
Please provide more detailed answers; as I said, I'm new to Crowd.

Thank you very much

Hi Ansar,

1st option: you have to enter an LDAP filter as detailed on this page:

For instance, if you enter the following value, you will only get the AD groups whose name starts with jira:



2nd option: That's because you created an LDAP connector directory in addition to the Delegated Authentication directory. You just need one single directory (the Delegated Authentication one). If you do not want anything related to AD groups in this directory, please also disable Synchronise group memberships in the connector tab.

Hi Bruno
Thanks for your help

I tried the first option and it worked for me.

But I didn't understand the 2nd option. I have a Microsoft Active Directory in our organization. If I define a delegated connector, how can I import Active Directory users without defining an LDAP Connector in Crowd?

Hi Ansar,

That's what I was explaining in my first post. You do not need to import users manually as they will be automatically added by Crowd upon successful authentication:

If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory


I did that, but I didn't see any users in the Delegated directory even though its connector is set up correctly. If I don't see the users, I can't manage groups and permissions in JIRA and Confluence.
I repeat that I'm so sorry if I'm not clear on your comment; as I said, I haven't used Crowd before. If you can, please explain more about groups and users when using a delegated directory. Anyway, I accept your answer, and thanks for your help.

So I now understand. I authenticate my user in an application connector (see screenshot) and after that I see my user in the new Delegated LDAP directory.

The last ambiguity is this sentence, "If a user logs in successfully via LDAP authentication": where should the user authenticate in order to show up in the Delegated directory list? I tried my user with Windows logon authentication but I didn't see my user in Crowd after that, but the "Authentication Test" in the application part of Crowd works for me according to the attached screenshot.


Hi Ansar,

That's right, you have to authenticate on your application, for instance Jira.

You might also want to be aware of a bug that has not been fixed yet by Atlassian in JIRA and Confluence at the time of writing. For newly created users, you will actually need to log in as an administrator in JIRA and Confluence and manually synchronise the local user database with the Crowd server. As far as I know, you should not face the same issue in other Atlassian products.


I set Read Only with local groups but I still get groups imported.

I have hacked this by breaking the group search e.g. Group Object Filter = (objectCategory=xXxGroup)

Horrible, I know.

What I would ideally like to do is to stop the LDAP search using LDAP groups lookups completely.

I have turned off the user membership attributes for our Microsoft Active Directory and it does not appear to be performing all the group checks now.
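
To illustrate the first option from the accepted answer (narrowing the Group Object Filter), the following added example, which is not part of the original thread or of Crowd, builds a name-prefix filter with RFC 4515 escaping and previews which groups it would keep. The `(objectCategory=Group)` base clause, the `cn=jira*` clause and the sample entries are assumptions rather than the value omitted from the reply above, and the evaluator only handles an AND of equality and prefix clauses.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
# One simple clause: (attr=value), value free of unescaped parentheses.
_CLAUSE = re.compile(r"\((\w+)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")

def escape_value(value):
    """Escape a literal so it cannot widen or break the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def group_prefix_filter(prefix, base="(objectCategory=Group)"):
    """Group Object Filter keeping only groups whose cn starts with prefix."""
    if not prefix:
        raise ValueError("an empty prefix would match every group")
    return f"(&{base}(cn={escape_value(prefix)}*))"

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def preview(filter_str, entries):
    """Return the cn of entries matching every clause (AND only, simplified)."""
    kept = []
    for entry in entries:
        for attr, raw in _CLAUSE.findall(filter_str):
            have = entry.get(attr, "").lower()
            if raw.endswith("*"):   # trailing wildcard: prefix match
                ok = have.startswith(_unescape(raw[:-1]).lower())
            else:                   # plain equality
                ok = have == _unescape(raw).lower()
            if not ok:
                break
        else:
            kept.append(entry["cn"])
    return kept

# Constructed sample entries (objectCategory simplified to a short name).
SAMPLE = [
    {"cn": "jira-users", "objectCategory": "group"},
    {"cn": "JIRA-Administrators", "objectCategory": "group"},
    {"cn": "confluence-users", "objectCategory": "group"},
    {"cn": "Domain Admins", "objectCategory": "group"},
    {"cn": "jira.service", "objectCategory": "person"},
]

if __name__ == "__main__":
    f = group_prefix_filter("jira")
    print(f, "->", preview(f, SAMPLE))
    print(preview("(objectCategory=xXxGroup)", SAMPLE))  # filter from the last comment
```

Confirm the resulting filter against the real directory with an LDAP search tool before saving it in the connector configuration, since a filter that is too narrow silently drops groups that applications rely on for permissions.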


