Only synchronise users of groups in organisational unit Edited

Dear all,

I have been googling a lot, and thought I was close to an answer, but JIRA keeps giving errors.

I want to connect to AD from JIRA and sync users that are in specific groups that are in an organisational unit. These are my settings

Base DN: dc=connect,dc=local

Add. User dn: {empty}

Add. Group dn: ou=STG-JIRA-SW,ou=GroupSettings

This syncs only groups in the ou, so that's okay. However the users are not in those ou, and I only want to sync users in those groups. I have figured out an LDAP filter, that I have put in the user object filter:

(&(objectCategory=user)(|(memberOf=cn={name},ou=STG-JIRA-SW,ou=GroupSettings,dc=connect,dc=local)(memberOf=cn={name{,ou=ST etc. etc. )))

There are a lot of groups, so this became a long filter query.

The filter works in an LDAP client, but JIRA keeps giving error pages.

What is going wrong and is there a better way to do this?

Thanks in advance.

Kind regards,

Gerben Heinen

1 answer

1 accepted

Accepted Answer
0 votes

Hi Gerben,

Sorry to hear that you are having problems with this, but could you let me know more about the error Jira is throwing when trying to do this?

I suspect that you might be running into this documented bug https://jira.atlassian.com/browse/JRASERVER-36979

There is a current limit on the number of characters that can exist in the user object filter (255).   I can't tell for sure if you're exceeding that since you didn't include the actual filter being used, but this problem is fairly common for environments with complex AD setups.

If you are seeing this Data truncation exception error, then there is a KB that might help here, please see Data truncation due to data too long for column.  That KB includes steps where you can modify the database itself in order to accept larger values for the field that stores that string of characters.

Please note that I would recommend creating a backup of your data before trying this, and that if you do try this, stop Jira first before making these SQL changes.

If this is not the exact problem you are seeing, then I would want to see more information on the specific error message that you see in Jira as well as the logs in Jira when this happens.  You can find the logs for this most likely in the $JIRAHOME/log/atlassian-jira.log file at the time this happens.

Regards,
Andy

Dear Andy,

You're right, I see (String or binary data would be truncated.) in the log file. My user filter is incredibly long (3000+chars), since I have to find all members of every group in the organisational unit.

Is there a better way to find the users of all groups, where the groups are in a specific organisational unit?

Thanks for your help so far.

Kind regards,

Gerben Heinen

ps. I think that increasing the column size in the database to 400, won't solve the problem with my 3000+ ldap filter

I agree that 400 characters won't be enough if you have well over 3000 characters you need to fit into that filter.  I was not clear how long your filter was from your initial post, but the premise of that work-around is the same.  You might be able to expand that field to contain far more than just 255 or 400 characters.  I'm not sure what the upper limit here is.

As for how to best match all these groups:  Well that really depends on the layout of your LDAP structure.  Since you are using Active Directory, that rules out a number of a number of helpful features like extensible matching as mentioned in this KB: How to write LDAP search filters.  

In cases like this I would recommend looking at this KB:  Active Directory User Filter Does Not Search Nested Groups.  It might not perfectly apply to your situation.   However if you change your filter to use that specific AD modifier mentioned in the KB, then this allows you to do a recursive lookup that will match all the user objects that have membership to that group or groups nested inside of that one.   I think you might be able to do this with just a syntax of:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=ou=STG-JIRA-SW,ou=GroupSettings))

... in order to find all the users. 

Please let me know if this helps.

Regards,
Andy

Hello Andy,

AD doesn't support wilcards for the actual group name, so you can not search for all groups in an organisational unit.

I ended up creating a parent group, and added all my groups to that group. When I then search recursively for all members of that parent group, it finally worked.

Thanks for your help in solving this puzzle!

Kind regards,

Gerben Heinen

Awesome, glad to help out.  Thanks for letting us know how this was ultimately resolved.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Apr 22, 2018 in Jira Software

How-to setup a secured Jira Software 7.9.0 on Ubuntu 16.04.4 in less than 30 minutes

...PermissionsStartOnly=true User=www-data Group=www-data ExecStart=/opt/jira/bin/startup.sh ExecStop=/opt/jira/bin/shutdown.sh TimeoutStartSec=120 TimeoutStopSec=600 PrivateTmp=true [Install] WantedBy...

1,747 views 14 13
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you