
Only synchronise users of groups in organisational unit

Gerben Heinen Nov 15, 2017

Dear all,

I have been googling a lot, and thought I was close to an answer, but JIRA keeps giving errors.

I want to connect to AD from JIRA and sync users that are in specific groups that are in an organisational unit. These are my settings

Base DN: dc=connect,dc=local

Add. User dn: {empty}

Add. Group dn: ou=STG-JIRA-SW,ou=GroupSettings

This syncs only groups in the ou, so that's okay. However the users are not in those ou, and I only want to sync users in those groups. I have figured out an LDAP filter, that I have put in the user object filter:

(&(objectCategory=user)(|(memberOf=cn={name},ou=STG-JIRA-SW,ou=GroupSettings,dc=connect,dc=local)(memberOf=cn={name},ou=ST etc. etc. )))

There are a lot of groups, so this became a long filter query.

The filter works in an LDAP client, but JIRA keeps giving error pages.

What is going wrong and is there a better way to do this?

Thanks in advance.

Kind regards,

Gerben Heinen

Answer accepted
Andrew Heinzer Atlassian Team Nov 15, 2017

Hi Gerben,

Sorry to hear that you are having problems with this, but could you let me know more about the error Jira is throwing when trying to do this?

I suspect that you might be running into this documented bug

There is a current limit on the number of characters that can exist in the user object filter (255).   I can't tell for sure if you're exceeding that since you didn't include the actual filter being used, but this problem is fairly common for environments with complex AD setups.

If you are seeing this Data truncation exception error, then there is a KB that might help here, please see Data truncation due to data too long for column.  That KB includes steps where you can modify the database itself in order to accept larger values for the field that stores that string of characters.

Please note that I would recommend creating a backup of your data before trying this, and that if you do try this, stop Jira first before making these SQL changes.

If this is not the exact problem you are seeing, then I would want to see more information on the specific error message that you see in Jira as well as the logs in Jira when this happens.  You can find the logs for this most likely in the $JIRAHOME/log/atlassian-jira.log file at the time this happens.


Gerben Heinen Nov 15, 2017

Dear Andy,

You're right, I see (String or binary data would be truncated.) in the log file. My user filter is incredibly long (3000+chars), since I have to find all members of every group in the organisational unit.

Is there a better way to find the users of all groups, where the groups are in a specific organisational unit?

Thanks for your help so far.

Kind regards,

Gerben Heinen

Gerben Heinen Nov 15, 2017

PS. I think that increasing the column size in the database to 400 won't solve the problem with my 3000+ LDAP filter.

Andrew Heinzer Atlassian Team Nov 15, 2017

I agree that 400 characters won't be enough if you have well over 3000 characters you need to fit into that filter.  I was not clear how long your filter was from your initial post, but the premise of that work-around is the same.  You might be able to expand that field to contain far more than just 255 or 400 characters.  I'm not sure what the upper limit here is.

As for how to best match all these groups: well, that really depends on the layout of your LDAP structure. Since you are using Active Directory, that rules out a number of helpful features like extensible matching as mentioned in this KB: How to write LDAP search filters.

In cases like this I would recommend looking at this KB:  Active Directory User Filter Does Not Search Nested Groups.  It might not perfectly apply to your situation.   However if you change your filter to use that specific AD modifier mentioned in the KB, then this allows you to do a recursive lookup that will match all the user objects that have membership to that group or groups nested inside of that one.   I think you might be able to do this with just a syntax of:


... in order to find all the users. 

Please let me know if this helps.


Gerben Heinen Nov 16, 2017

Hello Andy,

AD doesn't support wildcards for the actual group name, so you cannot search for all groups in an organisational unit.

I ended up creating a parent group, and added all my groups to that group. When I then search recursively for all members of that parent group, it finally worked.

Thanks for your help in solving this puzzle!

Kind regards,

Gerben Heinen

Andrew Heinzer Atlassian Team Nov 16, 2017

Awesome, glad to help out.  Thanks for letting us know how this was ultimately resolved.
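The resolution reached in this thread, as an added example that is not code from either poster or from Atlassian: it builds the original one-clause-per-group filter and the single recursive parent-group filter, escapes the group DN for use in a filter, and checks each against the 255-character limit. The parent group name `JIRA-ALL-USERS` and the `jira-team-NN` group names are constructed, and the matching-rule OID (Active Directory's LDAP_MATCHING_RULE_IN_CHAIN) is not written out in the thread.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN (recursive membership)
GROUP_OU = "ou=STG-JIRA-SW,ou=GroupSettings,dc=connect,dc=local"  # from the question
FILTER_LIMIT = 255  # user object filter limit named in the answer


def escape_dn_value(value):
    """Backslash-escape RFC 4514 special characters inside one RDN value.

    Leading '#' and leading/trailing spaces are not handled here.
    """
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_dn(cn):
    """DN of a group that lives in the OU from the question."""
    return "cn=%s,%s" % (escape_dn_value(cn), GROUP_OU)


def per_group_filter(cns):
    """The original approach: one memberOf clause per group, OR-ed together."""
    clauses = "".join(
        "(memberOf=%s)" % escape_filter_value(group_dn(cn)) for cn in cns
    )
    return "(&(objectCategory=user)(|%s))" % clauses


def parent_group_filter(parent_cn):
    """The fix: members of one parent group, including nested groups."""
    dn = escape_filter_value(group_dn(parent_cn))
    return "(&(objectCategory=user)(memberOf:%s:=%s))" % (IN_CHAIN, dn)


def fits(filter_text):
    """True when the filter is within the stored-column limit."""
    return len(filter_text) <= FILTER_LIMIT


if __name__ == "__main__":
    groups = ["jira-team-%02d" % i for i in range(40)]  # constructed names
    for label, text in (("per-group", per_group_filter(groups)),
                        ("parent", parent_group_filter("JIRA-ALL-USERS"))):
        print(label, len(text), "fits" if fits(text) else "too long")
```

Only membership in the parent group then decides who is synchronised, so changes to that group's membership are the thing to review.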
