Only synchronise users of groups in organisational unit

Gerben Heinen November 15, 2017

Dear all,

I have been googling a lot, and thought I was close to an answer, but JIRA keeps giving errors.

I want to connect to AD from JIRA and sync users that are in specific groups that are in an organisational unit. These are my settings:

Base DN: dc=connect,dc=local

Add. User dn: {empty}

Add. Group dn: ou=STG-JIRA-SW,ou=GroupSettings

This syncs only groups in the ou, so that's okay. However the users are not in those ou, and I only want to sync users in those groups. I have figured out an LDAP filter, that I have put in the user object filter:

(&(objectCategory=user)(|(memberOf=cn={name},ou=STG-JIRA-SW,ou=GroupSettings,dc=connect,dc=local)(memberOf=cn={name},ou=ST etc. etc. )))

There are a lot of groups, so this became a long filter query.

The filter works in an LDAP client, but JIRA keeps giving error pages.

What is going wrong and is there a better way to do this?

Thanks in advance.

Kind regards,

Gerben Heinen


0 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 15, 2017

Hi Gerben,

Sorry to hear that you are having problems with this, but could you let me know more about the error Jira is throwing when trying to do this?

I suspect that you might be running into this documented bug https://jira.atlassian.com/browse/JRASERVER-36979

There is a current limit on the number of characters that can exist in the user object filter (255). I can't tell for sure if you're exceeding that since you didn't include the actual filter being used, but this problem is fairly common for environments with complex AD setups.

If you are seeing this Data truncation exception error, then there is a KB that might help here, please see Data truncation due to data too long for column. That KB includes steps where you can modify the database itself in order to accept larger values for the field that stores that string of characters.

Please note that I would recommend creating a backup of your data before trying this, and that if you do try this, stop Jira first before making these SQL changes.

If this is not the exact problem you are seeing, then I would want to see more information on the specific error message that you see in Jira as well as the logs in Jira when this happens. You can find the logs for this most likely in the $JIRAHOME/log/atlassian-jira.log file at the time this happens.

Regards,
Andy

Gerben Heinen November 15, 2017

Dear Andy,

You're right, I see (String or binary data would be truncated.) in the log file. My user filter is incredibly long (3000+chars), since I have to find all members of every group in the organisational unit.

Is there a better way to find the users of all groups, where the groups are in a specific organisational unit?

Thanks for your help so far.

Kind regards,

Gerben Heinen

Gerben Heinen November 15, 2017

PS: I think that increasing the column size in the database to 400 won't solve the problem with my 3000+ character LDAP filter.

Andy Heinzer
Atlassian Team
November 15, 2017

I agree that 400 characters won't be enough if you have well over 3000 characters you need to fit into that filter. I was not clear how long your filter was from your initial post, but the premise of that work-around is the same. You might be able to expand that field to contain far more than just 255 or 400 characters. I'm not sure what the upper limit here is.

As for how to best match all these groups: well, that really depends on the layout of your LDAP structure. Since you are using Active Directory, that rules out a number of helpful features like extensible matching as mentioned in this KB: How to write LDAP search filters.

In cases like this I would recommend looking at this KB: Active Directory User Filter Does Not Search Nested Groups. It might not perfectly apply to your situation. However, if you change your filter to use that specific AD modifier mentioned in the KB, then this allows you to do a recursive lookup that will match all the user objects that have membership to that group or groups nested inside of that one. I think you might be able to do this with just a syntax of:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=ou=STG-JIRA-SW,ou=GroupSettings))

... in order to find all the users.

Please let me know if this helps.

Regards,
Andy

Gerben Heinen November 16, 2017

Hello Andy,

AD doesn't support wildcards for the actual group name, so you cannot search for all groups in an organisational unit.

I ended up creating a parent group, and added all my groups to that group. When I then search recursively for all members of that parent group, it finally worked.

Thanks for your help in solving this puzzle!

Kind regards,

Gerben Heinen
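The two filter shapes discussed in this thread, as an added example (not code from the thread or from Atlassian): it builds the per-group OR filter from the question and the recursive LDAP_MATCHING_RULE_IN_CHAIN filter from the answer, checks each against the 255-character column limit Andy mentions, and models offline what the recursive rule matches against a constructed group tree with a cycle in it. The parent-group name JIRA-ALL, the nested group names and the sample users are assumptions.

```python
from typing import Dict, Iterable, List, Set

USER_FILTER_COLUMN_LIMIT = 255              # column limit cited from JRASERVER-36979
IN_CHAIN = "1.2.840.113556.1.4.1941"        # AD matching-rule OID used in the thread
BASE_DN = "dc=connect,dc=local"
GROUP_OU = f"ou=STG-JIRA-SW,ou=GroupSettings,{BASE_DN}"
PARENT_GROUP_DN = f"cn=JIRA-ALL,{GROUP_OU}"  # hypothetical name for the parent group

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def per_group_filter(group_cns: Iterable[str]) -> str:
    """Original approach from the question: one memberOf clause per group, OR'ed."""
    clauses = "".join(f"(memberOf=cn={escape_filter_value(cn)},{GROUP_OU})" for cn in group_cns)
    return f"(&(objectCategory=user)(|{clauses}))"

def in_chain_filter(parent_group_dn: str) -> str:
    """Approach that resolved the thread: one recursive clause on a parent group."""
    dn = escape_filter_value(parent_group_dn)
    return f"(&(objectCategory=Person)(sAMAccountName=*)(memberOf:{IN_CHAIN}:={dn}))"

def fits_user_filter_column(ldap_filter: str) -> bool:
    """Would this filter be stored without the truncation error seen in the log?"""
    return len(ldap_filter) <= USER_FILTER_COLUMN_LIMIT

def transitive_members(directory: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Offline model of what the in-chain rule matches: every user reachable through
    nested groups. 'directory' maps group DN -> member DNs (constructed, not live AD)."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:                    # a group already walked: cycle guard
            continue
        seen.add(dn)
        for member in directory.get(dn, []):
            if member in directory:       # the member is itself a group: descend
                stack.append(member)
            else:
                users.add(member)
    return users

# Constructed sample data: the parent group holds two groups that also reference
# each other, so the walk has to terminate on the cycle.
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    PARENT_GROUP_DN: [f"cn=STG-JIRA-DEV,{GROUP_OU}", f"cn=STG-JIRA-OPS,{GROUP_OU}"],
    f"cn=STG-JIRA-DEV,{GROUP_OU}": [f"cn=alice,ou=Users,{BASE_DN}", f"cn=STG-JIRA-OPS,{GROUP_OU}"],
    f"cn=STG-JIRA-OPS,{GROUP_OU}": [f"cn=bob,ou=Users,{BASE_DN}", f"cn=STG-JIRA-DEV,{GROUP_OU}"],
}
```

With thirty groups the per-group filter runs to several thousand characters and fails the column check, while the single in-chain filter stays well under 255.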

Andy Heinzer
Atlassian Team
November 16, 2017

Awesome, glad to help out. Thanks for letting us know how this was ultimately resolved.
