Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Active Directory and nested groups

David Keaveny
David Keaveny April 17, 2013

Using standalone JIRA 5.2.10 running on Windows and connecting to Active Directory with nested groups enabled in Advanced Settings, I am finding that nested groups are not working. In AD, I set up a group base OU, _Jira, and within that set up my JIRA groups (e.g. JIRA User, JIRA Developer). To some groups I added individual users (e.g. to JIRA Administrator), while to other groups I added groups defined outside the _Jira OU (e.g. an existing group named Developers was added to JIRA Developer).

When I synchronise AD with JIRA, the groups in _Jira appear as expected, but only users explicitly assigned are being shown as members. Users who are members of groups that are members of the JIRA groups are not appearing - is it because those groups are outside the _Jira OU, and if so, is there a workaround?

Answer
Watch
Like Be the first to like this
2938 views

2 answers

1 accepted

1 vote
Answer accepted
Colin Goudie
Colin Goudie
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 22, 2013

All groups that are found will appear as groups in JIRA's User Management Section. If you only wanted a small subset of the groups to be used, you could provide their CN as additional parameters in the Group Filter Query. e.g.

(&(objectCategory=Group)(CN=JIRA_*))

View More Comments
David Keaveny
David Keaveny May 12, 2013

I moved all the JIRA_ groups into the Groups folder and deleted the JIRA folder, then updated my AD configuration in JIRA accordingl and applied the group filter that you suggest; but the end result is still the same. Users who are explicitly assigned to a JIRA_ group appear in those groups in JIRA, but users who are implicitly assigned to a JIRA_ group by virtue of being in a non-JIRA_ group assigned to a JIRA_ group do not.

I don't know whether this is a limitation of LDAP as a whole, or Atlassian's implementation of the AD support. It's beginning to sound like we will have to swallow the extra administration overhead, and assign users to JIRA Users as well as Users, for example.

Like
David Keaveny
David Keaveny May 20, 2013

In the end I moved the JIRA groups into the same folder as the rest of my groups, and explicitly assigned the users to the JIRA groups. Applying your filter change means only the JIRA groups show up in JIRA, which is good enough for me.

Like
Reply
0 votes
Septa Cahyadiputra
Septa Cahyadiputra
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 17, 2013

Hi David,

In order to get the nested group working fine, the groups search filter configured on your end need to be able to search the nested group as well. Hence please ensure that the configured Base DN and search filter is able to retrieve your nested group.

Hope it helps.

Cheers,
Septa Cahyadiputra

View More Comments
David Keaveny
David Keaveny April 22, 2013

So if my AD setup is something like this:

Base
--Users
--Groups
---External Testers
---Internal Testers
---Contractors
---Devs
---Admins
---Users
--JIRA
---JIRA_Testers
---JIRA_Devs
---JIRA_Admins
---JIRA_Users

and I set my Base DN to Base, my User DN to Users and my Group DN to JIRA, I get my current situation. If I make the groups External Testers and Internal Testers to members of JIRA_Testers, then currently no-one who is in those groups will actually be displayed as such.

In short, I don't want the groups in Base/Groups to appear in JIRA, but I want those groups to be assigned to JIRA-specific groups. Is this at all possible, and if so, what changes do I need to make to my DN queries?

Like
Mattias Larsson
Mattias Larsson August 7, 2018

I realize I'm more than five years late, but maybe this can help someone else to understand the limitations in play here. I was in the exact same situation.

I had the group Employees (OU=Security Groups) belonging to the group Jira Users (OU=Jira,OU=Security Groups). However, I only wanted group in OU Jira to be displayed in Jira. Unfortunately I had to back down and explicitly add users to the group Jira Users.

Nested groups only work, if the parent group(s) of a nested group are also available/displayed in Confluence.

https://community.atlassian.com/t5/Answers-Developer-Questions/Getting-Users-from-Nested-Groups-in-AD/qaq-p/470840

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events