Internal directory nested group memberships not applied to LDAP users?

Are nested group memberships maintained for groups in a local directory not applied to users from an LDAP (AD) directory?

We would like to apply nested group memberships in local groups for users coming from an LDAP directory (set up as Read Only, with Local Groups). It seems that group memberships work for local users but not for remote directory users. (JIRA 6.2.x)

4 answers

Hi @Tiago Comasseto, I guess it is not about nesting LDAP groups into internal groups.

I have described the use case here: Why nesting of internal groups does not work for AD users?

Nesting does not work for a user who is from LDAP. Let us consider that a user A is a member of some internal group G1, and this internal group is nested in another internal group G. If user A is from the internal directory, he is a member of G1 and G, but if he is from the LDAP directory, he is a member of ONLY G1.

This situation is only for JIRA. If JIRA is used as a directory provider for Confluence, you may find that A is a member of both G1 and G in Confluence, whether A is originally from LDAP or from JIRA internal.

It means nesting really cannot work in JIRA if one uses an LDAP directory along with internal groups, and it looks like a JRA bug.


Hi Anggelos, we currently don't support nested membership between internal and external groups. We have this improvement request opened to implement this functionality in a future release; you may want to add yourself as a watcher to receive updates.


Hi Tiago,

I'm aware and already watching the improvement you mention, but what I was looking for is adding AD/LDAP users as members of local directory groups which are structured as nested groups. This is supported by JIRA but there is a catch. All the nesting should be performed by an administrator user which belongs to the external directory (AD/LDAP) and not a local administrator, for nesting to work correctly.

We discussed this with support and hopefully they are going to write a KB article to explain this constraint. You can follow the details in JSP-194321 if you can get access.

I still believe that this is a bug, but the guys from support argue that it works as designed. Maybe the design is a bit flawed after all.


This is due to bug

The following workaround helped me.

1. Remove all existing group nesting in JIRA. If it does not work, disable nesting in (one of) your external directory and try to remove nesting again*.

2. Enable group nesting for all directories.

3. Group nesting shall work as expected.

 *If you are unable to do 1, just perform the ultimate hack:

1. Run over the JIRA database:

delete from cwd_membership where membership_type='GROUP_GROUP';

Then you may need to restart JIRA.
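
Added example, not part of the original answers or of Atlassian's code: because nested memberships feed authorization, this sketch saves the GROUP_GROUP rows and reports which users lose which effective groups when the delete above is applied. It runs against a constructed in-memory stand-in for cwd_membership; only the table name, membership_type and 'GROUP_GROUP' come from the thread, while the other column names and the 'GROUP_USER' value are assumptions to check against your own schema.

```python
import sqlite3

# Constructed stand-in for Jira's cwd_membership table. Only membership_type and
# the 'GROUP_GROUP' value come from the thread; the other column names and the
# 'GROUP_USER' value are assumptions to verify against the real schema.
SCHEMA = """
CREATE TABLE cwd_membership (
    parent_name TEXT, child_name TEXT, membership_type TEXT, directory_id INTEGER
);
"""
# Constructed sample rows: user A is a direct member of G1, and G1 is nested in G.
ROWS = [
    ("G1", "A", "GROUP_USER", 1),
    ("G", "G1", "GROUP_GROUP", 1),
    ("G", "B", "GROUP_USER", 1),
]
# Direct groups of a user, then every group reachable through nesting rows.
# UNION (not UNION ALL) removes duplicates, so a nesting cycle still terminates.
EFFECTIVE = """
WITH RECURSIVE eff(grp) AS (
    SELECT parent_name FROM cwd_membership
     WHERE membership_type = 'GROUP_USER' AND child_name = ?
    UNION
    SELECT m.parent_name FROM cwd_membership m JOIN eff ON m.child_name = eff.grp
     WHERE m.membership_type = 'GROUP_GROUP'
)
SELECT grp FROM eff ORDER BY grp
"""

def effective_groups(db, user):
    return [row[0] for row in db.execute(EFFECTIVE, (user,))]

def nesting_delete_impact(db, users):
    """Apply the delete; return (saved nesting rows, {user: groups lost})."""
    backup = db.execute(
        "SELECT parent_name, child_name, directory_id FROM cwd_membership "
        "WHERE membership_type = 'GROUP_GROUP'").fetchall()
    before = {u: set(effective_groups(db, u)) for u in users}
    db.execute("DELETE FROM cwd_membership WHERE membership_type = 'GROUP_GROUP'")
    lost = {u: sorted(before[u] - set(effective_groups(db, u))) for u in users}
    return backup, lost

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cwd_membership VALUES (?, ?, ?, ?)", ROWS)
    return nesting_delete_impact(db, ["A", "B"])

if __name__ == "__main__":
    print(demo())
```

The saved rows are what you would need to rebuild the nesting in step 2 of the workaround, and the per-user diff shows whose permissions change in the meantime.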
