Internal directory nested group memberships not applied to LDAP users?

Are nested group memberships maintained for groups in a local directory not applied to users from an LDAP (AD) directory?

We would like to apply nested group memberships in local groups for users coming from an LDAP directory (setup as Read Only, with Local Groups). It seems that group memberships work for local users but not for remote directory users. (JIRA 6.2.x)

4 answers

Hi @Tiago Comasseto, I guess it is not about nesting LDAP groups into internal groups

I have described use case here Why nesting of internal groups does not work for AD users?

Nesting does not work for a user, who is from LDAP. Let us consider that   a user A is a member of some internal group G1, and this internal group is nested in another internal group G. If user A is from internal directory, he is  a member of G1 and G, but if he is from LDAP directory, he is a member of ONLY G1.

 

This situation is only for JIRA. If JIRA is used as a directory provider for Confluence, you may find that A is a member of both  G1 and G in Confluence, whether A is originally from LDAP or from JIRA internal

 

 

 

It means, nesting really cannot work in JIRA, if one uses a  LDAP directory along with internal groups, and it looks as a JRA bug.

  

Hi Anggelos, we currently don't support nested membership between internal and external groups. We have this improvement request opened to implement this functionality in a future release, you may want to add yourself as watcher to receive updated.

Cheers

Hi Tiago,

I'm aware and already watching the improvement you mention, but what I was looking for is adding AD/LDAP users as members of local directory groups which are structured as nested groups. This is supported by JIRA but there is a catch. All the nesting should be performed by an administrator user which belongs to the external directory (AD/LDAP) and not a local administrator, for nesting to work correctly.

We discussed this with support and hopefully they are going to write a KB article to explain this constraint. You can follow the details in JSP-194321 if you can get access.

I still believe that this is a bug, but guys from support argue that is works as designed. Maybe the design is a bit flawed after all.

Cheers

This is due to bug https://jira.atlassian.com/browse/JRA-24671

The following workaround helped me.

1. Remove all existing group nesting in JIRA. If it does not work, disable nesting in (one of) your external directory and try to remove nesting again*.

2. Enable group nesting for all directories.

3. Group nesting shall work as expected


 *If you unable to do 1, just perform the ultimate hack

1. Run over JIRA database

delete from cwd_membership where membership_type='GROUP_GROUP';
commit;

Then you may need to restart JIRA

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 18, 2018 in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

24,345 views 2 7
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you