Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Internal directory nested group memberships not applied to LDAP users?

angel
angel May 29, 2014

Are nested group memberships maintained for groups in a local directory not applied to users from an LDAP (AD) directory?

We would like to apply nested group memberships in local groups for users coming from an LDAP directory (setup as Read Only, with Local Groups). It seems that group memberships work for local users but not for remote directory users. (JIRA 6.2.x)

Answer
Watch
Like Be the first to like this
1459 views

4 answers

1 vote
Gregory Kneller
Gregory Kneller
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
November 21, 2014

Hi @Tiago Comasseto, I guess it is not about nesting LDAP groups into internal groups

I have described use case here Why nesting of internal groups does not work for AD users?

Nesting does not work for a user, who is from LDAP. Let us consider that   a user A is a member of some internal group G1, and this internal group is nested in another internal group G. If user A is from internal directory, he is  a member of G1 and G, but if he is from LDAP directory, he is a member of ONLY G1.

 

This situation is only for JIRA. If JIRA is used as a directory provider for Confluence, you may find that A is a member of both  G1 and G in Confluence, whether A is originally from LDAP or from JIRA internal

 

 

 

It means, nesting really cannot work in JIRA, if one uses a  LDAP directory along with internal groups, and it looks as a JRA bug.

  

Reply
0 votes
Gregory Kneller
Gregory Kneller
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
December 30, 2014

This is due to bug https://jira.atlassian.com/browse/JRA-24671

The following workaround helped me.

1. Remove all existing group nesting in JIRA. If it does not work, disable nesting in (one of) your external directory and try to remove nesting again*.

2. Enable group nesting for all directories.

3. Group nesting shall work as expected

 *If you unable to do 1, just perform the ultimate hack

1. Run over JIRA database

delete from cwd_membership where membership_type='GROUP_GROUP';
commit;

Then you may need to restart JIRA

Reply
0 votes
angel
angel June 25, 2014

Hi Tiago,

I'm aware and already watching the improvement you mention, but what I was looking for is adding AD/LDAP users as members of local directory groups which are structured as nested groups. This is supported by JIRA but there is a catch. All the nesting should be performed by an administrator user which belongs to the external directory (AD/LDAP) and not a local administrator, for nesting to work correctly.

We discussed this with support and hopefully they are going to write a KB article to explain this constraint. You can follow the details in JSP-194321 if you can get access.

I still believe that this is a bug, but guys from support argue that is works as designed. Maybe the design is a bit flawed after all.

Cheers

Reply
0 votes
Tiago Comasseto
Tiago Comasseto
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
June 22, 2014

Hi Anggelos, we currently don't support nested membership between internal and external groups. We have this improvement request opened to implement this functionality in a future release, you may want to add yourself as watcher to receive updated.

Cheers

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events