Jira - Nested groups aren't working with AD users

We have our AD server set to read only w/ local groups. Our local directory is set up to support nested groups, and when we add users from the local directory to the sub-group, they're added to the parent groups as normal.

Unfortunately the users in our AD server don't get added to the same parent groups, they only get added to the group that you add them to.

For fun, even though our AD server isn't working our groups, we have it set to supprt nested groups as well, but that didn't change anything.

1 answer

1 accepted

This widget could not be displayed.

Hi Nick,

Do you have any user filter (User Object Filter) in place at your directory configuration in JIRA? In case you have, you may need to add the parameter 1.2.840.113556.1.4.1941 as in the example bellow:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local))

The explanation to this parameter is in this page, basically it allows recursive search in your LDAP.

I hope it helps.

Cheers

I need one of these for every nested group, don't I?

We don't have any groups that are nested in the jira_users group, but we have a number of them that are interdependent based on the developers' departments.

Hi Nick,

The parameter 1.2.840.113556.1.4.1941 needs to be declared after every memberOf attribute in your filter. Also, the filter above is just an example, you don't necessary need to have a group called jira_users.

Cheers

Excellent. Looks like everything works. Although we chose to just switch to a read/write LDAP, this process did indeed work for us.

Thank you!

Hello Nick,

How does the final configuration look like? 

Regards,

Suhas

How could it be applied in our case, we are not filtering on group, we're filtering user accounts based on a property of them haing EmployeeID (that separates humans from non-human accounts), and the account not being disabled UserAccountControl:1.2.840.113556.1.4.803:=2.

(&(objectClass=user)(objectCategory=person)(employeeID=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Can this 1.2.840.113556.1.4.1941 parameter be applied in our case?



Suggest an answer

Log in or Sign up to answer
Atlassian Summit 2018

Meet the community IRL

Atlassian Summit is an excellent opportunity for in-person support, training, and networking.

Learn more
Community showcase
Posted Wednesday in New to Jira

Are you planning to trial, or are currently trialling Jira Software? - We want to talk to you!

Hello! I'm Rayen, a product manager at Atlassian. My team and I are working hard to improve the trial experience for Jira Software Cloud. We are interested in   talking to 20 people planning t...

173 views 2 0
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you