Jira - Nested groups aren't working with AD users

We have our AD server set to read only w/ local groups. Our local directory is set up to support nested groups, and when we add users from the local directory to the sub-group, they're added to the parent groups as normal.

Unfortunately the users in our AD server don't get added to the same parent groups, they only get added to the group that you add them to.

For fun, even though our AD server isn't working our groups, we have it set to support nested groups as well, but that didn't change anything.


Accepted Answer
2 votes

Hi Nick,

Do you have any user filter (User Object Filter) in place at your directory configuration in JIRA? In case you have, you may need to add the parameter 1.2.840.113556.1.4.1941 as in the example below:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local))

The explanation of this parameter is on this page; basically, it allows recursive search in your LDAP.

I hope it helps.

Cheers

I need one of these for every nested group, don't I?

We don't have any groups that are nested in the jira_users group, but we have a number of them that are interdependent based on the developers' departments.

Hi Nick,

The parameter 1.2.840.113556.1.4.1941 needs to be declared after every memberOf attribute in your filter. Also, the filter above is just an example; you don't necessarily need to have a group called jira_users.

Cheers

Excellent. Looks like everything works. Although we chose to just switch to a read/write LDAP, this process did indeed work for us.

Thank you!

Hello Nick,

What does the final configuration look like?

Regards,

Suhas

How could it be applied in our case? We are not filtering on group, we're filtering user accounts based on a property of them having EmployeeID (that separates humans from non-human accounts), and the account not being disabled UserAccountControl:1.2.840.113556.1.4.803:=2.

(&(objectClass=user)(objectCategory=person)(employeeID=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Can this 1.2.840.113556.1.4.1941 parameter be applied in our case?
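
Added example (not part of the thread and not Atlassian code): a Python sketch that puts the 1.2.840.113556.1.4.1941 rule on every plain memberOf clause of a user filter, as the accepted answer describes, and shows that a filter with no memberOf clause has nothing to rewrite until a group clause is ANDed onto it. The function names are hypothetical, the group DN is the one from the accepted answer's example, and the DN with parentheses is constructed.

```python
import re

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible-match rule.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# "(memberOf=<dn>" with no matching rule yet. Clauses already written as
# "(memberOf:<oid>:=" and the presence test "(memberOf=*)" are left alone.
_PLAIN_MEMBEROF = re.compile(r"\((memberOf)=(?!\*\))", re.IGNORECASE)


def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def add_in_chain(ldap_filter):
    """Put the in-chain rule on every plain memberOf clause.

    Returns (rewritten_filter, number_of_clauses_changed)."""
    return _PLAIN_MEMBEROF.subn(rf"(\1:{IN_CHAIN}:=", ldap_filter)


def require_nested_group(user_filter, group_dn):
    """AND a user filter with direct-or-nested membership of group_dn."""
    clause = f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"
    return f"(&{user_filter}{clause})"


if __name__ == "__main__":
    # Group DN taken from the accepted answer's example filter.
    group = "CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local"
    direct_only = f"(&(objectCategory=Person)(sAMAccountName=*)(memberOf={group}))"
    print(add_in_chain(direct_only))
    # Account-property filter from the last question: no memberOf clause.
    accounts = ("(&(objectClass=user)(objectCategory=person)(employeeID=*)"
                "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
    print(add_in_chain(accounts))  # unchanged, 0 clauses rewritten
    print(require_nested_group(accounts, group))
    # Constructed DN with parentheses to show the escaping.
    print(escape_filter_value("CN=Devs (EU),OU=jira,DC=company,DC=local"))
```

Escaping the DN matters when group names contain parentheses or asterisks; unescaped, they change the structure of the filter instead of matching the group.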


