Jira - Nested groups aren't working with AD users

Nick Shaw January 17, 2014

We have our AD server set to read only w/ local groups. Our local directory is set up to support nested groups, and when we add users from the local directory to the sub-group, they're added to the parent groups as normal.

Unfortunately the users in our AD server don't get added to the same parent groups, they only get added to the group that you add them to.

For fun, even though our AD server isn't working with our groups, we have it set to support nested groups as well, but that didn't change anything.

Answer accepted
Tiago Comasseto
January 19, 2014

Hi Nick,

Do you have any user filter (User Object Filter) in place at your directory configuration in JIRA? In case you have, you may need to add the parameter 1.2.840.113556.1.4.1941 as in the example below:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local))

The explanation of this parameter is on this page; basically, it allows recursive search in your LDAP.

I hope it helps.

Cheers

Nick Shaw January 19, 2014

I need one of these for every nested group, don't I?

We don't have any groups that are nested in the jira_users group, but we have a number of them that are interdependent based on the developers' departments.

Tiago Comasseto
January 20, 2014

Hi Nick,

The parameter 1.2.840.113556.1.4.1941 needs to be declared after every memberOf attribute in your filter. Also, the filter above is just an example; you don't necessarily need to have a group called jira_users.

Cheers

Nick Shaw January 26, 2014

Excellent. Looks like everything works. Although we chose to just switch to a read/write LDAP, this process did indeed work for us.

Thank you!

Suhas Patil April 25, 2016

Hello Nick,

What does the final configuration look like?

Regards,

Suhas

Andrew Bilukha May 15, 2018

How could it be applied in our case? We are not filtering on group; we're filtering user accounts based on a property of them having EmployeeID (that separates humans from non-human accounts), and the account not being disabled (UserAccountControl:1.2.840.113556.1.4.803:=2).

(&(objectClass=user)(objectCategory=person)(employeeID=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Can this 1.2.840.113556.1.4.1941 parameter be applied in our case?
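A small filter builder, added here as an example and not code from the thread or from Atlassian, that composes a JIRA User Object Filter from the pieces discussed on this page: the recursive memberOf rule from the accepted answer and the employeeID / userAccountControl conditions from the filter in the last question. It goes one step beyond the thread by OR-ing one in-chain clause per group when several department groups are in scope, and it escapes values per RFC 4515; the function and constant names are my own.

```python
# Added example (not from the thread or from Atlassian): compose a JIRA "User Object
# Filter" for Active Directory from the pieces discussed on this page.
from typing import Iterable

# AD extensible-match rule OIDs quoted in the thread (real values, not constructed).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # membership incl. nested groups
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on integer attributes
UF_ACCOUNTDISABLE = 2  # userAccountControl bit set on disabled accounts


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a DN or name cannot alter the filter."""
    special = "*()\\\x00"
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def nested_member_of(group_dns: Iterable[str]) -> str:
    """Users who are members of ANY listed group, directly or through nesting.

    The in-chain rule goes after every memberOf, as the accepted answer says;
    the DC walks the group graph for each clause, so keep the list short.
    """
    clauses = [
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"
        for dn in group_dns
    ]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def build_user_filter(group_dns: Iterable[str] = (), require_employee_id: bool = False,
                      exclude_disabled: bool = True) -> str:
    """AND together the person/user checks, optional employeeID presence, the
    disabled-account exclusion (bitwise AND on userAccountControl) and group scope."""
    parts = ["(objectCategory=person)", "(objectClass=user)", "(sAMAccountName=*)"]
    if require_employee_id:
        parts.append("(employeeID=*)")
    if exclude_disabled:
        parts.append(f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))")
    groups = list(group_dns)
    if groups:
        parts.append(nested_member_of(groups))
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    # Constructed sample DN; the jira_users group name comes from the thread's example.
    print(build_user_filter(["CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local"],
                            require_employee_id=True))
```

Paste the returned string into the User Object Filter field; with no groups given it yields the employeeID/disabled-account filter from the last question with the in-chain rule simply omitted.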
