Heads up! On March 5, starting at 4:30 PM Central Time, our community will be undergoing scheduled maintenance for a few hours. During this time, you will find the site temporarily inaccessible. Thanks for your patience. Read more.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

LDAP sync - Changing user location within AD vs local groups

Primoz
Primoz
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 6, 2023

Looking for some input on syncing Jira v.7.6.2 / Confluence 7.8.0 with AD.

At implementation stage "someone" configured LDAP user directory to retrieve users and groups only from cn=users,dc=domain,dc=local.

I tried adding a new connection to second DC with additional user and group DNs specified. As directories are checked in order, if the user or group would not be found in the first directory, since it was moved, it would be found in the second (same domain). 

The problem is, all Jira/Confluence users are members of some local Jira groups. As the user is moved from one OU to another, these local group memberships are lost. Even if the user is moved back to the original OU.

Is there a way to preserve local (and AD) group memberships as the user is moved from one OU to another? 

I did not have the courage to edit the original user directory settings (remove "cn=users"), just in case that it would mess up these local memberships too. 

Any advice/help/info would be great! 

Answer
Watch
Like Be the first to like this
565 views

1 answer

0 votes
Dam
Dam
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 6, 2023

Hi @Primoz 

You can simply manage your group is your new AD and import groups and membership with users... 

Here is the doc for connecting Jira to an LDAP directory: 
https://confluence.atlassian.com/adminjiraserver/connecting-to-an-ldap-directory-938847052.html

Nested groups are also supported. You will have to update your config to synch groups as the doc is explaining... https://confluence.atlassian.com/adminjiraserver/connecting-to-an-ldap-directory-938847052.html#ConnectingtoanLDAPdirectory-Groupschemasettings

I hope this help. 

Dam.

View More Comments
Primoz
Primoz
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 7, 2023

Hi Dam, thank you for your input! 

I get the LDAP users and groups OK, but most LDAP users are also members of local Jira groups. This membership gets lost if I use another directory (same AD, different AD server).

Due to this reason I have been afraid to modify the settings of the currently used directory, as there are quite a lot of users currently. 

I did, however, find the 2.nd option in the first link interesting:

"I don't believe local groups are supported in Crowd for a delegated directory - but if for some reason you are using Local Groups on a directory you're getting rid of, there are extra steps involved (run an SQL query to get any user,group membership values from the cwd_membership table, then use this as the input for a CSV import file - as you're not importing any users, but a users file is mandatory, just create a dummy file with the first line of "u,e,f,l,p" and map these to User, Email, First name, Last name, Password on the import)".

I added a test directory, added some users, moved stuff around within the AD and messed with its settings, but local group memberships remained. :) It is only when moving from one directory to another that these memberships get lost it seems.

I will get some support people on stand-by and go for it on the production entries. Wish me luck! :)

Primoz.

Like Dam likes this
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events