Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Read-only LDAP groups with local groups

We have an instance of Jira Server that is configured to use our LDAP server (ORM LDAP Server) for authentication as shown below: 


In addition to this, the Jira instance is also used to provide authentication for a Confluence instance.

 This works perfectly well, but there's a behaviour that we would like to change.  As configured, our LDAP group information is copied to the Jira instance and allows us to add users to both the locally created groups and to those groups that are copied from the LDAP server.  The information copied to the groups supplied via LDAP is not synchronised with the group information in the LDAP repository.   Having the ability to augment the group structure with new, local groups is a requirement, but we don't want to allow those groups that are synchronized from the LDAP server to be modified locally.  We would prefer that the groups supplied via LDAP are managed only via the LDAP server and not via the Jira UI.

 Is there a way that this could be implemented?

1 answer

Hello @Don Carlos Abrams ,

If I understood correctly, you no longer want to be able to add LDAP users to local Jira groups, if this is the case you have to change the LDAP permission to "Read only" (currently it's set to "Read only, with local groups").


For further details please have a look at : Connecting to an LDAP directory

Kind regards.

No.  We don't want to be able to modify the LDAP-supplied groups via Jira.  We still need to be able to add LDAP users to the local Jira groups.

Hello @Don Carlos Abrams ,

With the permission parameter set up to "Read only, with local groups", you are not updating the LDAP server when you add a local user to an LDAP group. Indeed Jira create a "copy" of all the LDAP groups. So in reality you're not managing or modifying the LDAP group, you're only managing this "copies" from the UI.

Kind regards.

Thanks, but you can still modify the copy of the LDAP-supplied group and that's what we want to prevent.

So, is this possible or not?

Hello @Don Carlos Abrams ,

Unfortunatly, I think it is not.

Sorry for the late response.

Kind regards.

Suggest an answer

Log in or Sign up to answer

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you