Users from subgroups in AD are not shown when using a User Object Filter

Hello.

We are using a User Object Filter in the "User Schema Settings" to limit the Users.

Users in a group jira_users are found. If a user Michael is in a group team_a, and team_a is a member of jira_users, Michael is not shown in Jira. If Michael is a direct member of jira_users, he is shown in Jira.

When we look for Michael in "Users" all groups and nested group memberships are shown correctly.

We need the ability to use nested groups in the filter.

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=jira_users,OU=jira,OU=atlassian,OU=xDelegation,DC=company,DC=local))

Limiting the Users by using "Additional User DN" does not limit the Users.

Is this a decision by design or an error?

4 answers

1 accepted

4 votes

Hey Christian,

We created an Improvement Request for this particular problem. You can see it here:

My suggestion is to vote on this request and add yourself as a watcher to receive future updates regarding this case. You can also add comments there; they will reach the developers directly.

Cheers,
Andre

Hi Christian,

I've run some tests locally and was able to confirm that JIRA doesn't pull in nested members of a group that is in the search filter. Basically it only searches for the attribute memberOf into the group that is declared in the search filter.

An alternative is to include the nested groups in the User Object Filter, as in the following example:

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=jira_users,OU=jira,OU=atlassian,OU=xDelegation,DC=company,DC=local)(memberOf=CN=team_a,OU=jira,OU=atlassian,OU=xDelegation,DC=company,DC=local)))

Cheers

Adding the nested groups is nice if you have a stable and limited number of groups.

If the creation of new groups is rife in your organisation then this is no solution. You wouldn't want to fix your LDAP filter on a weekly basis; this would be an administrative nightmare...

1 votes

Hello guys,

In case anyone is still facing this issue:

What happens is that Confluence does not retrieve the subtrees of the user filter you set. So, basically, Confluence is only looking for the users that are "memberOf" confluence-users, and not the ones that are memberOf subtrees within the confluence-users group.
However, Microsoft Active Directory (AD) has a specific string that you can add to your filter so that it will look at the subtrees as well. For example:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=confluence-users,CN=Users,DC=example,DC=com))

Please refer to this official Microsoft documentation in case of any questions.

I hope it helps :)

Best regards,

Eduardo Mallmann

Thanks a lot!! This is what I had been looking for for hours!
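A small model of the difference between the two filters in this thread, as an added example that is not part of any post here: it builds both filter strings and evaluates plain versus in-chain memberOf over a constructed membership table. The users Anna and Omar, the group team_b and the OU=people container are invented for illustration, and nothing is queried from a real directory.

```python
# Added example: constructed directory data, not a real AD query.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID quoted in the answer above

BASE = "OU=jira,OU=atlassian,OU=xDelegation,DC=company,DC=local"
PEOPLE = "OU=people,DC=company,DC=local"      # hypothetical user container
JIRA_USERS = f"CN=jira_users,{BASE}"
TEAM_A = f"CN=team_a,{BASE}"
TEAM_B = f"CN=team_b,{BASE}"                  # hypothetical second team
# Constructed sample: entry DN -> groups it is a DIRECT member of (memberOf).
MEMBER_OF = {
    f"CN=Michael,{PEOPLE}": [TEAM_A],
    f"CN=Anna,{PEOPLE}": [JIRA_USERS],
    f"CN=Omar,{PEOPLE}": [TEAM_B],
    TEAM_A: [JIRA_USERS, TEAM_B],
    TEAM_B: [TEAM_A],                         # constructed edge case: circular nesting
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def user_object_filter(group_dn, nested=False):
    """Build the User Object Filter from the thread for one group DN."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return ("(&(objectCategory=Person)(sAMAccountName=*)"
            f"({attr}={escape_filter_value(group_dn)}))")

def matches(dn, group_dn, nested=False):
    """Model what each form of the memberOf assertion matches for one entry."""
    if not nested:
        return group_dn in MEMBER_OF.get(dn, [])
    seen, stack = set(), list(MEMBER_OF.get(dn, []))
    while stack:                  # walk memberOf upward; 'seen' breaks cycles
        group = stack.pop()
        if group == group_dn:
            return True
        if group not in seen:
            seen.add(group)
            stack.extend(MEMBER_OF.get(group, []))
    return False

def admitted(group_dn, nested=False):
    """User entries in the constructed data that the filter would admit."""
    return sorted(dn for dn in MEMBER_OF
                  if dn.endswith(PEOPLE) and matches(dn, group_dn, nested))

if __name__ == "__main__":
    for nested in (False, True):
        print(user_object_filter(JIRA_USERS, nested))
        print("  admits:", admitted(JIRA_USERS, nested))
```

In this model the in-chain form admits Omar as well as Michael, because team_b reaches jira_users through team_a; the nested filter grants access to every account below the group at any depth, not only the subgroup that prompted the change.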
