mapping groups in MS AD via LDAP with Jira/Confluence

Let's say I have 3 roles in Jira:




AND in AD domain groups:


-Jira admins


When I give a new user a certain role like jira_develop in AD, this user should be synchronised into the correct local group in Jira (jira-developers).

Is this possible when I set an LDAP connection for each group, or can I just set one LDAP connection and use filters to get the right users from AD into the right local groups in Jira?

How can this be done?


1 answer

0 votes

I'm a bit confused but as long as you make your AD groups members of your project roles, once you add members to the AD groups (and after a sync) those users will have access to those projects according to the permission scheme. Hopefully your permission scheme uses these roles.

Additionally, you shouldn't need multiple directory connections. You can write one filter to pull in these groups and the group members all at once.

Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_user)(sAMAccountName=jira_develop)(sAMAccountName=jira_admins)))

User filter: (&(objectClass=person)(|(memberOf=CN=jira_user,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_develop,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_admin,OU=blah,OU=domain,OU=com)))


Josh Steckler

thx for your answer, I will try this! But what do you mean by "Hopefully your permission scheme uses these roles." :-)

The role names in Jira are different than the role names (groups) in AD, so where in the config above do you refer to the Jira local groups?



Hi Josh,

In this case, what will then be the Base DN? And should OU=domain,OU=com not be DC=domain,DC=com?

And Additional User/Group DN stays empty, with just LDAP read permissions!


OU=Las Vegas
    (group) = jira-user (role nested = jira-default)
    (group) = jira_admins (role nested = jira-administrators)
    (group) = jira_develop (role nested = jira-programmers)

And I am using nested groups!




Your base DN could be as simple as "DC=domain,DC=com" - depending on where your user account OU is. This is what I use on mine due to the nature of our AD structure.

One thing to consider is to create a "master" group that contains all relevant groups to be used within JIRA.

Let's say underneath the OU=confluence, you create a new group "jira_groups" and you add jira_user, jira_admins and jira_develop as nested members. In that situation, you could use these filters. I assume when you said you use nested groups, it means that you have other groups nested within jira_user, etc.

User filter: (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_groups)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))

This uses a function of AD-specific query syntax known as LDAP_MATCHING_RULE_IN_CHAIN; basically it picks up all levels of nesting below the specified object. See these two links for more:



An additional reason I suggest using a "master" group is due to JRASERVER-36979

The maximum length of an LDAP group/user filter is 255 characters. So if you wanted to pull in all nested groups by naming jira_users, jira_admins and jira_develop individually, the filter would look like the following, but that would be 344 characters and therefore impossible.

(&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_admins,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_develop,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))
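An added example, not code from the thread or from Atlassian: a small Python helper that builds the user and group filters described in both answers above (plain sAMAccountName matches and the in-chain nested-membership clause) and checks the two things a practitioner trips over before pasting into the directory settings, the 255-character limit and unbalanced parentheses. The OU/DC values are the thread's placeholders, not a real directory.

```python
# AD's LDAP_MATCHING_RULE_IN_CHAIN OID: matches through any depth of group nesting.
IN_CHAIN = "1.2.840.113556.1.4.1941"
MAX_FILTER_LEN = 255  # limit Jira applies to user/group filters (JRASERVER-36979)

# Placeholder container from the thread, assumed to hold the groups.
BASE_DN = "OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a group name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def nested_member_of(group_cn: str, parent_dn: str = BASE_DN) -> str:
    """(memberOf:<in-chain>:=<DN>): direct and nested members of the group."""
    dn = f"CN={group_cn},{parent_dn}"
    return f"(memberOf:{IN_CHAIN}:={escape_filter_value(dn)})"


def any_of(clauses: list[str]) -> str:
    """OR the clauses together; a single clause needs no (|...) wrapper."""
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


def user_filter(group_cns: list[str]) -> str:
    """People who are (nested) members of any of the named groups."""
    clauses = [nested_member_of(g) for g in group_cns]
    return "(&(objectClass=person)" + any_of(clauses) + ")"


def group_filter(master_cn: str) -> str:
    """The master group itself plus every group nested underneath it."""
    name = escape_filter_value(master_cn)
    clauses = [f"(sAMAccountName={name})", nested_member_of(master_cn)]
    return "(&(objectCategory=Group)" + any_of(clauses) + ")"


def check_filter(ldap_filter: str) -> dict:
    """Report length and parenthesis balance, the two problems seen in the thread."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # a ')' closed more than was opened
            break
    return {"length": len(ldap_filter),
            "too_long": len(ldap_filter) > MAX_FILTER_LEN,
            "balanced": depth == 0}
```

Run `check_filter` on any filter before saving it in Jira; the three-group variant above comes out at 344 characters and fails the length check, while the single master-group filter passes.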

Thx Josh,

I see! But if I set 3 user directories (LDAP AD) to the same server with different sync intervals, just to map the users of the 3 groups from AD to local groups in Jira, would this work?

The meaning of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.


Josh Steckler Community Champion Nov 17, 2017

I personally wouldn't want the performance overhead of three syncs. It might work, but things like users in multiple groups might come up and cause issues.


The meaning of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.

So that I can just manage users in AD and not necessarily in Jira itself.


thx again Josh :-)


In the User Schema Settings, what would then be the User Name Attribute? sAMAccountName?




sAMAccountName is often used. You could also use userPrincipalName or even mail if you want.

Josh Steckler Community Champion Nov 20, 2017

I use samaccountname -- use whichever one is more prevalent in your organization if this is a new instance of JIRA.

thx for your reply!

But I still have a problem with nested groups, I've tried with just 1 group

 (&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)

and it seems that Jira doesn't find the nested group!

I chose the option "Read Only with local groups" to put the users from the AD group in the local group "confluence-users",

but it doesn't work! :-(

Does somebody have another option?



Josh Steckler Community Champion Nov 21, 2017

If you pasted your filter exactly, there's a syntax error:

 (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))


The characters in bold are not case-sensitive, I hope?

 (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))




Josh Steckler Community Champion Nov 21, 2017

It should not be case sensitive, but strictly speaking, memberOf is properly capitalized as bold here.

thx Josh, i hope that will solve the problem ;-)



Doesn't work, it just copies the AD group (not the group that is nested) to Jira with no users! :-(


