Hi!
We have an Active Directory where we have a lot of users, but separated into different countries like SE, FR, IT, ES, AR.
The AD looks like this.
domain.net
  AR
    Users
  ES
    Users
  SE
    Users
and so on.
The groups created for the use of Confluence we have placed in the AD.
domain.net
  Common
    Groups
      AR-Read
      AR-Write
      ES-Read
      ES-Write
      SE-Read
      SE-Write
And in each Group we have the right members.
So, my question is if it is possible to make ONE LDAP to Microsoft Active Directory.
I have set up several LDAPs under User directories which fetch information every 60 minutes.
Do I really need to import the users into Confluence, which the LDAPs do?
Can someone explain this to me really simple :)
Thank you very much in advance.
Hi Alex/Danial,
I am trying to integrate HipChat server with LDAP but I am facing some issues mentioned below:
- Hipchat is detecting the group and its members only when the account used is a member of any group and other members belong to same OU we have pointed to
Ex: Hipchat detecting a group named “Hipchat” but only retrieving 2 members instead of actual 5 because other 3 out of 5 belong to a different OU.
We would like to achieve the below
- Hipchat must detect group and also its members belonging to other OU’s
Ex: Consider 3 OU's BLR, CHN and SHN, and we pointed to only the SHN OU in the HipChat directory. So SHN contains a group named 'XYZ', and XYZ has members from BLR and CHN as well.
HipChat must detect/sync members from BLR and CHN as well if they are members of the XYZ group placed in SHN.
Is the above mentioned possible?
Regards,
Vijayalakshmi
First, ensure that the tree in your AD is:
domain.net/
  => OU=Users
    => OU=SE ...
    => OU=AR ...
    => OU=ES ...
If so, you can simplify Additional User DN to OU=Users, as long as all your users are defined under this node.
If you want to limit login of users to members of any of the groups (AR-Read, AR-Write ... etc), you can use the User Object Filter set to:
(&(&(objectCategory=Person)(sAMAccountName=*))(&(|(memberOf=XXX)(memberOf=YYYY))))
Hi Alex!
Thank you for your reply.
Yes, I've set up Confluence with several user directories but only want to use one.
I have several OU's in the AD
OU=Users, OU=SE
OU=Users, OU=AR
OU=Users, OU=FR
and so on.
We have also created several groups in:
OU=Confluence,OU=Groups,OU=Common
All the groups are in there and imported into Confluence when running/synchronizing the LDAP.
If I understand you correctly Alex, it is possible to do some sort of filter on the user side if they belong in any of the groups.
Is it also possible to import/add only groups belonging in an OU?
Here is what my LDAP setup looks like.
-----------------------------------------------------------------------------------------
Name: Confluence LDAP integation
Directory Type: Microsoft Active Directory
Hostname: dc01.domain.net
Port: 389 no SSL
Username: admin@domain.net
Password: ********
Copy User on Logon: YES
Default Group Membership: confluence_users not from the AD
Synchronize Group Memberships: YES
Base DN: DC=domain,DC=net
User Name Attribute: sAMAccountName
Skipping Advanced Settings
Additional User DN: blank
User Object Class: user
User Object Filter: (&(objectCategory=Person)(sAMAccountName=*))
User Name RDN Attribute: cn
User First Name Attribute: givenName
User Last Name Attribute: sn
User Display Name Attribute: displayName
User Email Attribute: mail
Additional Group: OU=Confluence,OU=Groups,OU=Common
Group Object Class: group
Group Object Filter: (objectCategory=Group)
Group Name Attribute: cn
Group Description Attribute: description
Group Members Attribute: member
User Membership Attribute: memberOf
Use the User Membership Attribute: No, when finding the user's group membership
How can I best change this to make it work fully with the AD? Perhaps, do I need to make some changes to the AD?
Thank you in advance.
Hi Daniel,
As far as I understand, you have configured Confluence with several "user directories", but in fact they all are the same LDAP server with different configurations, one for each country (thus a different branch in the LDAP tree) and different groups.
Use only one MS-AD user directory, connecting to domain.net/
and filtering for users belonging to (AR-Read) OR (SE-Read) OR (ES-Read) .... in the userObjectFilter option ...
The only tricky part is the LDAP and/or syntax.
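
The and/or syntax mentioned in this answer, and the `memberOf` filter from the earlier one, as an added example that is not part of the original posts: it builds one User Object Filter that OR-combines group memberships, escapes each group DN per RFC 4515, and evaluates the result against constructed user entries from different country OUs. The `CN=<group>` naming under `OU=Confluence,OU=Groups,OU=Common`, the sample users, the group `Ops (ES)` and all function names are assumptions.

```python
import re

BASE_DN = "DC=domain,DC=net"                    # Base DN from the thread
GROUP_OU = "OU=Confluence,OU=Groups,OU=Common"  # Additional Group DN from the thread

def escape_filter_value(value):   # RFC 4515: hex-escape \ * ( ) and NUL
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def group_dn(cn):
    # Assumption: CN=<name> directly under GROUP_OU; DN metacharacters are rejected, not escaped.
    if not cn or cn != cn.strip() or re.search(r'[,+"\\<>;=#]', cn):
        raise ValueError("unsupported group name: %r" % cn)
    return "CN=%s,%s,%s" % (cn, GROUP_OU, BASE_DN)

def user_object_filter(group_names):
    """One User Object Filter: person accounts that are direct members of ANY listed group."""
    ors = ''.join('(memberOf=%s)' % escape_filter_value(group_dn(n)) for n in group_names)
    return '(&(objectCategory=Person)(sAMAccountName=*)(|%s))' % ors

def matches(filt, entry):
    """Evaluate the filter subset used here (&, |, equality, presence) against one entry."""
    def parse(i):                       # filt[i] is the '(' that opens a component
        i += 1
        if filt[i] in '&|':
            op, i, results = filt[i], i + 1, []
            while filt[i] == '(':
                result, i = parse(i)
                results.append(result)
            return (all(results) if op == '&' else any(results)), i + 1
        end = filt.index(')', i)        # safe: ')' inside values is escaped as \29
        attr, _, raw = filt[i:end].partition('=')
        values = [v.lower() for v in entry.get(attr, [])]
        if raw == '*':
            return bool(values), end + 1
        want = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)
        return want.lower() in values, end + 1
    return parse(0)[0]

def user(name, country, *groups):   # constructed sample entry; the DN shows the country OU
    return {"dn": ["CN=%s,OU=Users,OU=%s,%s" % (name, country, BASE_DN)],
            "objectCategory": ["Person"], "sAMAccountName": [name],
            "memberOf": [group_dn(g) for g in groups]}
USERS = [user("anna", "SE", "SE-Read"), user("carlos", "AR", "AR-Write"),
         user("luc", "FR"), user("eva", "ES", "Ops (ES)")]

def allowed(group_names):
    filt = user_object_filter(group_names)
    return [u["sAMAccountName"][0] for u in USERS if matches(filt, u)]
```

`allowed(["SE-Read", "AR-Write"])` returns the sample accounts the filter would admit, regardless of which country OU they sit in. `memberOf` holds direct memberships only, so a user who reaches a group through a nested group does not match this filter.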