LDAP integration via Active Directory

Daniel Fernandez November 24, 2013

Hi!

We have an Active Directory where we have a lot of users but separated in different countries like SE, FR, IT, ES, AR.

The AD looks like this.

domain.net
  AR
    Users
  ES
    Users
  SE
    Users


and so on.

The groups created for the use of Confluence we have placed in the AD.

domain.net
  Common
    Groups
      AR-Read
      AR-Write
      ES-Read
      ES-Write
      SE-Read
      SE-Write


And in each Group we have the right members.


So, my question is if it is possible to make ONE LDAP to Microsoft Active Directory.
I have set up several LDAPs under User directories which fetch information every 60 minutes.
Do I really need to import the users into Confluence, which the LDAPs do?

Can someone explain this to me really simple :)

Thank you very much in advance.

4 answers

0 votes
vijayalakshmi February 18, 2016

Hi Alex/Danial,

I am trying to integrate HipChat server with LDAP but I am facing some issues mentioned below:

- HipChat is detecting the group and its members only when the account used is a member of any group and the other members belong to the same OU we have pointed to.

Ex: HipChat is detecting a group named "Hipchat" but only retrieving 2 members instead of the actual 5 because the other 3 out of 5 belong to a different OU.

We would like to achieve the below:

- HipChat must detect the group and also its members belonging to other OUs.

Ex: Consider 3 OUs BLR, CHN and SHN, and we pointed to only the SHN OU in the HipChat directory. So SHN contains a group named 'XYZ', and XYZ has members from BLR and CHN as well.

HipChat must detect/sync members from BLR and CHN as well if they are members of the XYZ group placed in SHN.

Is the above mentioned possible?

Regards,

Vijayalakshmi

0 votes
Alex Perez
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 25, 2013

First, ensure that the tree in your AD is:

domain.net/
  => OU=Users
       => OU=SE ...
       => OU=AR ...
       => OU=ES ...

If so, you can simplify Additional User DN to OU=Users, as long as all your users are defined under this node.

If you want to limit login of users to members of any of the groups (AR-Read, AR-Write ... etc), you can use the user Object Filter set to:

(&(&(objectCategory=Person)(sAMAccountName=*))(&(|(memberOf=XXX)(memberOf=YYYY))))

0 votes
Daniel Fernandez November 25, 2013

Hi Alex!

Thank you for your reply.

Yes, I've set up Confluence with several user directories but only want to use one.
I have several OUs in the AD

OU=Users, OU=SE
OU=Users, OU=AR
OU=Users, OU=FR

and so on.

We have also created several groups in:

OU=Confluence,OU=Groups,OU=Common

All the groups are in there and imported into Confluence when running/synchronizing the LDAP.

If I understand you correctly Alex, it is possible to do some sort of filter on the user side if they belong in any of the groups.

Is it also possible to import/add only groups belonging in an OU?

Here is what my LDAP setup looks like.
-----------------------------------------------------------------------------------------

Name: Confluence LDAP integration
Directory Type: Microsoft Active Directory
Hostname: dc01.domain.net
Port: 389 no SSL
Username: admin@domain.net
Password: ********
Copy User on Logon: YES
Default Group Membership: confluence_users (not from the AD)
Synchronize Group Memberships: YES

Base DN: DC=domain,DC=net
User Name Attribute: sAMAccountName

Skipping Advanced Settings

Additional User DN: blank
User Object Class: user
User Object Filter: (&(objectCategory=Person)(sAMAccountName=*))
User Name RDN Attribute: cn
User First Name Attribute: givenName
User Last Name Attribute: sn
User Display Name Attribute: displayName
User Email Attribute: mail

Additional Group: OU=Confluence,OU=Groups,OU=Common
Group Object Class: group
Group Object Filter: (objectCategory=Group)
Group Name Attribute: cn
Group Description Attribute: description


Group Members Attribute: member
User Membership Attribute: memberOf
Use the User Membership Attribute: No, when finding the user's group membership


How can I best change this to make it work fully with the AD? Perhaps I need to make some
changes to the AD?

Thank you in advance.




0 votes
Alex Perez
Rising Star
November 25, 2013

Hi Daniel,

As far as I understand, you have configured confluence with several "user directories", but in fact they all are the same ldap server with different configurations, one for each country (thus a different branch in the ldap tree) and different groups.

Use only one MS-AD user directory, connecting to domain.net/

and filtering for users belonging to (AR-Read) OR (SE-Read) OR (ES-Read) .... in the userObjectFilter option ...

The only tricky part is the ldap and/or syntax
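Added example (not code from the original posts, from Atlassian, or from either poster) illustrating the two points in Alex's answers: the "member of any of these groups" User Object Filter, and the LDAP and/or syntax behind it. It builds the filter from a list of group DNs with RFC 4515 escaping (so a group name containing parentheses or `*` cannot change the filter's structure), parses the nested and/or syntax, and evaluates the result against a few constructed AD-like entries spread over different country OUs, which also shows that a search from the domain Base DN picks up group members whatever OU they sit in. The group DNs, user entries, and the short-name `objectCategory` values are constructed sample data; the evaluator is a toy, not an LDAP client.

```python
# Added example for this thread (not code from the original posts or from
# Atlassian). All DNs and accounts below are constructed sample data.
import re

# Constructed group DNs following the OU layout described in the thread.
GROUPS_OU = "OU=Confluence,OU=Groups,OU=Common,DC=domain,DC=net"
SE_READ = "CN=SE-Read," + GROUPS_OU
AR_WRITE = "CN=AR-Write," + GROUPS_OU


def escape_filter_value(value):
    """RFC 4515 escaping: '(', ')', '*', '\\' and NUL become \\XX hex escapes.

    '=' and ',' in a DN are fine; the escaped characters are the ones that
    could otherwise break or widen the filter (LDAP filter injection).
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(group_dns):
    """Person-with-account filter restricted to members of any listed group.

    Same meaning as the nested filter in the answer; its extra (&...) wrappers
    are redundant, so the flat form is emitted here.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    terms = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    return "(&(objectCategory=Person)(sAMAccountName=*)(|%s))" % terms


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality and presence (=*)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, children), i + 1
        # A literal ')' always closes a simple item: escaped values use \29.
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr, value), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # LDAP attribute names and DN values compare case-insensitively.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(values)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in values)


def search(filter_text, entries):
    """Return the sAMAccountName (or DN when absent) of every matching entry."""
    node = parse_filter(filter_text)
    return [e.get("sAMAccountName", [e["dn"]])[0] for e in entries if matches(node, e)]


# Constructed entries: users in different country OUs, one user in no
# Confluence group, and a contact (no sAMAccountName) that is a group member.
SAMPLE_ENTRIES = [
    {"dn": "CN=Anna,OU=Users,OU=SE,DC=domain,DC=net", "objectCategory": ["Person"],
     "sAMAccountName": ["anna"], "memberOf": [SE_READ]},
    {"dn": "CN=Bruno,OU=Users,OU=AR,DC=domain,DC=net", "objectCategory": ["Person"],
     "sAMAccountName": ["bruno"], "memberOf": [AR_WRITE]},
    {"dn": "CN=Carla,OU=Users,OU=FR,DC=domain,DC=net", "objectCategory": ["Person"],
     "sAMAccountName": ["carla"], "memberOf": []},
    {"dn": "CN=Vendor Contact,OU=Contacts,OU=Common,DC=domain,DC=net",
     "objectCategory": ["Person"], "memberOf": [SE_READ]},
]
```

Running `search(build_user_filter([SE_READ, AR_WRITE]), SAMPLE_ENTRIES)` returns the SE and AR users only, although they live in different OUs, because the scope comes from the Base DN, not from the group's OU; the `(sAMAccountName=*)` presence test is what keeps the contact object out, so it is worth keeping even when a group filter is added.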
