We have a system with 500+ users using the Confluence Internal Directory. After adding a Delegated LDAP authentication directory method we find that users are still authenticated against the internal directory. This occurs regardless of the position of the directories in the list.
Please advise on how to force existing users to be LDAP authenticated.
I was able to successfully migrate from Internal Directory to Delegated LDAP with the following procedure. This may very well work for moving users between other directory methods but I was only interested in this case.
update cwd_user
  set directory_id = (select id from cwd_directory where directory_name = 'Delegated LDAP Authentication'),
      credential = NULL  -- drop the stored internal password hash for moved users
  where directory_id = (select id from cwd_directory where directory_name = 'Confluence Internal Directory')
    and not user_name like '%admin%'
    and not user_name like '%remote%'
    and not user_name like '%test%';

This sql omits conversion of usernames containing 'admin', 'remote', or 'test'. It is important that at least one username still resides in the internal directory so you can still log in after this step. You can see the names of the directory_name options with this sql:
select id,directory_name from cwd_directory;
-- export internal-directory group memberships (MySQL INTO OUTFILE)
SELECT cu.lower_user_name, cg.lower_group_name
  FROM cwd_user cu
  JOIN cwd_membership cm ON cu.id = cm.child_user_id
  JOIN cwd_group cg ON cm.parent_id = cg.id
  WHERE cu.directory_id = (select id from cwd_directory where directory_name = 'Confluence Internal Directory')
    AND cg.directory_id = (select id from cwd_directory where directory_name = 'Confluence Internal Directory')
  INTO OUTFILE '/tmp/groups.csv'
  FIELDS TERMINATED BY ',' ENCLOSED BY ''
  LINES TERMINATED BY '\n';

Note that you do not need to install the CLI plugin in confluence but you do need to unzip it to access the confluence.sh script.
The above worked for me. Hopefully it can help someone else. Step 4 seems to be what is missing from the documentation anywhere. Someone from Atlassian suggested this approach with 'no guarantees'.
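The update in the answer above is destructive: it rewrites directory_id for hundreds of rows and nulls the stored password hashes, and it is only recoverable from a backup once committed. The following is an added example (not from the original post, and not an Atlassian-supplied procedure) that wraps the same move in a transaction and adds the checks a practitioner would want before committing: a before/after count per directory, and a confirmation that at least one active account is still in the internal directory so you do not lock yourself out. It assumes MySQL/MariaDB (the INTO OUTFILE in the post implies that), the two directory names shown on the page, and the cwd_user.active column referenced in the reply below ('T'/'F').

```sql
-- Added example: transaction-wrapped migration with pre/post checks.
-- Assumes MySQL/MariaDB and the directory names used in the post.
-- Take a full database backup before running any of this.

START TRANSACTION;

-- Resolve both directory ids once instead of repeating the subquery.
SET @internal_dir = (SELECT id FROM cwd_directory
                      WHERE directory_name = 'Confluence Internal Directory');
SET @ldap_dir     = (SELECT id FROM cwd_directory
                      WHERE directory_name = 'Delegated LDAP Authentication');

-- Abort early if either directory name was mistyped (both must resolve).
SELECT @internal_dir AS internal_dir_id, @ldap_dir AS ldap_dir_id;

-- Baseline: how many active/inactive users live in each directory right now.
SELECT directory_id, active, COUNT(*) AS n
  FROM cwd_user
 GROUP BY directory_id, active;

-- Move everyone except the break-glass accounts. Setting credential to NULL
-- removes the internal password hash, so a moved user cannot fall back to a
-- stale local password; authentication now has to succeed against LDAP.
UPDATE cwd_user
   SET directory_id = @ldap_dir,
       credential   = NULL
 WHERE directory_id = @internal_dir
   AND user_name NOT LIKE '%admin%'
   AND user_name NOT LIKE '%remote%'
   AND user_name NOT LIKE '%test%';

-- Lock-out guard: at least one ACTIVE account must remain in the internal
-- directory. If this returns no rows, run ROLLBACK instead of COMMIT.
SELECT user_name, active
  FROM cwd_user
 WHERE directory_id = @internal_dir
   AND active = 'T';

-- Post-change counts for comparison with the baseline above.
SELECT directory_id, active, COUNT(*) AS n
  FROM cwd_user
 GROUP BY directory_id, active;

-- Decide explicitly after reviewing the guard query:
-- COMMIT;
-- ROLLBACK;
```

Leaving COMMIT and ROLLBACK commented out is deliberate: the guard query has to be read by a human before the change becomes permanent. Run this with the application stopped or immediately restart Confluence afterwards, since the application caches directory data and may not notice rows changed underneath it until it reloads.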
Hi Glenn, by right if the delegated LDAP is on top, you should be able to login against LDAP directory. There's some possibility that the user is inactive. Please try to run the following query.
SELECT * FROM cwd_user WHERE user_name = '<username>'
Please do change <username> to the relevant user name, and check the active field whether it's set to T or F.
Evidently the problem is that the users already exist in the internal directory from the N years before we attempted to enable Delegated LDAP. From what I'm learning, this means that only new users will be LDAP authenticated but all existing users will be internal directory authenticated. Not exactly what you'd expect by putting LDAP at the top of the list.