Troubleshooting Dynamic Groups

Dynamic Groups use LDAP user attributes to define shadow groups. These shadow groups do not appear in the Administration Console, so troubleshooting them means running LDAP searches directly.

Several LDAP server features affect how user attribute searches match. The Java JNDI API also limits search behavior. Consult your LDAP server documentation for specifics.

How User Attributes Match 

An LDAP user attribute is a name=value pair, where one name can point to zero or more values. Here are some LDAP attribute behaviors to consider.

  • The name or value is case sensitive.
    • The value is often case sensitive.
    • title:programmer is not the same as title:Programmer.
  • The name has more than one value.
    • In this case, the plugin only compares name to the value it must match.
    • The plugin ignores any other values.
    • ou:Marketing may match even though another ou=Employees exists for the same user.
  • The user DN pseudo-attributes are limited by the plugin.
    • The plugin requires the user DN name to be dn.
    • Version 2 of the plugin does a qualified LDAP search, (attribute:dn:=value).
    • The pseudo-attribute ou:People has the search (ou:dn:=People).

LDAP Searches for Troubleshooting

These LDAP searches demonstrate how to troubleshoot Dynamic Groups. The examples use the OpenLDAP command ldapsearch.

The LDAP search needs to be the same as the one Confluence will use. Set the baseContext and baseUserNamespace to match the atlassian-user.xml file. Also, the search filter must logically AND the userSearchFilter with the Dynamic Group filter.

For the examples, use these atlassian-user.xml settings:

  • baseContext: dc=server,dc=com
  • baseUserNamespace: dc=server,dc=com
  • userSearchFilter: (objectClass=inetorgperson)

Example Searches

To find the group title:Programmer, all users whose title is Programmer, write this search.

  • ldapsearch -b dc=server,dc=com '(&(objectClass=inetorgperson) (title=Programmer))'

To find all users who have telephoneNumber group membership, write this search.

  • ldapsearch -b dc=server,dc=com '(&(objectClass=inetorgperson) (telephoneNumber=*))'

To find all users in the organizational unit group ou:Marketing, write this user DN search. Notice the colons after the attribute term and the dn.

  • ldapsearch -b dc=server,dc=com '(&(objectClass=inetorgperson) (ou:dn:=Marketing))'
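
The three searches above can also be generated from the atlassian-user.xml settings instead of being typed by hand. The script below is an added example, not part of the plugin or the original page; the function names and the attr/dn/present mode argument are assumptions made for the script, and values are escaped per RFC 4515 so that characters such as parentheses or * in a group value are matched literally.

```shell
#!/bin/sh
# Added example: build the LDAP filter for a Dynamic Group check.
# Settings are the sample atlassian-user.xml values used on this page.
BASE_CONTEXT='dc=server,dc=com'
USER_SEARCH_FILTER='(objectClass=inetorgperson)'

# Escape characters that are special inside an LDAP filter value (RFC 4515),
# so a value such as "R&D (Sydney)" cannot change the shape of the filter.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# dyn_group_filter MODE NAME [VALUE]
#   attr    NAME VALUE -> (NAME=VALUE)      ordinary attribute match
#   dn      NAME VALUE -> (NAME:dn:=VALUE)  user DN pseudo-attribute match
#   present NAME       -> (NAME=*)          user has the attribute at all
# MODE is a hypothetical switch for this script, not a plugin setting.
dyn_group_filter() {
    mode=$1 name=$2
    case $name in
        ''|*[!A-Za-z0-9.-]*) echo "bad attribute name: $name" >&2; return 1 ;;
    esac
    case $mode in
        attr)    term="($name=$(escape_filter_value "$3"))" ;;
        dn)      term="($name:dn:=$(escape_filter_value "$3"))" ;;
        present) term="($name=*)" ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # AND the userSearchFilter with the Dynamic Group term.
    printf '(&%s%s)\n' "$USER_SEARCH_FILTER" "$term"
}

# Run the search against the directory (not called here, so the script
# works offline; connection and bind options are left out as on this page).
run_search() {
    filter=$(dyn_group_filter "$@") || return 1
    ldapsearch -b "$BASE_CONTEXT" "$filter"
}

# Print the filters for the three example groups and one constructed value.
dyn_group_filter attr title Programmer
dyn_group_filter present telephoneNumber
dyn_group_filter dn ou Marketing
dyn_group_filter attr ou 'R&D (Sydney)'
```

Compare the printed filter with the one in the LDAP server's access log when Confluence resolves the group; a difference in case or in the :dn: qualifier usually explains an empty group.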