Skip to end of metadata
Comment: Corrected links that should have been relative instead of absolute.
Go to start of metadata
This documentation is out of date

Please refer to the latest documentation on Understanding User Management in Confluence and Connecting to an LDAP Directory.

Instructions here relate to use of the command line 'ldapsearch' utility to check that mappings between Atlassian User and your LDAP system are correct.

Mappings between LDAP and Atlassian User.

Here is an explanation of each property in the atlassian-user.xml file.

Property Key

Example Value

Description

Link

baseUserNamespace

ou=users

This namespace should identify your DIT's (Directory Information Tree) base context holding user accounts. This is absolute, not relative to baseContext.

see below

baseGroupNamespace

ou=groups

This namespace should identify your DIT's base context holding groups. This is absolute, not relative to baseContext.

see below

userSearchAllDepths

false

true to search all subtrees beneath baseUserNamespace, false to search one level beneath it only

see below

groupSearchAllDepths

false

true to search all subtrees beneath baseGroupNamespace, false to search one level beneath it only

see below

usernameAttribute

uid

This attribute should identify the RDN (Relative Distinguished Name) of the user entry

see below

groupnameAttribute

gid

This attribute should identify the RDN of the group entry

see below

firstnameAttribute

givenname

This attribute should identify the first name of the user

see below

surnameAttribute

sn

This attribute should identify the surname of the user

see below

emailAttribute

mail

This attribute should identify the email address of the user

see below

membershipAttribute

atlassianGroupMemberOf

This attribute should identify which groups the user belongs to.

see below

userSearchFilter

(objectClass=inetorgperson)

This property represents an additional search filter ANDed to each query for a user (see RFC 2254)

see below

groupSearchFilter

(objectClass=group)

This property represents an additional search filter ANDed to each query for a group (ibid)

see below

Also read below to learn how to specify a group adaptor, LDAP user and group factories, and a LDAP user searcher.

Converting Special Characters

There are 5 special characters that you must escape when saving search filters to the atlassian-user.xml file.

LDAP Character

XML Equivalent

Description

<

&lt;

less than

>

&gt;

greater than

&

&amp;

ampersand

'

&apos;

apostrophe

"

&quot;

quotation mark

User Mappings

1. Identifying the baseUserNamespace and the userSearchAllDepths mappings

The baseUserNamespace indicates the top level of a tree in your LDAP system which holds your users. The userSearchAllDepths property can either be set to true or false. True indicates that only the level directly beneath the baseUserNamespace should be searched, false indicates that all additional sub-levels of the tree should be searched.

For example, if you wanted to include users beneath 'cn=contractors,cn=employees,cn=acme,cn=org' and users beneath 'cn=permanent,cn=employees,cn=acme,cn=org' in an Atlassian application you would specify a baseUserNamespace of 'cn=employees,cn=acme,cn=org' with a userSearchAllDepths value of 'true'. Otherwise, if all users are grouped in one level of your tree, set userSearchAllDepths to false.

Searching for all users with search depth scope of entire subtree

Would lead to the following values for baseUserNamespace , userSearchAllDepths, and usernameAttribute:

Searching for all users with search depth scope of one

Would lead to the following values for baseUserNamespace and userSearchAllDepths:

Here, also, the usernameAttribute property is identified as being 'cn'. The property mapping therefore becomes

2. Identifying the userSearchFilter

The userSearchFilter allows for an extra condition to be placed on search results. This is useful if a search on the baseUserNamespace is returning results which will not equate to User objects. Use it to specify a search criteria which will identify users.

Here, we specify userSearchFilter as '(objectClass=inetorgperson)'. That is, we are saying our users are identified by an objectClass of inetorgperson (given our search result above, we could have also used organizationalPerson or person). Please note that inetorgperson is an LDAP objectClass. It does not exist in Active Directory. You will need to specify a different class if using AD.

3. Identifying the firstnameAttribute, surnameAttribute, and emailAttribute

As with the identification of username property search above, similar mappings can be found for firstnameAttribute, surnameAttribute, and emailAttribute.

Group Related Mappings

4. Identifying the groupnameAttribute and the baseGroupNamespace mappings

The tactic here is similar identifying the baseUserNamespace and userSearchAllDepths attributes.

It is assumed that groups are entries in their own right within your LDAP system. If groups exist by virtue of being listed against user entries, or in some other way, please raise a support request to discuss an integration plan.

The baseGroupNamespace indicates the top level of a tree in your LDAP system which holds groups. As with userSearchAllDepths, setting groupSearchAllDepths to true instructs the search function to traverse all available subtrees beneath the baseGroupNamespace. Set it to false if all of your groups are contained in the level indicated by baseGroupNamespace.

Static vs Dynamic Groups

Dynamic group configuration is not supported as it is not currently tested. Please see USER-105 for related discussions.

Groups are generally one of two types in LDAP systems - static or dynamic. A static group maintains its own membership list. A dynamic group records its membership on a user entry.

Here is an example of a search on an OpenLDAP DIT (Data Information Tree), which stores static groups.

Example of a ldapsearch on baseGroupNamespace of static groups

The baseGroupNamespace is identified as being 'ou=groups,dc=atlassian,dc=private', the groupSearchAllDepths is 'false', and the groupnameAttribute as being 'cn':

Here is an example of a search on an Apache Directory Server DIT (Data Information Tree), which stores dynamic groups.

Example of a ldapsearch on baseGroupNamespace of dynamic groups

Here the baseGroupNamespace is 'ou=groups', groupNameAttribute is 'cn', and groupSearchFilter is false.

You will notice that for the baseGroupNamespace I drop the full path: <ou=groups,ou=system> . This is just for convenience with ApacheDS. Whereas OpenLDAP requires the baseGroupNamespace mapping to be the full DN of the node, ApacheDS uses the baseContext property specified in connection.properties to complete it.

5. Identifying the groupSearchFilter filter.

As with the userSearchFilter property, the groupSearchFilter allows you to specify an added search criteria to all search results. This is useful if your baseGroupNamespace holds data which cannot be modelled into a Group alongside data which can be.

Please see the discussion on userSearchFilter for an example of how to build this property.

The default value for this filter is (objectClass=groupOfNames). If you are using Active Directory, please change it to (objectClass=group) or select another objectClass that exists in your instance

Membership Mappings

6. Identifying a membership attribute

There are two requirements for membership mappings to work.

  1. The membership value must carry the DN of the user or group, for static and dynamic groups respectively.
  2. The search for membership is constructed by using the username or groupname, for static or dynamic groups, attribute and attribute value, along with the the baseContext. If these values do not match membership will not work.

The membershipAttribute property can be identified via the same search which identified the baseGroupNamespace . On a static group, an attribute will be present to identify a membership list.

For example, in the search result below, the membershipAttribute is 'member'.

Whereas, in the example for dynamic above, the membershipAttribute is not on the group but, instead, on the user:

Search result showing dynamic group membership

Labels:
None
Edit Labels

12 Comments

Hide/Show Comments

  1. Feb 08, 2006

    Amos Gouaux

    Is there any significant performance differences between static and dynamic groups?

    1. Feb 17, 2006

      Andrew Miller

      As far as Confluence is concerned, it should just be an LDAP query so performance would really be dependent on your LDAP directory (some directories are faster with static groups than dynamic groups).

  2. May 24, 2006

    YL

    Does this LDAP integration support nested group? I guess I need to set groupSearchAllDepths to true? If I have group AB nested under group A, will member in group AB be recognized as a member of group A?

    1. Aug 10, 2006

      David Soul [Atlassian]

      Sorry, nested groups are not supported, so group AB is not recognised as a member of A. You'll need to set groupSearchAllDepths to true.

  3. Feb 23, 2011

    Michael Redinger

    This document explains in detail the difference between static and dynamic groups.

    However, Connecting to an LDAP Directory says that static groups are needed.

    I found a JIRA issue which basically says that only static groups are suppported, but that dynamic groups should work somehow, too: http://jira.atlassian.com/browse/USER-105

    So: Do dynamic groups work, although there seems to be no documentation except this page? And if yes, could someone give a quick example on how to use them?

    1. Oct 22, 2007

      John Allen

      Yes dynamic groups work

  4. Aug 16, 2007

    David Peterson [CustomWare]

    Wow. This page is really hard to digest. In particular, it is really hard to understand how to get Confluence to use dynamic groups. Could the page be rearranged so that the static group instructions are together, and the dynamic group instructions are together. At the moment they are spread all over the place.

    Also, it is really unclear how to specify that it should be getting group membership from the user (aka dynamic groups), as opposed to the group. The only clue above is the 'membershipAttribute=atlassianGroupMemberOf' entry above, which doesn't seem to relate to the example above it at all. What is this mysterious 'atlassianGroupMemberOf'? Is it a special attribute name which tells Atlassian User that it should use the user's 'memberOf' attribute to determine group membership? Or something else?

  5. Nov 16, 2007

    senthilraja

    Hi,

     We have a requirement, where we have multiples of DL groups nested in multiple order.

    When we assign group permissions to a space, we require that even if the users belong to one of the sub-level groups, should be authenticated.

    Will groupSearchAllDepths solve the problem?

  6. Feb 08, 2008

    John Allen

    Are there any plans for adding support for pulling XMPP ids out of LDAP? Bamboo would obviouslybenefit

  7. Mar 28, 2008

    Nick Campbell

    I have a couple of questions.

    The first is, does this support multiple group types in the same system? If so, how do we specify in the xml that groups can be dynamic or static?

    My next question is with the dynamic groups. We have a few of them. Our dynamic groups are done with an actual search using the ldap protocol "ldap://<server>...(objectclass=*)". While thats an example, it's similar to how we have dynamic groups. Does confluence handle this kind of dynamic group setup or do the users need to have a specific attribute on their object where the values are their groups?

    Let me know, thanks!

    - Nick 

  8. Dec 05, 2008

    Stephen Edwards

    So, this document is not very good, but I did manage to figure out how to make dynamic LDAP groups work. (Using 2.9.2 Standalone).

    First of all as http://jira.atlassian.com/browse/USER-105 explains, you need to add a class to your atlassian-user.xml. So, inside of the <ldap> tags add this:

    Next, the example above of a user query in a dynamic group LDAP is wrong. Here's what the query results should look like:

    This means that in atlassian-user.xml you want:

    In this example my user account would then be recognized as a member of the helpdesk rbsgroup.
    One other thing that I ran into was the groupSearchFilter, if you are unsure on this one set it to:

    I hope that helps clarify.
    -Steve

  9. Jun 07, 2010

    sam

    I was working on importing data from our old mantis system to Jira. Which was successfully done. My question now is how can I map mantis user to our ldap account user??

    Do let me know if anyone has an idea about it.