How to prevent confluence-administrators group from synchronizing with an external LDAP Directory?
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
You need to prevent the confluence-administrators group from being synchronized from your LDAP directory, as it conflicts with your current Confluence administration team members.
Environment
Some companies may have Confluence instances managed by different teams. If the confluence-administrators group is created in an LDAP Directory (Connector or Delegated type), it will automatically be synchronized to Confluence, which will allow admins from one team to manage instances from other teams.
Diagnosis
After configuring LDAP Directories in Confluence, you notice two confluence-administrators groups, with different memberships, when accessing the Groups administrative panel.
Cause
- The confluence-administrators group name is reserved. An administrator cannot assign a different group to have full administrator rights on an instance. More details in Confluence Groups for Administrators
- Aggregating Membership, enabled by default, considers a union of the confluence-administrators groups from all Directories for memberships. More details in Managing Multiple Directories
Solution
Currently it is not possible to use another name, or to create another group to replace the confluence-administrators one, due to CONFSERVER-4616.
Workaround
You may prevent the confluence-administrators group in LDAP from synchronizing by using the following LDAP filter in the Group Object Filter, in the User Directory configuration:
(&(objectCategory=Group)(!(cn=confluence-administrators)))
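
To see which groups this filter still lets through before saving it, the following added example (not Atlassian's code) evaluates the filter against constructed group entries. It assumes case-insensitive matching for cn and objectCategory, as in Active Directory, and handles only the AND, OR, NOT and equality forms; the function names and sample entries are hypothetical.

```python
# Added example: evaluates the workaround filter offline on constructed entries.
WORKAROUND = "(&(objectCategory=Group)(!(cn=confluence-administrators)))"

# Constructed sample entries (attribute names lower-cased), not real directory data.
ENTRIES = [
    {"cn": ["confluence-administrators"], "objectcategory": ["group"]},
    {"cn": ["Confluence-Administrators"], "objectcategory": ["group"]},  # case variant
    {"cn": ["confluence-users"], "objectcategory": ["group"]},
    {"cn": ["confluence-administrators-emea"], "objectcategory": ["group"]},
    {"cn": ["jdoe"], "objectcategory": ["person"]},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in ("&", "|"):
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i] == "!":
        kid, i = parse(f, i + 1)
        node = ("!", kid)
    else:  # equality match: attr=value
        end = f.index(")", i)
        attr, _, value = f[i:end].partition("=")
        node, i = ("=", attr.lower(), value.lower()), end
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Return True if the entry satisfies the parsed filter node."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    return any(v.lower() == value for v in entry.get(attr, []))

def synced_groups(filter_text, entries):
    """List the cn of every entry the Group Object Filter would return."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(tree, e)]
```

The filter excludes only an exact, case-insensitive match on cn, so a similarly named group such as the constructed confluence-administrators-emea entry is still synchronized.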