LDAP Nested Groups Fail Due to BaseDN and FQDN mismatch
Nested group memberships are not reflected in Confluence, even though the directory configuration looks correct and the nesting is set up properly in LDAP.
Compare the LDIF exports of the groups and users involved with the Directory Configuration Summary from
Confluence Admin >> User Directories >> Directory Configuration Summary. Make sure that the LDAP attributes are mapped correctly, especially the membership, username and group name attributes, and that the Nested Groups option is turned on. If none of that reveals the problem, enable DEBUG logging for the com.atlassian.crowd, com.atlassian.crowd.directory and com.atlassian.crowd.embedded packages in
Confluence Admin >> Logging and Profiling. See Configuring Logging.
Then synchronise the directory again and, once the sync has completed, search the logs for lines like the following:
2012-06-18 18:27:27,424 DEBUG [scheduler_Worker-10] [atlassian.crowd.directory.SpringLDAPConnector] findEntityByDN Entity DN <cn=exampleGroup,dc=Example,dc=com> is outside the entity base DN subtree scope <dc=example,dc=com>
The cause is a case mismatch between the Base DN configured for the directory in
Confluence Admin >> User Directories and the group's actual DN (as shown in the LDIF export).
In the example above, the group's DN is
cn=exampleGroup,dc=Example,dc=com , while the configured Base DN is
dc=example,dc=com (note the capital 'E' in the group's DN versus the lower-case 'e' in the Base DN). LDAP itself treats dc values as case-insensitive, so the directory server happily returns the group, but the naive DN match compares the two strings as they are, decides that the group lies outside the Base DN subtree and drops it, along with the nested memberships that depend on it.
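To spot the mismatch before changing anything in Confluence, the following added example (written for this page, not Atlassian's or Crowd's own code) runs both comparisons over an LDIF export. The sample LDIF, the helper names and the two comparison modes are assumptions: `naive=True` stands in for an exact, case-sensitive string comparison of the kind the "Naive DN Matching" option is named for, and `naive=False` for a normalized comparison that ignores case the way LDAP does for dc, ou and cn values. Point `audit()` at your own export and the Base DN from the Directory Configuration Summary.

```python
import re

# Constructed sample LDIF export (not from the page): groups whose DNs use
# "dc=Example" while the users underneath them use "dc=example", plus one
# member that really is outside the subtree.
SAMPLE_LDIF = """\
dn: cn=exampleGroup,dc=Example,dc=com
objectClass: groupOfNames
cn: exampleGroup
member: cn=alice,ou=people,dc=example,dc=com
member: cn=nestedGroup,dc=Example,dc=com

dn: cn=nestedGroup,dc=Example,dc=com
objectClass: groupOfNames
cn: nestedGroup
member: cn=bob,ou=people,dc=example,dc=com
member: cn=contractor,dc=other,dc=com
"""

# Attributes whose values are DNs of other entries (assumed names).
MEMBER_ATTRS = ("member", "uniqueMember", "memberOf")


def parse_ldif(text):
    """Minimal LDIF reader: one (dn, {attr: [values]}) per blank-line-separated
    record. Handles plain 'attr: value' lines only (no base64 '::' values and
    no line continuations), which is enough for a group/user export."""
    entries = []
    for record in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in record.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            attr, value = attr.strip(), value.strip()
            if attr.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def rdns(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Canonical form for comparison: attribute types and values lower-cased,
    whitespace around '=' removed. dc, ou and cn all use case-ignoring
    matching rules in LDAP, so for DNs built from them this is what the
    server itself treats as equal."""
    out = []
    for rdn in rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def in_subtree(dn, base_dn, naive):
    """True if dn sits at or below base_dn. naive=True compares the trailing
    RDNs as raw, case-sensitive strings; naive=False compares normalized DNs."""
    if not naive:
        dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def audit(ldif_text, base_dn):
    """Classify every entry DN and member DN in the export against base_dn.
    'case_mismatch': inside the subtree once normalized but rejected by the
    naive comparison, i.e. the DNs the Crowd log reports as outside the entity
    base DN subtree scope. 'outside': not in the subtree at all, which no
    change of casing will fix."""
    report = {"case_mismatch": [], "outside": []}
    seen = set()
    for dn, attrs in parse_ldif(ldif_text):
        candidates = [dn]
        for attr in MEMBER_ATTRS:
            candidates.extend(attrs.get(attr, []))
        for cand in candidates:
            if cand in seen:
                continue
            seen.add(cand)
            if not in_subtree(cand, base_dn, naive=False):
                report["outside"].append(cand)
            elif not in_subtree(cand, base_dn, naive=True):
                report["case_mismatch"].append(cand)
    return report


if __name__ == "__main__":
    for base in ("dc=example,dc=com", "dc=Example,dc=com"):
        print(f"Base DN {base}: {audit(SAMPLE_LDIF, base)}")
```

With the Base DN as configured (dc=example,dc=com) the two groups land in case_mismatch, exactly the entries the DEBUG line above complains about, while the users match. The second run, with the Base DN recased to dc=Example,dc=com, shows the caveat with fixing the casing instead of the setting: the groups now match, but the users created under dc=example are the ones rejected. Recasing the Base DN only helps when every entry in the subtree uses the same casing; if groups and users differ, turn off Naive DN Matching instead. A DN reported as outside is genuinely beyond the Base DN and needs to be brought under it rather than recased.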
There are two ways to resolve this:
- Turning off "Naive DN Matching" in the directory's configuration (
Confluence Admin >> User Directories >> edit the directory >> Advanced Settings), so that the differently cased DNs are no longer treated as lying outside the Base DN
- Changing the Base DN in the Directory's configuration to match the group's DN casing (for the example above, we will need to change the base DN to