Incomplete Group Memberships In Integrated Applications Using Crowd Nested Groups
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
An LDAP-based directory contains an OU with three groups, "jira-administrators", "jira-developers" and "jira-users", and the groups containing the real users are nested into these. The results look OK in Crowd.
Jira is populated with "jira-administrators", "jira-developers" and "jira-users", and all users that should be there. Looking at a group, it displays the correct members. However, looking at the users, they have no group membership.
It is possible to log in to Jira, but the user has no privileges other than being recognized as belonging to "jira-users".
Cause
Nested groups don't belong to the Base DN defined in the Directory Connector (e.g. they are siblings rather than children of the Base DN).
Resolution
Increase the scope of the directory seen by Crowd by changing the Base DN.
This can cause unwanted groups to appear in the Crowd console, but the problem can be mitigated by using the Group Object Filter to filter out all but the specified group name patterns:
(&(objectCategory=Group)(|(cn=desired-group-A)(cn=desired-group-B)(cn=jira*)))
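The cause and resolution above, as an added Python example that is not Atlassian's code: it models Base DN scoping over a constructed directory, reports nested groups that fall outside the Base DN, derives a wider Base DN, and applies cn patterns in the style of the filter above. The `dc=example,dc=com` DNs and the `it-admins`, `dev-team` and `payroll` groups are assumptions standing in for a real directory and for `desired-group-A` / `desired-group-B`.

```python
from fnmatch import fnmatchcase

def rdns(dn):
    """Split a DN into lowercase RDNs (assumes no escaped commas in values)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def in_scope(dn, base_dn):
    """True if dn is the Base DN itself or sits anywhere beneath it."""
    return rdns(dn)[-len(rdns(base_dn)):] == rdns(base_dn)

def hidden_nested_groups(groups, base_dn):
    """Map each in-scope group to member groups that fall outside base_dn."""
    hidden = {}
    for dn, members in groups.items():
        missing = [m for m in members if m in groups and not in_scope(m, base_dn)]
        if in_scope(dn, base_dn) and missing:
            hidden[dn] = missing
    return hidden

def common_base(dns):
    """Deepest DN that contains every DN given (candidate wider Base DN)."""
    shared = []
    for level in zip(*(rdns(d)[::-1] for d in dns)):
        if len(set(level)) != 1:
            break
        shared.append(level[0])
    return ",".join(reversed(shared))

def visible_groups(groups, base_dn, cn_patterns):
    """Groups under base_dn whose cn matches one of the filter's cn patterns."""
    return [dn for dn in groups if in_scope(dn, base_dn) and any(
        fnmatchcase(rdns(dn)[0].split("=", 1)[1], p.lower()) for p in cn_patterns)]

# Constructed sample directory: group DN -> member DNs (not from the article).
SUFFIX = "dc=example,dc=com"
GROUPS = {
    f"cn=jira-administrators,ou=jira,{SUFFIX}": [f"cn=it-admins,ou=teams,{SUFFIX}"],
    f"cn=jira-developers,ou=jira,{SUFFIX}": [f"cn=dev-team,ou=teams,{SUFFIX}"],
    f"cn=jira-users,ou=jira,{SUFFIX}": [f"cn=dev-team,ou=teams,{SUFFIX}"],
    f"cn=it-admins,ou=teams,{SUFFIX}": [f"uid=alice,ou=people,{SUFFIX}"],
    f"cn=dev-team,ou=teams,{SUFFIX}": [f"uid=bob,ou=people,{SUFFIX}"],
    f"cn=payroll,ou=teams,{SUFFIX}": [f"uid=carol,ou=people,{SUFFIX}"],
}
BASE_DN = f"ou=jira,{SUFFIX}"

if __name__ == "__main__":
    wider = common_base(GROUPS)
    print(hidden_nested_groups(GROUPS, BASE_DN), wider,
          visible_groups(GROUPS, wider, ["it-admins", "dev-team", "jira*"]), sep="\n")
```

With the narrow Base DN every "jira-*" group has a nested member that is out of scope; with the wider one, the cn patterns keep "payroll" out while retaining the nested groups the memberships depend on.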