We are switching off article comments on this website. Read about the upcoming changes to Atlassian Documentation.
This document outlines how to go about constructing a more sophisticated filter for the userSearchFilter and groupSearchFilter attributes in your AtlassianUser LDAP config file (for Confluence versions prior to 3.5), and in the directory properties in Confluence Admin > User Directories (for Confluence 3.5 and above).
Filters are used to restrict the numbers of users or groups that are permitted to access Confluence. In essence the filter limits what part of the LDAP tree Confluence syncs from.
A filter can and should be written for both user and group membership. This ensures that you are not flooding your Confluence instance with users and groups that do not need access to your content.
When constructing a filter it is best to pick a common attribute of the set of users you want to allow access to Confluence. This is most often the attribute that denotes group membership or an objectClass like "Person"
The attribute used to denote membership in a group is not common to all flavors of LDAP. Examples of this attribute can be "groupMembership" or "Member"
For example, if my users are distinguished by having two objectClass attributes (one equal to 'person' and another to 'user'), this is how I would match for it:
ampersand symbol '&' symbol at the start. Translated this means: search for objectClass=person AND object=user.
Translated this means: search for objectClass=person OR object=user.
pipe symbol '|' denotes 'OR'. As this is not a special XML character, it should not need escaping.
This means: search for all entries that have objectClass=user AND cn that contains the word 'Marketing'.
Wildcards are unable to be used in filters using ! (or NOT) logical operators. See below
Just add an extra clause:
Extra clauses can be added for more than three attributes too.
As Microsoft Active Directory does not implement extensible matching, the following examples won't work with it.
You may want to match part of a DN, for instance when you need to look for your groups in two subtrees of your server.
will find groups with an OU component of their DN which is either 'Chicago' or 'Miami'.
To exclude entities which match an expression, use '!'. Note that this must be represented as the entity '!' in your XML file (if you are using Confluence 3.4 or below).
will find all Chicago groups except those with a Wrigleyville OU component.
Note the extra parentheses: (!(<expression>))
For Confluence 3.4 and below, once you have constructed your search filter using this document, you must escape the ampersand symbol and the exclamation mark symbol before adding to your XML file. So for example,
Refer to this external documentation on other XML characters that need escaping.
These filters are written for Active Directory. In order to use them for something such as OpenLDAP the attributes will need to be changed.
This will only synchronise users in the 'CaptainPlanet' group - this should be applied to the User Object Filter:
And this will search for users that are a member of this group, either directly or via nesting: