Reduce the number of users synchronised from LDAP to Hipchat Server

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

If you have connected Hipchat Server to an LDAP directory for authentication and user management, you may want Hipchat Server to synchronize a subset of users from LDAP rather than all users. There are two reasons to make this change:

  • Improving performance — If you have performance issues during the synchronization process, you may be able to improve this by synchronizing a subset of data. See this knowledge base article for more information: Performance issues with large LDAP repository in Jira server.
  • Reducing your user count — You can synchronize a subset of users to Hipchat Server from LDAP to reduce your user count. This will allow you to count fewer users against your Hipchat Server license. 

Methods for synchronizing users

The procedure for configuring Hipchat Server to synchronize a different number of users from LDAP depends on how you initially set up your LDAP directory:

  • For example, if you have all your Hipchat users in one organizational unit and your non-Hipchat users in another organizational unit, then you can simply configure Hipchat Server to only synchronize users against a particular DN (distinguished name). 
  • However, if your setup is not so simple (for example, you have your Hipchat users and non-Hipchat users in the same node), you will need to define an LDAP filter to synchronize the relevant users. 

Both of these methods are outlined below.

Synchronizing against Base DN and Additional User DN

If you have all your Hipchat users in one organizational unit and your non-Hipchat users in another organizational unit, then you can simply configure Hipchat Server to only synchronize users against a particular DN (distinguished name).

  1. Browse to your server's fully qualified domain name, for example https://hipchat.yourcompany.com/.
  2. Log into the Hipchat Server web user interface (UI) using your administrator email and password. 
  3. Click Group admin > Authentication.
  4. Update the Base DN field, and optionally the Additional User DN, to query against the directory server as desired. For example, if you have configured all of your Hipchat users in the hipchat-users organizational unit (OU) only for your company at mycompany.example.com, your configuration would look like this:
    • Base DN — dc=mycompany,dc=example,dc=com
    • Additional User DN — ou=hipchat-users

Active Directory/LDAP Group objects do not currently affect Hipchat Server. Filtering for or against groups won't change the user list in Hipchat Server. See Filtering for groups to learn how to work around this limitation.

Defining an LDAP filter

If your setup is not so simple (for example, you have your Hipchat users and non-Hipchat users in the same node), you will need to define an LDAP filter to synchronize the relevant users. 

  1. Browse to your server's fully qualified domain name, for example https://hipchat.yourcompany.com/.
  2. Log into the Hipchat Server web user interface (UI) using your administrator email and password. 
  3. Click Group admin > Authentication.
  4. Update User Object Filter field as desired. The syntax for LDAP filters is not simple and your query will depend on how you have set up your LDAP directory.
    For example, if only LDAP users in the state of Delaware, designated by "st=DE" in each user's attribute list within the LDAP tree, will use Hipchat you can filter to find them by setting the User Object Filter = (&(objectCategory=inetorgperson)(st=DE)).
    More information on defining LDAP filters is available in the pages linked in the Related content section at the top of this page.

Filtering for groups

Active Directory/LDAP group objects do not currently affect Hipchat Server. Filtering for or against groups won't change the user list in Hipchat Server.

To work around this limitation, set a user object filter to check for the memberOf attribute (or a similar attribute if your deployment doesn't use memberOf).  The filter must include the object type, for example memberOf=cn=groupname.

See the following example:

(&(objectclass=user)(sAMAccountName=*)(|(memberOf=cn=Heroes)(memberOf=ou=Crime-fighters)(memberOf=ou=Comic-book-characters)(memberOf=dc=Fictitious-persons)))

Last modified on Nov 30, 2017

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.