We are going to be switching to Active Directory to manage our Confluence users. Is there a way to filter users? We don't want everyone in Active Directory to have access to the wiki.
Regards,
Kay
In the LDAP setup under "User Schema Settings" you would specify an LDAP query in the "User Object Filter" field. It could be something like this ...
(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=yourSubfolder,OU=yourFolder,DC=yourdomain,DC=com))
This above query would return users that are classified in LDAP as a "Person", aren't disabled, and are part of the confluence-users group in LDAP.
This is how we set up our Confluence and Jira instances to work with AD. We have an OU in AD for all our Confluence groups and another one for our Jira groups. The group names all start with "confluence-" or "jira-" respectively. For the AD group and user filters we set them up this way.
User Object Filter
(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=Path,OU=To,OU=Group,DC=domain,DC=dom))
The above filter will only pull in users that have an enabled account and are part of the confluence-users group. For Jira you would change the group name to jira-core-users or jira-software-users depending on which you have. The userAccountControl portion is how it limits to only enabled accounts. The memberOf portion is where we specify to only bring in people that are members of the confluence-users group. You would need to change the filter to represent the distinguishedName of your confluence-users group. So, basically this group is what gets you access to Confluence. This group is only used for that purpose. It is not used for space permissions or page restrictions. It is simply the group that is used to say that you can log into Confluence and consume a license. Then in Confluence Administration -> Users & Security -> Global Permissions we set up the global permissions like this.
Group Object Filter
(&(objectCategory=Group)(sAMAccountName=confluence-*))
This filter says to simply look through AD and pull in any group that starts with "confluence-". For Jira the filter says jira-* instead. This will pull all your Confluence/Jira AD groups into Confluence and Jira and you can then use them for permissions to spaces and page restrictions, or projects for Jira.
I would recommend whenever you do permissions in Confluence and Jira (unless you are a super small shop ... even then maybe) to never give permissions to people. Instead give permissions to groups and then assign people to the groups ... even if there is only one person in the group. This helps to future proof your permissions. Eventually those employees will quit and it is a pain to have to hunt down all the spaces, pages, and projects they were assigned to and remove those permissions. It is way easier to just simply remove someone's group permissions. Besides, what if you miss something and re-hire that person to a different position and didn't get rid of all the old permissions? They may have access to stuff that they should not. So, I ALWAYS recommend assigning permissions to groups, not people.
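To make the effect of the two filters from the answers above concrete, here is an added Python example (not from any of the posts, and not Confluence's own code) that evaluates them against a small constructed set of directory entries. The sample accounts, the 512/514 userAccountControl values and the group DN are constructed; the evaluator implements only the filter forms this page uses (and, or, not, equality with a trailing wildcard, and the bit-AND extensible match).

```python
from fnmatch import fnmatchcase

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, the rule used in the filter
GROUP_DN = "CN=confluence-users,OU=Path,OU=To,OU=Group,DC=domain,DC=dom"
USER_FILTER = "(&(objectCategory=Person)(!(userAccountControl:%s:=2))(memberOf=%s))" % (BIT_AND_RULE, GROUP_DN)
GROUP_FILTER = "(&(objectCategory=Group)(sAMAccountName=confluence-*))"

def entry(name, category, uac=0, *groups):
    # Constructed AD entry; every attribute is a list because LDAP attributes are multi-valued.
    return {"sAMAccountName": [name], "objectCategory": [category],
            "userAccountControl": [uac], "memberOf": list(groups)}

# Constructed sample directory: uAC 512 = normal account, 514 = normal + ACCOUNTDISABLE (0x2)
ENTRIES = [
    entry("alice", "Person", 512, GROUP_DN),   # enabled member of confluence-users: imported
    entry("bob", "Person", 514, GROUP_DN),     # member but disabled: filtered out by the bit test
    entry("carol", "Person", 512),             # enabled but not in the group: filtered out
    entry("confluence-users", "Group"), entry("confluence-admins", "Group"), entry("jira-software-users", "Group"),
]

def parse(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset on this page: &, |, !, attr=value, attr:rule:=value."""
    i += 1                                   # skip "("
    if s[i] in "&|":
        op, parts, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            parts.append(node)
        return (op, parts), i + 1            # skip ")"
    if s[i] == "!":
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)                    # assumes values contain no ")" (true for these filters)
    lhs, value = s[i:end].split("=", 1)
    if lhs.endswith(":"):                    # extensible match: attr:rule:=value
        return ("ext", *lhs[:-1].split(":", 1), value), end + 1
    return ("eq", lhs, value), end + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if node[0] == "ext":                     # only the bit-AND rule is implemented: all mask bits must be set
        return any(int(v) & int(node[3]) == int(node[3]) for v in values)
    return any(fnmatchcase(str(v).lower(), node[2].lower()) for v in values)  # AD matches case-insensitively

def sync(filter_str, entries):
    """Names of the entries the directory connector would import for this filter."""
    tree, _ = parse(filter_str)
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]
```

Running `sync(USER_FILTER, ENTRIES)` returns only alice, and `sync(GROUP_FILTER, ENTRIES)` returns the two confluence-* groups, which is the behaviour the answer describes.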
As I understand it, you need to use a filter:
https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
Hi Davin,
I am sorry, I am probably not being very clear. I don't want everyone that is listed in Active Directory to become a member of the confluence-users group.
Regards,
Kay
The filter will not make everyone a member of the confluence-users group. The filter below will instruct Confluence to only sync users who are members of the confluence-users group into Confluence. That is just an example of how to do it and happens to be how we do it in my organization.
Thank you!