Confluence version 6.3
Active Directory Setup - Microsoft Active Directory (Read Only, with Local Groups)
Hi, I'm taking over as a Confluence Admin for an employee that left the company and have some questions on user provisioning. Currently, when users want access to Confluence, they submit a request and our Access Provisioning group will add them to two Confluence groups that map to Active Directory groups.
Confluence_Space_Admins
Or
Confluence_Users
Once they're assigned to these groups they can log in with their Active Directory credentials. I'm guessing these internal Confluence groups map to the Active Directory groups.
We'd like to add another group for the Data Analytics team that maps to the "Data_Analytics" Active Directory group. However, I'm not sure how to map an internal Confluence group to a group in Active Directory.
Thanks
Couple things to check into:
Go into Confluence Administration and see how your User Directories are set up. Is your Active Directory on top of Internal Directory? If so, good.
Example: My internal directory is pretty empty, we just have a service account in case SSO goes down.
If your Active Directory group is on top, then you should have your help desk, or whoever manages AD groups, create the new Data_Analytics AD group. Have them add the desired users into this group. After replication, the group should make its way into Confluence, and you should be able to lock down a space with that new AD group.
During Confluence setup for a new user, the people are added to Confluence_Users more than likely for application access. You can verify this by going into Confluence Administration and clicking Global Permissions.
Hope this information helps. Check out an add-on called SAML SSO if you don't want to worry about users typing in passwords! Wasn't the easiest setup, but works very well for us and support was great.
Here is some additional reading about setting up user directories:
https://confluence.atlassian.com/doc/configuring-user-directories-229838212.html
Thanks, Jonathan, I'll take a look! The Data_Analytics AD group is in Active Directory but I'm not seeing it in Confluence? Currently our User Directory is:
Microsoft Active Directory (Read Only, with Local Groups)
Should this be set to only "Read Only"?
Thanks. I'll review the link you provided.
Read only with local groups is correct.
When I first tried to configure Active Directory in User Directories, I had an issue getting all of my AD groups over into Confluence.
Here is how I resolved:
Thanks, I was able to make that edit fairly easily. Do I now need to create an internal for 'Data_Analytics' to sync the "Data_Analytics" group in AD with the internal Confluence "Data_Analytics" group? Forgive me, I'm being a little dense here.
No problem - I like questions!
Internal groups (local to Confluence) are completely separate from Active Directory groups. You shouldn't need to replicate the new groups into local groups.
If AD groups are working properly, you would only need local user/groups if....
Single sign on goes down in my environment. I would log in with service account (internal user) which has local/internal groups.
Did you watch the AD groups sync after changing the Active Directory properties? Try going to a space and adding Data_Analytics to space permissions.
When I uncheck the 'Enable Incremental Synchronization' option, I have options for,
"SAVE and TEST" and "Quick Test"
All tests pass if I enter a user in the AD, but I don't see any related groups getting brought over.
If I go try to set space permissions I don't see a group for "Data_Analytics", so I'm wondering if there are some incorrect settings in my AD setup?
After saving your changes in the Active Directory setup, go back to your User Directories page and click synchronize.
If it takes a while, it is working :)
When I had incremental checked, the sync would take 10 seconds. Doing a full sync for the first time took minutes.
@MikeA Any updates?
Following up to see if your new AD group appeared in Confluence after syncing in the last step noted above.
Unfortunately, I'm still not seeing groups showing up, but the tests are passing and users can authenticate with their AD credentials. I also tried entering the specific AD server vs the alias. I'm wondering if there's some configuration on the LDAP side that's preventing the sync up. I may have to escalate with my Access Provisioning department.
Thanks for all your help Jonathan
Hi Mike,
No, groups should be added no matter if you perform a full or an incremental update. However, only groups that match the additional group DN configured in the schema settings of your connection will be synchronized.
Please refer to https://confluence.atlassian.com/doc/connecting-to-an-ldap-directory-229838241.html#ConnectingtoanLDAPDirectory-SchemaSettings
To get more details about the AD structure you could e.g. use Microsoft's AD Explorer - https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer
Best, Tobias
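The scoping rule from the reply above, as an added example that is not part of the original thread: the additional group DN is used together with the base DN when Confluence searches for groups, so a group that lives outside that subtree is never synchronized even though users under the base DN authenticate fine. All DNs are constructed sample values and the function names are hypothetical.

```python
# Added example. Every DN below is a constructed sample, not taken from the thread.

def normalize_rdn(rdn):
    """Lower-case and trim one RDN so comparisons are case-insensitive, as in AD."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def split_rdns(dn):
    """Split a DN into normalized RDNs, honouring backslash-escaped commas."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [normalize_rdn(r) for r in rdns if r.strip()]

def group_search_base(base_dn, additional_group_dn=""):
    """Effective group search base: additional group DN in front of the base DN."""
    return split_rdns(additional_group_dn) + split_rdns(base_dn)

def in_group_scope(group_dn, base_dn, additional_group_dn=""):
    """True if group_dn sits below the effective group search base (subtree search)."""
    base = group_search_base(base_dn, additional_group_dn)
    if not base:
        raise ValueError("a base DN is required")
    group = split_rdns(group_dn)
    return len(group) > len(base) and group[-len(base):] == base

BASE_DN = "DC=example,DC=com"                 # constructed
ADDITIONAL_GROUP_DN = "OU=Confluence Groups"  # constructed
SAMPLE_GROUPS = [                             # constructed
    "CN=Confluence_Users,OU=Confluence Groups,DC=example,DC=com",
    "CN=Data_Analytics,OU=Security Groups,DC=example,DC=com",
]

def scope_report(groups=SAMPLE_GROUPS):
    """Map each group DN to whether a sync with these settings would pick it up."""
    return {g: in_group_scope(g, BASE_DN, ADDITIONAL_GROUP_DN) for g in groups}
```

Comparing the group's distinguished name as shown in AD Explorer against the directory's Base DN and Additional Group DN fields shows whether the group is in scope.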