How to properly filter users when using LDAP.

Chet Wolosek June 1, 2018

Hello, 

We have been using local accounts for our instance of Confluence but recently decided we wanted to utilize LDAP (Active Directory) integration so we have fewer user accounts to remember. I was able to go through and configure Confluence to connect to our directory server and am able to pull users and groups without issue. What I am having problems with is filtering the users that get automatically pulled into Confluence, as we do not want all users in our AD pulled into this. I did create group object filter rules that are working so that only certain groups are being presented, but I am struggling with how to properly filter the number of users. What I would like to be able to do is only pull users that are members of specific AD groups (using wildcards is an option since we use a consistent naming format). The primary reason why I want to filter the users that get pulled into this is because we don't want to have to buy a license for all user accounts in our domain, as they wouldn't use the product. I have referenced this article for some of my work but I am still stumped, so any help that could be provided would be greatly appreciated.

https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

Thank you

2 answers

1 accepted

1 vote
Answer accepted
Mikael Sandberg
Community Champion
June 1, 2018

You can use memberOf as part of your user object filter to restrict the scope. Take a look at https://confluence.atlassian.com/crowd/restricting-ldap-scope-for-user-and-group-search-169118612.html. It is for Crowd, but you can use the filter the same way in Confluence.

Note that it is not the number of users that you import from LDAP that controls the number of licenses you need; it is the number of users that have permission to log on to Confluence.

Chet Wolosek June 4, 2018

Does a license get counted if they login but don't have permissions to anything?

Nic Brough -Adaptavist-
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 4, 2018

Yes. If they can log in, they use a licence.

To avoid that, just check the "can log in" group(s). If they're not in there, they don't count towards your licence and they can't log in.

Chet Wolosek June 4, 2018

Found that the user filters I had tried using didn't work because they didn't support nested groups. If I added users as direct members of the targeted groups, the filter worked as expected. If nested groups are not an option for this filter, then I'll just have to add the users directly and call it a day. But if there is an option for nested groups, that would be nice.

Steven Behnke
Rising Star
June 4, 2018

Nested queries are covered on the bottom of this page: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

Directly query group 'CaptainPlanet':

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))

Query users who are nested below group 'CaptainPlanet':

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=CaptainPlanet,ou=users,dc=company,dc=com))
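The difference between the two filters, as an added Python example that is not part of this thread and not anything Confluence or Atlassian ships: it models a small constructed directory in memory and evaluates both filter shapes against it, so you can see which accounts a user object filter would import before pointing it at a real domain. The group name, OU and base DN are the ones from the answer; every user and group entry, and the `search`/`parse_and_filter`/`groups_in_chain` helpers, are assumptions made up for the example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# LDAP_MATCHING_RULE_IN_CHAIN, the extensible-match rule used in the nested filter above.
AD_CHAIN_RULE = "1.2.840.113556.1.4.1941"

# Constructed sample directory (not real data): DN -> attribute values. Only memberOf
# is modelled; in AD it is the back-link of a group's member attribute, so a group
# nested inside another group carries memberOf just like a user does.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=CaptainPlanet,ou=users,dc=company,dc=com": {
        "objectCategory": ["Group"]},
    "cn=Planeteers,ou=users,dc=company,dc=com": {
        "objectCategory": ["Group"],
        "memberOf": ["cn=CaptainPlanet,ou=users,dc=company,dc=com"]},
    "cn=Interns,ou=users,dc=company,dc=com": {
        "objectCategory": ["Group"],
        "memberOf": ["cn=Planeteers,ou=users,dc=company,dc=com"]},
    "cn=alice,ou=users,dc=company,dc=com": {          # direct member
        "objectCategory": ["Person"], "sAMAccountName": ["alice"],
        "memberOf": ["cn=CaptainPlanet,ou=users,dc=company,dc=com"]},
    "cn=bob,ou=users,dc=company,dc=com": {            # one nesting level down
        "objectCategory": ["Person"], "sAMAccountName": ["bob"],
        "memberOf": ["cn=Planeteers,ou=users,dc=company,dc=com"]},
    "cn=carol,ou=users,dc=company,dc=com": {          # two nesting levels down
        "objectCategory": ["Person"], "sAMAccountName": ["carol"],
        "memberOf": ["cn=Interns,ou=users,dc=company,dc=com"]},
    "cn=dave,ou=users,dc=company,dc=com": {           # not in the group tree at all
        "objectCategory": ["Person"], "sAMAccountName": ["dave"]},
    "cn=printer01,ou=computers,dc=company,dc=com": {  # direct member, but not a Person
        "objectCategory": ["Computer"], "sAMAccountName": ["printer01$"],
        "memberOf": ["cn=CaptainPlanet,ou=users,dc=company,dc=com"]},
}

Assertion = Tuple[str, Optional[str], str]  # (attribute, matching-rule OID or None, value)
ASSERTION_RE = re.compile(r"^([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)$")


def parse_and_filter(filter_str: str) -> List[Assertion]:
    """Split a top-level AND filter such as '(&(a=b)(c=d))' into its assertions.
    Only the shape used in the filters above is handled: no nested OR/NOT."""
    s = filter_str.strip()
    if not (s.startswith("(&") and s.endswith(")")):
        raise ValueError("expected a filter of the form (&(...)(...))")
    assertions = []
    for item in re.findall(r"\(([^()]*)\)", s[2:-1]):
        m = ASSERTION_RE.match(item)
        if m is None:
            raise ValueError(f"unsupported filter item: ({item})")
        assertions.append((m.group(1), m.group(2), m.group(3)))
    return assertions


def groups_in_chain(dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Every group `dn` belongs to, directly or through nested groups (lower-cased).
    This is what the server evaluates for memberOf:1.2.840.113556.1.4.1941:=;
    `seen` guards against membership cycles, which AD permits."""
    seen = set() if seen is None else seen
    for group in DIRECTORY.get(dn, {}).get("memberOf", []):
        if group.lower() not in seen:
            seen.add(group.lower())
            groups_in_chain(group, seen)
    return seen


def matches(assertion: Assertion, dn: str) -> bool:
    attr, rule, value = assertion
    values = DIRECTORY[dn].get(attr, [])
    if value == "*":                         # presence test, e.g. (sAMAccountName=*)
        return bool(values)
    if rule == AD_CHAIN_RULE and attr.lower() == "memberof":
        return value.lower() in groups_in_chain(dn)
    if rule is not None:
        raise ValueError(f"matching rule {rule} is not modelled here")
    # AD compares DNs and most string attributes case-insensitively.
    return value.lower() in (v.lower() for v in values)


def search(filter_str: str) -> List[str]:
    """sAMAccountNames of entries matching an AND filter, i.e. the accounts a
    Confluence user object filter would pull in from this sample directory."""
    assertions = parse_and_filter(filter_str)
    hits = [dn for dn in DIRECTORY if all(matches(a, dn) for a in assertions)]
    return sorted(DIRECTORY[dn]["sAMAccountName"][0] for dn in hits)


DIRECT = "(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))"
NESTED = ("(&(objectCategory=Person)(sAMAccountName=*)"
          f"(memberOf:{AD_CHAIN_RULE}:=cn=CaptainPlanet,ou=users,dc=company,dc=com))")

if __name__ == "__main__":
    print("direct members:", search(DIRECT))   # ['alice']
    print("nested members:", search(NESTED))   # ['alice', 'bob', 'carol']
```

The `(objectCategory=Person)` term is what keeps the computer account out of both result sets even though it is a direct member, and `dave` is excluded by both because he is in no group under `CaptainPlanet`; only the chain-rule form reaches `bob` and `carol` through the nested groups. Against a real domain, running the candidate filter with `ldapsearch` or the Confluence "Test settings" page and counting the returned entries gives the same before/after check on realistic data.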

Chet Wolosek June 4, 2018

It's what I get for not reading the entire article. Thank you for pointing that out, and yes, that does allow me to use nested groups. Now I have exactly what I needed for this to work as intended. Thank you for all your help, everyone.

0 votes
Steven F Behnke
Rising Star
June 1, 2018

Instead, you should use

  • Active Directory Sync
  • Read-only with Local Groups
  • Ensure that 'confluence-users' is applied as Default Group membership

Under Global Permissions, ensure that only 'confluence-users' is allocated to Can Use Confluence permission.

Now, users will only be licensed when they log in initially. If you need to control who can log in, then you can reinvestigate Filters.
