We have our AD server set to read-only with local groups. Our local directory is set up to support nested groups, and when we add users from the local directory to the sub-group, they're added to the parent groups as normal.
Unfortunately the users in our AD server don't get added to the same parent groups, they only get added to the group that you add them to.
For fun, even though our AD server isn't working with our groups, we have it set to support nested groups as well, but that didn't change anything.
Hi Nick,
Do you have any user filter (User Object Filter) in place in your directory configuration in JIRA? In case you have, you may need to add the parameter 1.2.840.113556.1.4.1941 as in the example below:
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local))
The explanation of this parameter is on this page; basically it allows recursive search in your LDAP.
I hope it helps.
Cheers
I need one of these for every nested group, don't I?
We don't have any groups that are nested in the jira_users group, but we have a number of them that are interdependent based on the developers' departments.
Hi Nick,
The parameter 1.2.840.113556.1.4.1941 needs to be declared after every memberOf attribute in your filter. Also, the filter above is just an example; you don't necessarily need to have a group called jira_users.
Cheers
Excellent. Looks like everything works. Although we chose to just switch to a read/write LDAP, this process did indeed work for us.
Thank you!
Hello Nick,
What does the final configuration look like?
Regards,
Suhas
How could it be applied in our case? We are not filtering on group; we're filtering user accounts based on them having an EmployeeID property (that separates humans from non-human accounts), and the account not being disabled (UserAccountControl:1.2.840.113556.1.4.803:=2).
(&(objectClass=user)(objectCategory=person)(employeeID=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Can this 1.2.840.113556.1.4.1941 parameter be applied in our case?
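As an added example (not code from this thread, nor from Atlassian's JIRA directory connector), the following Python script simulates offline what the two Active Directory extensible matching rules discussed above do, so the filter semantics can be checked before touching a live directory. The chain rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) only works on DN-valued attributes such as memberOf, and it walks nested groups transitively, which is why it has to sit on every memberOf term you want to be nested (the answer above). The bit-AND rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) on userAccountControl is unrelated to group nesting: the filter in the last question (employeeID present, bit 2 not set) gains nothing from 1941 unless a memberOf term is added to it. The directory contents, DNs, user names and attribute values below are constructed for the demo.

```python
# Added example: offline simulation of LDAP_MATCHING_RULE_IN_CHAIN (nested memberOf)
# and LDAP_MATCHING_RULE_BIT_AND (userAccountControl bit test). The directory,
# DNs and users below are made up for the demo.
from collections import deque

IN_CHAIN = "1.2.840.113556.1.4.1941"   # transitive match on DN-valued attributes
BIT_AND = "1.2.840.113556.1.4.803"     # bitwise AND match on integer attributes
ACCOUNTDISABLE = 0x2                   # userAccountControl bit: account disabled
NORMAL_ACCOUNT = 0x200                 # userAccountControl bit: ordinary user account

BASE = "OU=groups,DC=company,DC=local"
PEOPLE = "OU=people,DC=company,DC=local"
JIRA_USERS = "CN=jira_users,OU=jira,OU=atlassian,DC=company,DC=local"
DEV_BACKEND = f"CN=dev_backend,{BASE}"
DEV_PLATFORM = f"CN=dev_platform,{BASE}"

# Constructed group DN -> direct "member" values (users or other groups).
GROUPS = {
    JIRA_USERS: {DEV_BACKEND, f"CN=alice,{PEOPLE}"},
    DEV_BACKEND: {DEV_PLATFORM, f"CN=bob,{PEOPLE}"},
    DEV_PLATFORM: {f"CN=carol,{PEOPLE}", f"CN=dave,{PEOPLE}", f"CN=svc-build,{PEOPLE}"},
}

# Constructed user DN -> attributes. svc-build has no employeeID (service account);
# dave is disabled.
USERS = {
    f"CN=alice,{PEOPLE}": {"employeeID": "1001", "userAccountControl": NORMAL_ACCOUNT},
    f"CN=bob,{PEOPLE}": {"employeeID": "1002", "userAccountControl": NORMAL_ACCOUNT},
    f"CN=carol,{PEOPLE}": {"employeeID": "1003", "userAccountControl": NORMAL_ACCOUNT},
    f"CN=dave,{PEOPLE}": {"employeeID": "1004",
                          "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    f"CN=svc-build,{PEOPLE}": {"userAccountControl": NORMAL_ACCOUNT},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter (a DN with
    parentheses or '*' in a CN would otherwise break or widen the filter)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def member_of_clause(group_dn: str, nested: bool) -> str:
    """One memberOf term. The IN_CHAIN rule has to be on *each* term that should
    match nested membership; a bare (memberOf=...) matches direct members only."""
    rule = f":{IN_CHAIN}:" if nested else ""
    return f"(memberOf{rule}={escape_filter_value(group_dn)})"


def build_user_filter(group_dns, nested: bool = True) -> str:
    """Filter in the shape used in the thread: user object, has an employeeID,
    not disabled (BIT_AND on userAccountControl), and in one of the groups."""
    groups = "".join(member_of_clause(dn, nested) for dn in group_dns)
    if len(group_dns) > 1:
        groups = f"(|{groups})"
    return ("(&(objectClass=user)(objectCategory=person)(employeeID=*)"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})){groups})")


def member_of(user_dn: str, nested: bool) -> set:
    """Groups the user belongs to: direct only, or the full chain of parents,
    which is what the IN_CHAIN rule makes the server walk."""
    direct = {g for g, members in GROUPS.items() if user_dn in members}
    if not nested:
        return direct
    seen, queue = set(direct), deque(direct)
    while queue:
        g = queue.popleft()
        for parent, members in GROUPS.items():
            if g in members and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def matching_users(group_dns, nested: bool = True) -> list:
    """Evaluate build_user_filter() against the constructed directory; returns CNs."""
    hits = []
    for dn, attrs in USERS.items():
        if "employeeID" not in attrs:                       # (employeeID=*) fails
            continue
        if attrs["userAccountControl"] & ACCOUNTDISABLE:    # BIT_AND rule: disabled
            continue
        if any(g in member_of(dn, nested) for g in group_dns):
            hits.append(dn.split(",")[0][3:])
    return sorted(hits)


if __name__ == "__main__":
    print(build_user_filter([JIRA_USERS]))
    print("direct memberOf only:", matching_users([JIRA_USERS], nested=False))
    print("with IN_CHAIN rule:  ", matching_users([JIRA_USERS], nested=True))
```

With only a plain memberOf term, only alice (a direct member of jira_users) matches; with the chain rule, bob and carol match through dev_backend and dev_platform, while dave is still excluded by the disabled bit and svc-build by the missing employeeID. Two caveats for a real directory: the chain rule makes the domain controller walk the group graph for every candidate object, so scope the base DN as tightly as you can on large forests, and remember that the User Object Filter only decides which user objects the connector retrieves, so confirm the synced memberships in JIRA after changing it.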