I am using Confluence 2.7.1 with hundreds of users and dozens of groups.
However, I have the same problem with atlassian-user.xml. Lost all local groups once LDAP is turned on with atlassian-user.

Hi Tim, I think I can grab users from the users table and insert them into the external_entities table, and then I can run the script you provide above to migrate the groups?

The transition definitely needs some work. It should check if a local user exists in LDAP and, if so, add the user to the EXTERNAL_ENTITIES table and migrate the user's groups.

I tried to eliminate the pre-condition to do the user first time login via SOAP API. Although the "first time" login was successful, no record was created for the user in the EXTERNAL_ENTITIES table.

Hi Royce,
I've gone ahead and created a support ticket for you in our http://support.atlassian.com
Tim Wong

upping the priority of this. Now that os_user has been deprecated, there needs to be a path for customers with os user management to migrate their LDAP configuration without losing group associations.

Has someone come up with a script to eliminate the 'pre-condition?' I find myself in the same situation as Royce.
Manuel,
This is what I did... Make sure you test it out on a dev server and not production. Since I only wanted to use the LDAP authentication, not the groups, I figured out that this worked for me. I don't know if it is the "right" way... but it worked.

1. To re-associate local Confluence groups

INSERT INTO external_members (extentityid, SELECT

*Note, I only copied the user accounts to the Excel file if it was an account that matched the network (LDAP) user name. So, after doing these steps, only users that had wiki usernames that matched their LDAP username will be re-associated to their groups. The other accounts will have to be manually re-added to each group.

2. To eliminate the duplicate usernames

I deleted all the users (except the local admin account) from the dbo.users table.

I hope that helps...

Thanks Lisa!
Your suggestion worked perfectly on both the dev and production hosts.
Manny

If migrating from os_user to ldap, the user migration script will retain group membership:
http://confluence.atlassian.com/display/DOC/Migrating+to+new+User+Management

Therefore, if migrating from os_user to LDAP, make sure to put in your ldap tag, then hibernate tag, then os_user tag in <confluence-home>/confluence/WEB-INF/classes/atlassian-user.xml. If you're already on hibernate user management, this issue pertains. You can see if you're on os_user or hibernate user by looking at the os_user and users tables on the db, respectively.

Crowd may be able to help some customers in this situation. Crowd presents a single view of multiple directories to an application. If two directories are mapped to an application and there's a user with the same name in both directories, their group memberships are combined. Authentication will happen against the first directory in which the user exists.
Crowd will authenticate users against the LDAP directory, and combine memberships from both directories to present to Confluence.

It is disappointing to hear that a simple Confluence upgrade to LDAP requires us to buy a $2,000 application.

A description of how to retain group membership when going from osuser => Ldap is here:
http://confluence.atlassian.com/display/DOC/Migrate+to+LDAP+User+Management+From+OsUser

Watch this bug report for updates on migrating (and keeping group membership) from hibernate(atlassian user) => LDAP.
Result:
If a user exists in both the local table and the external_entities table, this will dump all their local groups into the external_members table, which has the end result of giving the LDAP user all the groups the local user had. This has been vetted in an installation of Confluence 2.7 where a local user was created with the same login as one in LDAP. Then an LDAP was integrated into this install. This SQL successfully granted this test user the same permissions (confluence-users, confluence-admin).
Steps I took to produce this result: (be sure to back up the DB before doing this)
1) Shutdown Confluence
2) Run Query
3) Start Confluence
4) Login with a local admin user, and flush the caches.
5) Login with an LDAP user that was also a local user. This user should have all the same groups as the prior local user.
This fix does have a serious flaw. The pre-condition for this to work is the LDAP user must be in the external_entities table to begin with. If the LDAP user has never logged in, then they will not be in this table; this entry is created on first log in.
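
A read-only dry run of the pre-condition described above, as an added example that is not part of the original issue and not Atlassian's code: it reports which local memberships a name-matched copy would grant, which users would be skipped because they have no external_entities row, and which grants carry a privileged group. The table names users, external_entities and external_members come from the thread; the local_members and wiki_groups tables, all column names, the group names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed, simplified schema and rows. Only the table names users,
# external_entities and external_members appear in the thread; the other
# tables and every column name are assumptions.
DEMO = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE wiki_groups (id INTEGER PRIMARY KEY, groupname TEXT);
CREATE TABLE local_members (userid INTEGER, groupid INTEGER);
CREATE TABLE external_entities (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE external_members (extentityid INTEGER, groupid INTEGER);
INSERT INTO users VALUES (1,'alice'),(2,'bob'),(3,'carol');
INSERT INTO wiki_groups VALUES (10,'wiki-users'),(11,'wiki-admins');
INSERT INTO local_members VALUES (1,10),(1,11),(2,10),(3,10);
INSERT INTO external_entities VALUES (100,'alice'),(101,'carol');
INSERT INTO external_members VALUES (101,10);
"""

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO)
    return conn

def dry_run(conn, privileged_groups):
    """Read-only report of what a name-matched group copy would do."""
    # Memberships that would be copied: the user has an external_entities
    # row (has logged in via LDAP) and the membership is not there yet.
    would_copy = conn.execute("""
        SELECT u.name, g.groupname
        FROM users u
        JOIN external_entities e ON e.name = u.name
        JOIN local_members lm ON lm.userid = u.id
        JOIN wiki_groups g ON g.id = lm.groupid
        WHERE NOT EXISTS (SELECT 1 FROM external_members em
                          WHERE em.extentityid = e.id AND em.groupid = g.id)
        ORDER BY u.name, g.groupname""").fetchall()
    # Pre-condition not met: no external_entities row, so groups stay behind.
    skipped = [r[0] for r in conn.execute("""
        SELECT u.name FROM users u
        WHERE NOT EXISTS (SELECT 1 FROM external_entities e WHERE e.name = u.name)
        ORDER BY u.name""")]
    # Privileged grants deserve a manual check that the LDAP account and
    # the old local account really belong to the same person.
    review = [row for row in would_copy if row[1] in privileged_groups]
    return {"would_copy": would_copy, "skipped": skipped, "review": review}

if __name__ == "__main__":
    print(dry_run(build_demo_db(), {"wiki-admins"}))
```

Because the match is on login name alone, every entry in the review list is a privilege grant to whoever owns that name in LDAP, so it is worth confirming before the real query is run.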