-
Suggestion
-
Resolution: Fixed
-
None
-
54
-
Confluence 2.7.x now uses the Atlassian User as the underlying user management framework. However, there are situation where:
- There are already local users exist in the Confluence instance
- The local users are a member of some existing local groups with certain permission set
- Having the local username possess the same username in the LDAP server
- Integrating with LDAP leads to:
- The LDAP user (who has the same username as the existing local users) not being a membership of the local groups anymore
- The LDAP user do not possess the group permission/privilege set
It would be nice if Confluence provide the ability to retain the local group membership and permission for LDAP users who have the same username with the local user.
- incorporates
-
CONFSERVER-6885 When LDAP user with the same username as a local user logs in they no longer belong to confluence-users
-
- Closed
-
- is related to
-
-
- Closed
-
-
-
- Closed
-
-
- Closed
- relates to
-
-
- Closed
-
-
-
- Closed
-
[CONFSERVER-10654] The ability to translate local membership into external membership for initial LDAP integration
Edgardo Luzcando
added a comment - @eastwood
In migrating from 2.7 to 3.0.2 (and moving from OSUser to LDAP - user authentication only for now) I manually updated all the profile picture related entries to match the case of the user in LDAP. I now still have an issue where the pictures don't show unless you log on, but I am still investigating with support.
Edgardo Luzcando
added a comment - @eastwood
In migrating from 2.7 to 3.0.2 (and moving from OSUser to LDAP - user authentication only for now) I manually updated all the profile picture related entries to match the case of the user in LDAP. I now still have an issue where the pictures don't show unless you log on, but I am still investigating with support. 
eastwood
added a comment - Hi all,
Haven't you got any user profile related issues by this process?
I tried the same process, but ended up losing profile pictures,...etc.
Problem is, 'OS_PROPERTYENTRY' table has some data related with user 'id's of 'users' table.
Now, we are moving to 'external_entities' table. We might loss some data there...
Any thoughts ?
Regards
eastwood
added a comment - Hi all,
Haven't you got any user profile related issues by this process?
I tried the same process, but ended up losing profile pictures,...etc.
Problem is, 'OS_PROPERTYENTRY' table has some data related with user 'id's of 'users' table.
Now, we are moving to 'external_entities' table. We might loss some data there...
Any thoughts ?
Regards 
Michael Gettes
added a comment - Jeremy Largman's latest posting of hibernate2ldap.jsp has fixed our problems.
We have not yet gone production but we have done enough tests I am comfortable
this is mostly solved. What I see are 2 problems remaining -
(1) And this probably for Jeremy: excluding confluence-users from the groups
being handled by this process. I needed to exclude confluence-users in order to
make this work in a reasonable amount of time. If I left it in the processing of my
20K users the process would take about 9 hours. Excluding confluence-users
it takes 9 minutes. My login process automatically adds people to confluence-users
if they are not a member so this isn't an issue for me but may be an issue for those
who do not have an intelligent login process - we use the Confluence Shibboleth
Authenticator.
(2) The second problem has to do with proper cleanup (deletion) of users
successfully migrated by this process. I'd prefer this be a separate step.
I do see duplicates when performing administrative tasks on users and groups
and I have less knowledgeable people performing similar tasks who will be
confused by the duplicates.
My sincere thanks to Jeremy for his dedication of working over memorial day
weekend to help me solve this problem. hibernate2ldap.jsp now works.
Michael Gettes
added a comment - Jeremy Largman's latest posting of hibernate2ldap.jsp has fixed our problems.
We have not yet gone production but we have done enough tests I am comfortable
this is mostly solved. What I see are 2 problems remaining -
(1) And this probably for Jeremy: excluding confluence-users from the groups
being handled by this process. I needed to exclude confluence-users in order to
make this work in a reasonable amount of time. If I left it in the processing of my
20K users the process would take about 9 hours. Excluding confluence-users
it takes 9 minutes. My login process automatically adds people to confluence-users
if they are not a member so this isn't an issue for me but may be an issue for those
who do not have an intelligent login process - we use the Confluence Shibboleth
Authenticator.
(2) The second problem has to do with proper cleanup (deletion) of users
successfully migrated by this process. I'd prefer this be a separate step.
I do see duplicates when performing administrative tasks on users and groups
and I have less knowledgeable people performing similar tasks who will be
confused by the duplicates.
My sincere thanks to Jeremy for his dedication of working over memorial day
weekend to help me solve this problem. hibernate2ldap.jsp now works. 
Amit
added a comment - I really do hope this gets done - since it's fairly critical for enterprise installations who can't re-associate thousands of people manually:
http://forums.atlassian.com/thread.jspa?messageID=257309180
Voted
Amit
added a comment - I really do hope this gets done - since it's fairly critical for enterprise installations who can't re-associate thousands of people manually:
http://forums.atlassian.com/thread.jspa?messageID=257309180
Voted Adding updated jsp to handle LDAP repositories that limit number of objects queried.
I have tried running this... I got about a dozen of the form
Local user with username '468104698@qq.com' found.
No corresponding LDAP user for local user 468104698@qq.com
and then it stopped. Nothing ended up in EXTERNAL_ENTITIES or EXTERNAL_MEMBERS.
I have about 19,960 users in confluence - about 17,000 will be found in LDAP.
Advice appreciated.
Michael Gettes
added a comment - - edited I have tried running this... I got about a dozen of the form
Local user with username '468104698@qq.com' found.
No corresponding LDAP user for local user 468104698@qq.com
and then it stopped. Nothing ended up in EXTERNAL_ENTITIES or EXTERNAL_MEMBERS.
I have about 19,960 users in confluence - about 17,000 will be found in LDAP.
Advice appreciated. Attaching a new version of the patch that addresses issues with large LDAP repositories.
Andy del Hierro
added a comment - I just followed the steps out lined by Jeremy and the first 5 users imported just fine. After that i get this for ever other user.
Local user with username 'username' found. No corresponding LDAP user.
Where username is a correct LDAP user in the database.
I have over 150+ users.
Andy del Hierro
added a comment - I just followed the steps out lined by Jeremy and the first 5 users imported just fine. After that i get this for ever other user.
Local user with username 'username' found. No corresponding LDAP user.
Where username is a correct LDAP user in the database.
I have over 150+ users. A jsp patch is attached to convert hibernate users.
Instructions:
- Configure <confluence-home>/confluence/WEB-INF/classes/atlassian-user.xml according to the add ldap and customising atlassian user documents. It should have the LDAP tag on top and the hibernate tag below, no osuser tag.
- Add the hibernate2ldap.jsp file to the <confluence-install>/confluence/admin folder (or /admin folder from the war installation).
- Access http://<server_base_url>/admin/hibernate2ldap.jsp
- Click 'Migrate Users'. The output will show a detailed report of the group association migration.
Please comment if the patch works for you, or what problems you encounter. It's been tested but not on a large instance.
Confluence 3.5 now amalgamates membership across directories, so users will have all the memberships from all directories they appear in.Update 15 Dec: my statement above was not correct. Users are not amalgamated across directories – they belong only to the groups in the first directory where they're found. However, groups contain all the members across all the directories they exist in. Sorry for the mistake.
The migration story is a bit more complicated. Certain types of LDAP configurations can be migrated from earlier versions with the user membership maintained, but others cannot.
If you have problems with migrating to LDAP in a recent version of Confluence, please raise a support case. We'll be raising new issues to cover these requirements in Confluence 3.5 and later, since this issue is too specific to the old user management system to track the new requirements accurately.