
      Resolved in Confluence 3.5

      We are pleased to advise that support for nested groups is available in Confluence 3.5. You can find instructions on how to configure nested groups in our documentation:

      More information about the great new features available with the release of Confluence 3.5 can be found in the release notes. Thanks for your interest and support of Confluence.

      Currently in Atlassian-user, groups can only include users, not other groups. Support for nested groups would allow groups to contain other groups.

      For example, consider the following simplified LDAP records:

      dn: cn=sales,ou=groups
      cn: sales
      member: cn=salesman,ou=users

      dn: cn=staff,ou=groups
      cn: staff
      member: cn=ceo,ou=users
      member: cn=sales,ou=groups

      In this example, the group 'sales' is a group containing just a single user, 'salesman'. However, the 'staff' group contains both the user 'ceo' and the group 'sales'.

      In Atlassian-user, implementing nested groups would mean that 'salesman' would be a member of both 'sales' and 'staff' in the above scenario. Atlassian-user should also recognise that both users and groups can be members of a group, especially when listing the membership information for a group. (That is, a list of the members of 'staff' should have two entries: an entry for the 'ceo' user and an entry for the 'sales' group. The membership should not automatically be condensed into a list of two users.)

      In applications, permissions granted to the 'staff' group should apply to both 'salesman' and 'ceo'. Additionally, any new users added to 'sales' should automatically gain these permissions.
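      The membership rules described above, as an added example (not part of the original issue and not Atlassian code): it parses the two simplified records, lists direct members with users and groups kept distinct, and expands nested groups into the users who inherit a group's permissions. The function names are hypothetical, DNs are compared as exact strings, and the guard against groups that contain each other is an assumption the issue does not discuss.

```python
# Added example (hypothetical names, not Confluence code); DNs compared as exact strings.
RECORDS = """\
dn: cn=sales,ou=groups
cn: sales
member: cn=salesman,ou=users

dn: cn=staff,ou=groups
cn: staff
member: cn=ceo,ou=users
member: cn=sales,ou=groups
"""

def parse_records(text):
    """Return {group_dn: [member_dn, ...]} from blank-line-separated records."""
    groups = {}
    for block in text.strip().split("\n\n"):
        dn, members = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key == "member":
                members.append(value)
        if dn:
            groups[dn] = members
    return groups

def direct_members(groups, group_dn):
    """List direct members, keeping nested groups as group entries."""
    return [("group" if m in groups else "user", m) for m in groups[group_dn]]

def effective_users(groups, group_dn, _seen=None):
    """Expand nested groups into users; _seen stops membership cycles."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for kind, member in direct_members(groups, group_dn):
        if kind == "group":
            users |= effective_users(groups, member, seen)
        else:
            users.add(member)
    return users

def groups_for_user(groups, user_dn):
    """Every group whose effective membership includes the user."""
    return sorted(g for g in groups if user_dn in effective_users(groups, g))
```

      When auditing access, effective_users() on a group shows every account that a permission granted to that group actually reaches, including indirect members.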

        1. roche-user-auth-1.0.jar
          3 kB
        2. swisscom-user-auth.zip
          11 kB
        3. swisscom-user-auth-1.0.jar
          5 kB
        4. swisscom-user-auth-1.1.jar
          6 kB
        5. swisscom-user-auth-1.1.zip
          69 kB
        6. swisscom-user-auth-1.2.jar
          6 kB
        7. swisscom-user-auth-1.2.zip
          63 kB
        8. swisscom-user-auth-1.2-conf31.diff
          1 kB
        9. swisscom-user-auth-1.2-tngpatched.jar
          6 kB
        10. swisscom-user-auth-confluence2.5.x.zip
          6 kB

            [CONFSERVER-17150] Support nested groups

            I'm pleased to report that this issue is resolved for Confluence 3.5. You can now configure nested groups for your LDAP server by checking the 'Enable Nested Groups' checkbox in the LDAP directory configuration.

            More details on how to configure user directories in Confluence 3.5 and later can be found here:

            http://confluence.atlassian.com/display/DOC/Configuring+User+Directories

            You can read about the other great features in the Confluence 3.5 release in our release notes:

            http://confluence.atlassian.com/display/DOC/Confluence+3.5+Release+Notes

            Please raise any issues or improvement suggestions as new issues against Confluence 3.5. Thanks very much for your continued support.

            Best regards,
            Matt Ryall
            Team Lead, Confluence 3.5 User Management Improvements


            Sherif Mansour added a comment -

            Updated issue description with status.

            Matt Ryall added a comment -

            I'm pleased to let you know that the first milestone of Confluence 3.5, including the improved user management support, is available for testing. Release notes which include a download link for 3.5-m1 are available here: Confluence 3.5-m1 ("Milestone 1") Release Notes

            There is no documentation available yet for the new LDAP integration aside from what is on the release notes, so I'd suggest starting from a clean installation and going to Administration > User Directories in order to set up the configuration of your LDAP server from scratch. Hopefully you won't find it too difficult. There will be complete support for automatic migration for existing instances in 3.5, but it has a couple of glitches that we're still working on.

            There is a lot of detail about the improvements on the release notes, and a few important limitations you should be aware of:

            • Nested groups aren't shown as such in the Confluence UI; you'll see users appearing under every group they are either direct or indirect members of
            • The initial synchronisation may take several hours if you have 100,000+ memberships, but subsequent syncs should be faster, particularly with Active Directory. (Low latency connections to the LDAP server are highly recommended!)
            • Crowd integration has a known issue with nested groups that we're looking into.

            It would be great if anyone who is interested in this feature could test this release against their LDAP server in a test environment and let us know how it goes. In particular, we'd like to know about any problems with configuring the directory, whether there are any errors in synchronising the LDAP data, and whether the hourly synchronisation successfully keeps Confluence's data up to date with changes on your server.

            If you have any feedback about the milestone, please raise a separate CONF issue against version 3.5, and include a copy of your log files. I'm also happy to receive direct email if you have any questions or concerns. Whatever you do, please don't spam 160+ people by posting your feedback on this ticket!

            To set your expectations appropriately, the expected release date is still a few months away. We'll continue releasing milestones about every two weeks as development proceeds. I won't post here about every release; if you want to track the 3.5 milestones, you should watch the Development Releases page which will be updated when future milestones are published.

            Thanks for your continued support,
            Matt Ryall
            Confluence Development

            Fabian Unterreiner added a comment -

            We have as well an unlimited enterprise license of Confluence in our company with more than 26.000 users. In an enterprise environment it is normal to use nested groups, therefore it is a 'must' to have this supported in an enterprise wiki. The knowledge is available for Atlassian --> CROWD, so please help us out and do something. I can't stand anymore the amount of tickets opened on our user help desk.

            Deleted Account (Inactive) added a comment -

            Reading the whole thread, I am very disappointed that such a powerful product is lacking on basic out of the box functionality. We are planning to roll out Confluence across our specialized groups for knowledge exchange and when we have over 600+ users changing teams across the organization very frequently, it becomes a nightmare to administrate as well as to keep the cost down.

            I really do hate to see such a basic requirement has been delayed, until a new release on superb product. Is there no other interim solution which we can use other than buying CROWD?

            Matt Ryall added a comment -

            Chris, it won't be in 3.4. At the moment, we're aiming for 3.5, but we have several performance issues that need to be resolved before we'll know for certain.

            The current status for the project is still alpha.

            Chris Horinek added a comment -

            What release of Confluence is support for LDAP nested groups scheduled for? 3.4?

            Ricardo Mateus added a comment -

            Hey.
            This is an extremely important feature for my organization.
            We're centralizing the entire login using Active Directory and this feature would be very useful to us.

            Hugh Kelley added a comment -

            For what it's worth, I've been using the swisscom-user-auth adapter for many months in our production environment.

            I know that's not the same as an Atlassian-supported release, but the results have been very satisfactory for us.

            We use a role-based access methodology in Active Directory and everyone gets access to Confluence via a nested (job function role nested in access-level role) group.

            Andre Gammelgaard added a comment -

            Hi

            Please fix this asap. We have in Telenor Denmark many groups that are nested in our LDAP as we have a large organization, so we will have a large overhead of administration in adding these people to extra groups to have access to the wiki.

            Regards
            André

              matt@atlassian.com Matt Ryall
              tom@atlassian.com Tom Davies
              Votes: 317
              Watchers: 171
