  1. Confluence Data Center
  2. CONFSERVER-5723

Group membership search in LDAP assumes user's dn starts with username attribute


Details

    • Bug
    • Resolution: Fixed
    • High
    • None
    • 2.1.5
    • None

    Description

      Our group membership search doesn't pick up users in some LDAP configurations, most notably Active Directory. In AD, a user record and corresponding group record might look like this:

      cn=jsmith,cn=Users,dc=example,dc=com
      cn: jsmith
      objectClass: inetOrgPerson
      sAMAccountName: john

      cn=confluence-users,cn=Groups,dc=example,dc=com
      cn: confluence-users
      objectClass: group
      member: cn=jsmith,cn=Users,dc=example,dc=com

      Confluence assumes incorrectly that the group membership for John Smith would be: sAMAccountName=john,cn=Users,dc=example,dc=com. Oops.

      We should decouple the attribute used for the login name from the group search filter.
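
An added illustration, not part of the original issue and not Confluence's code: the lookup described above run against the two sample entries, first building the member DN from the login attribute, then resolving the user's real DN before matching groups. The in-memory `DIRECTORY`, the `search` helper and the function names are hypothetical stand-ins for a real LDAP client, and the DN comparison is deliberately simplified.

```python
# Constructed sample directory mirroring the two entries in the issue description.
DIRECTORY = {
    "cn=jsmith,cn=Users,dc=example,dc=com": {
        "cn": ["jsmith"],
        "objectClass": ["inetOrgPerson"],
        "sAMAccountName": ["john"],
    },
    "cn=confluence-users,cn=Groups,dc=example,dc=com": {
        "cn": ["confluence-users"],
        "objectClass": ["group"],
        "member": ["cn=jsmith,cn=Users,dc=example,dc=com"],
    },
}


def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignoring spaces around commas.
    # (Does not handle escaped commas inside attribute values.)
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(attr, value, match=str.lower):
    """Return DNs of entries where attr equals value (stand-in for an LDAP search)."""
    return [dn for dn, entry in DIRECTORY.items()
            if any(match(v) == match(value) for v in entry.get(attr, []))]


def groups_buggy(login, login_attr="sAMAccountName",
                 user_base="cn=Users,dc=example,dc=com"):
    # Behaviour described in the issue: the member DN is assembled from the
    # login attribute, so it only works when the RDN happens to be that attribute.
    assumed_dn = f"{login_attr}={login},{user_base}"
    return search("member", assumed_dn, norm_dn)


def groups_decoupled(login, login_attr="sAMAccountName"):
    # Step 1: resolve the login name to the entry's actual DN.
    user_dns = search(login_attr, login)
    if len(user_dns) != 1:
        return []  # unknown or ambiguous login: fail closed, grant no groups
    # Step 2: match group membership on that DN, whatever its RDN attribute is.
    return search("member", user_dns[0], norm_dn)


if __name__ == "__main__":
    print("buggy:    ", groups_buggy("john"))
    print("decoupled:", groups_decoupled("john"))
```
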


            People

              Unassigned Unassigned
              matt@atlassian.com Matt Ryall