Group membership search in LDAP assumes user's dn starts with username attribute


    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • Affects Version/s: 2.1.5
    • Component/s: None

      Our group membership search doesn't pick up users in some LDAP configurations, most notably Active Directory. In AD, a user record and corresponding group record might look like this:

      cn=jsmith,cn=Users,dc=example,dc=com
      cn: jsmith
      objectClass: inetOrgPerson
      sAMAccountName: john

      cn=confluence-users,cn=Groups,dc=example,dc=com
      cn: confluence-users
      objectClass: group
      member: cn=jsmith,cn=Users,dc=example,dc=com

      Confluence assumes incorrectly that the group membership for John Smith would be: sAMAccountName=john,cn=Users,dc=example,dc=com. Oops.

      We should decouple the attribute used for the login name from the group search filter.
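The mismatch described above, as an added example that is not Confluence's code: it compares a membership search keyed on a DN assembled from the login attribute with one keyed on the DN the directory actually returns for that user. The in-memory directory, the tiny filter evaluator, and the names `USER_BASE`, `LOGIN_ATTR`, `guessed_dn` and `resolve_dn` are assumptions made for illustration.

```python
import re

# Constructed sample directory mirroring the two records in the report.
DIRECTORY = {
    "cn=jsmith,cn=Users,dc=example,dc=com": {
        "cn": ["jsmith"], "objectClass": ["inetOrgPerson"],
        "sAMAccountName": ["john"]},
    "cn=confluence-users,cn=Groups,dc=example,dc=com": {
        "cn": ["confluence-users"], "objectClass": ["group"],
        "member": ["cn=jsmith,cn=Users,dc=example,dc=com"]},
}
USER_BASE = "cn=Users,dc=example,dc=com"   # assumed configuration value
LOGIN_ATTR = "sAMAccountName"              # assumed configuration value

def escape_filter_value(value):
    """RFC 4515: escape backslash, *, (, ) and NUL in a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def search(ldap_filter):
    """Toy evaluator for a single (attr=value) equality filter."""
    attr, _, raw = ldap_filter[1:-1].partition("=")
    wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                    lambda m: chr(int(m.group(1), 16)), raw).lower()
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if any(v.lower() == wanted for v in attrs.get(attr, [])))

def guessed_dn(login):
    """Behaviour described in the report: DN assembled from the login attribute."""
    return f"{LOGIN_ATTR}={login},{USER_BASE}"

def resolve_dn(login):
    """Find the user by login attribute and use the DN the directory returns."""
    hits = search(f"({LOGIN_ATTR}={escape_filter_value(login)})")
    return hits[0] if len(hits) == 1 else None  # reject missing or ambiguous

def groups_for_dn(dn):
    """Group search keyed only on the member DN, not on the login attribute."""
    return search(f"(member={escape_filter_value(dn)})")

def groups_guessed(login):
    return groups_for_dn(guessed_dn(login))

def groups_resolved(login):
    dn = resolve_dn(login)
    return groups_for_dn(dn) if dn else []

if __name__ == "__main__":
    print("guessed :", groups_guessed("john"))
    print("resolved:", groups_resolved("john"))
```

With the guessed DN the user silently ends up in no groups, which for an application that grants access by group looks like an authorization failure rather than a directory error.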

            Assignee: Unassigned
            Reporter: Matt Ryall
