Uploaded image for project: 'Crowd'
  1. Crowd
  2. CWD-2082

Use tokenGroups attribute for nested group retrievals on AD

    XMLWordPrintable

    Details

    • Feedback Policy:

      Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Description

      It might be possible to improve the performance of nested groups on Active Directory by using the tokenGroups attribute. This is a computed attribute that lists all the nested members of a group by their SID ("objectSid" attribute).

      This was originally suggested in a forum post for Confluence, then developed as a popular custom Atlassian-User implementation by Swisscomm on CONF-17150.

      Workaround

      You can take advantage of how Crowd uses the configuration, and force AD to do this anyway. This will mean your groups are all flattened in Crowd, but you will receive the same performance benefit. To do this, configure the following in the directory in Crowd:

      1. On the "Connector" tab:
        • Uncheck "Use Nested Groups"
        • Uncheck "Use memberOf for group memberships"
        • Check "Use the User Membership Attribute"
      2. On the "Configuration" tab:
        • Change the "User Group Attribute" to "memberOf:1.2.840.113556.1.4.1941:"
      3. Perform a full sync in Crowd
        • If you had the directory configured to perform incremental synchronization, you will need to change it to full synchronization so that Crowd captures changes on nested groups.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              matt@atlassian.com Matt Ryall
              Votes:
              19 Vote for this issue
              Watchers:
              28 Start watching this issue

                Dates

                Created:
                Updated: