Using LDAP_MATCHING_RULE_IN_CHAIN OID for nested group membership stopped working


    • Severity 3 - Minor

      Issue Summary

      Users in the AD nested group are not synced after upgrading Confluence from any version prior to 8.5.x to 9.x.x

      Steps to Reproduce

      1. Set up Microsoft AD
      2. Create users in the AD
      3. Create a parent group and a child group.
      4. Add members to the child group.
      5. Add the child group as a member of the parent group.
      6. Install and configure Confluence 9.2.1
      7. Configure the user directory in Confluence to use the Microsoft AD created earlier.
      8. In the User Membership Attribute field, add memberOf:1.2.840.113556.1.4.1941: and check the boxes for "When finding the user's group membership" and "When finding the members of a group" under "Use the User Membership Attribute".
      9. Save and test
      10. Perform synchronization with the user directory.
      11. The users in the parent group are not visible.

      Expected Results

      The users in the parent group should be visible.

      Actual Results

      The users in the parent group are not visible.

      Workaround

      This is caused by a change to Crowd sync in Crowd 5.3.0 (see Crowd 5.3 Upgrade Notes, LDAP synchronization improvements). The workaround is to disable the new sync:

      • Stop Confluence
      • Take a backup of the <InstallHome>/bin/setenv.sh file
      • Add the JVM parameter below just above the export CATALINA_OPTS line:
        CATALINA_OPTS="-Dcrowd.use.legacy.ad.membership.sync=true ${CATALINA_OPTS}"
        
      • Start Confluence
      • Perform a synchronization
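
The backup and setenv.sh edit from the workaround can be scripted so that reruns do not duplicate the flag. This is an added example, not Atlassian's own tooling; the function name apply_legacy_sync and the backup file naming are assumptions. Stop Confluence before running it and start it again afterwards, as in the steps above.

```shell
#!/bin/sh
# Added example: apply the legacy AD membership sync workaround to setenv.sh.
# apply_legacy_sync is a hypothetical helper name, not an Atlassian tool.

FLAG='-Dcrowd.use.legacy.ad.membership.sync=true'

apply_legacy_sync() {
    setenv="$1"
    [ -f "$setenv" ] || { echo "not found: $setenv" >&2; return 2; }

    # Already applied: leave the file untouched so reruns are safe.
    if grep -qF -- "$FLAG" "$setenv"; then
        echo "flag already present in $setenv"
        return 0
    fi

    # The workaround inserts above the export line; refuse if it is absent.
    if ! grep -qE '^[[:space:]]*export[[:space:]]+CATALINA_OPTS' "$setenv"; then
        echo "no 'export CATALINA_OPTS' line in $setenv" >&2
        return 3
    fi

    # Timestamped backup (naming is an assumption), keeping mode and times.
    backup="$setenv.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$setenv" "$backup" || return 4

    # Insert the flag line once, directly above the first export line.
    tmp="$setenv.tmp.$$"
    awk -v flag="$FLAG" '
        !done && /^[ \t]*export[ \t]+CATALINA_OPTS/ {
            print "CATALINA_OPTS=\"" flag " ${CATALINA_OPTS}\""
            done = 1
        }
        { print }
    ' "$backup" > "$tmp" || { rm -f "$tmp"; return 5; }

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$setenv" && rm -f "$tmp"
    echo "added flag to $setenv (backup: $backup)"
}

# Usage: sh apply_legacy_sync.sh <InstallHome>/bin/setenv.sh
if [ "$#" -gt 0 ]; then
    apply_legacy_sync "$1"
fi
```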

              Assignee: Patryk
              Reporter: Vishnu Prasad P S (Inactive)
              Votes: 1
              Watchers: 10
