Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Change ldap servers and User Unique ID Attribute

Jason Whitener
Jason Whitener February 9, 2018

We are going to be changing from openldap using entryUUID to an active directory using ObjectGUID for the user unique ID attribute.   

 

Can confluence handle that change without issues?   I haven't found much in the way of instructions for doing this.  I did see this thread:  https://community.atlassian.com/t5/Confluence-questions/Confluence-change-LDAP-but-preserve-user-permissions-and/qaq-p/696207

 

and that makes me think that I might need to switch the existing unique attribute to something like username, then add the second directory and have it use username as a unique attribute.  Let them sync a while, then change the second directory to use ObjectGUID, then remove the first directory.  True/false?  

 

I'd rather not make work if none is needed:)

Answer
Watch
Like Be the first to like this
7573 views

3 answers

1 accepted

0 votes
Answer accepted
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 9, 2018

I just left you a voice mail, was hoping to clarify a couple of points before answering true/false. I was not clear on when in the process the users are being migrated to AD.

If you want Confluence to recognize the users in Active Directory as being the same users that were in OpenLDAP, and the user names will be the same in both directories then my recommendation is:

  1. Set the user name as the unique identifier, as you describe, in the Open LDAP User directory in Confluence
  2. Sync the directory
  3. Move or copy the users from OpenLDAP to AD
  4. Create a User Directory in Confluence for AD, initially setting the username as the unique identifier
  5. Synchronize the AD User Directory in Confluence
  6. Edit the AD User directory in Confluence to use objectGUID as User Unique ID Attribute. (This will enable Confluence to pick up user renames from AD)
  7. Synchronize the AD User Directory in Confluence again

There is a lot of room for error so I encourage you to test in a pre-production instance first.

Please make sure to pick the right directory type when you set up the user directory in Confluence because the directory attributes are very different in the different templates, for example:

Screen Shot 2018-02-09 at 4.43.18 PM.png

Screen Shot 2018-02-09 at 4.42.56 PM.png

If you pick OpenLDAP the attributes are as in this screenshot:

Screen Shot 2018-02-09 at 4.28.08 PM.png

Please let me know any follow up questions or if I misunderstood the case.

Cheers,

Ann

View More Comments
Jason Whitener
Jason Whitener February 9, 2018

Thanks.  I'm back at my phone if you have additional questions.

That matches what I envisioned.  Thanks for confirming.   I assume that after both directories have been sync'd using username as the unique identifier, I can disable the first directory, then just change the new one to use the real identifier.  I didn't notice a step in your list to disable/remove the old directory.  

The last step moving from Openldap to Active Directory is mapping all the new attributes and recreating the user filter.  Do you have a list of characters that need to be escaped or treated differently in an ldap search filter in the admin area?  The first thing I'm noticing is that roles in the active directory have spaces in them.  Like:

memberOf=CN=ROLE.APP System FINANCE,OU=Global,OU=Groups,OU=Stuff,DC=, etc... 

I recall a very long time ago having to encode or escape ampersands.  I do not see that in the documentation this time.  

Like
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 12, 2018

Hi Jason,

I didn't focus on the OpenLDAP directory after the migration step because I assumed that OpenLDAP itself would be retired, but you are correct that the old OpenLDAP User Directory should be disabled and eventually deleted to keep from cluttering the instance with legacy relics.

A lot of the filters on this page are written for AD. I have had good results with the filters on this doc: How to write LDAP search filters

It may be that you have to escape certain characters when you use a filter in an XML file, I don't have any experience escaping characters in filters entered in the UI.

Like
Reply
0 votes
Jason Whitener
Jason Whitener February 14, 2018

It did not work.  Everyone logging in has a new account created for them.  

 

 

I'll open a support case and do this more systematically.

View More Comments
jc_j_c_admin
jc_j_c_admin
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
April 24, 2020

This thread is rather old but I've planned to do a similar migration and the steps you described seemed logical to me. How did you solve migrating from one AD to another? Thanks.

Like
Jason Whitener
Jason Whitener June 25, 2020

It did work I believe.  I just had to wait longer and make sure the changes were completely finished between each step.  

Like
Reply
0 votes
Jason Whitener
Jason Whitener February 13, 2018

So after 5 hours of updating users to use the login ID as their unique attribute with the openldap, I added the active directory as a second directory, with it using sAMAccountName as the unique attribute.  Those attributes are identical between the systems.

In the logs, I see this:

2018-02-13 19:25:20,390 INFO [Caesium-1-4] [atlassian.crowd.directory.DbCachingRemoteChangeOperations] addUsers adding [ 97585 ] users

 

I hope its not thinking there are 97,585 new users.    I also cannot test logging in from the user directory test area.  It just spins.  The basic connection was successful.  

 

I'll let it sync for a few hours and see if the behavior changes.  

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.