Hi,
I got this going but I don't know why
I think our Base DN is ok
"ldap.basedn": "dc=canterbury,dc=ac,dc=nz"
Note I don't know much about AD and I have inherited this setup, but our guys who know about AD said it looked right
"ldap.group.dn": "ou=Jira,ou=Research,ou=IT"
This didn't look right though to the AD guys
We did a test and put in a test group under the Jira ou
We could see this test group but no others
so the suggestion was we take away the
ou=Jira,ou=Research,ou=IT from ldap.group.dn
did that and it gave us errors (unfortunately didn't capture the errors)
My thinking here is that this did work but as we have over 20,000 groups it was taking a long time to sync - not sure
so we put the original back in "ou=Jira,ou=Research,ou=IT"
so we see all groups now not just the ones under Jira ou
Actually we see more groups than we want so we need to restrict it
How can we get rid of all AD groups so I can start again?
We are doing this on a test Jira environment
Cheers
Hello, again John,
Once you configure the LDAP connector without an Additional Group DN, the connector will try to bring in all groups under the Base DN. In your case, if the whole AD domain has over 20,000 groups, there will be 20,000 groups in Jira. If you set the Additional Group DN, the LDAP connector will bring in only the groups for that specific OU, which means, based on your example, all groups inside the OU ou=Jira,ou=Research,ou=IT.
To be sure all the groups exist in AD in the OU you want to import groups from, you can double-check using PowerShell with the ActiveDirectory module installed, by running the command below:
PS C:\windows> Get-ADGroup -Filter * -SearchBase "ou=Jira,ou=Research,ou=IT,dc=canterbury,dc=ac,dc=nz"
In the above example, the command will return all groups inside the Jira OU; you can change it to the OU that you want to test.
Once you are sure which OU you want, just update the LDAP connector in Jira.
Stay safe,
Artur Moura
Hi,
How do I get rid of the 20,000 groups so I can then restrict it to just the ones I want?
Cheers
Hi John,
The better way to restrict groups on the OU is to use Group Filter Objects, under Group Schema Settings. This field is used to configure an LDAP search filter, so, for example, you can use the one below:
(&(objectCategory=Group)(cn=Atlassian * group name in a particular env))
With the above example, you can filter by group name.
Cheers,
Artur Moura
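The two suggestions above (checking an OU with Get-ADGroup, then narrowing with an LDAP search filter) can be combined to preview what each connector setting would sync before changing Jira. This is an added example, not part of the original replies; it assumes the connector searches under "Additional Group DN,Base DN", and the name pattern `jira-*` is a hypothetical naming convention to replace with your own.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$BaseDn      = 'dc=canterbury,dc=ac,dc=nz'   # ldap.basedn quoted in the thread
$GroupDn     = 'ou=Jira,ou=Research,ou=IT'   # ldap.group.dn (Additional Group DN)
$NamePattern = 'jira-*'                      # ASSUMPTION: hypothetical group naming convention
$ScopedBase  = "$GroupDn,$BaseDn"            # where the connector looks when Group DN is set

# The three configurations discussed in the thread, from widest to narrowest.
$Scopes = [ordered]@{
    'No Group DN, default filter' = @{ Base = $BaseDn;     Filter = '(objectCategory=Group)' }
    'Group DN, default filter'    = @{ Base = $ScopedBase; Filter = '(objectCategory=Group)' }
    'Group DN, name filter'       = @{ Base = $ScopedBase; Filter = "(&(objectCategory=Group)(cn=$NamePattern))" }
}

# Count how many groups each configuration would pull into Jira.
$Summary = foreach ($Name in $Scopes.Keys) {
    $Scope  = $Scopes[$Name]
    $Groups = @(Get-ADGroup -LDAPFilter $Scope.Filter -SearchBase $Scope.Base `
                            -SearchScope Subtree -ResultPageSize 500)
    [pscustomobject]@{
        Configuration = $Name
        SearchBase    = $Scope.Base
        Filter        = $Scope.Filter
        GroupCount    = $Groups.Count
    }
}
$Summary | Format-Table -AutoSize -Wrap

# List exactly which groups the narrowest configuration matches, so the AD team
# can confirm nothing unintended would be synced.
$Narrow = $Scopes['Group DN, name filter']
Get-ADGroup -LDAPFilter $Narrow.Filter -SearchBase $Narrow.Base -SearchScope Subtree |
    Sort-Object Name |
    Select-Object Name, DistinguishedName
```

The first query enumerates every group in the domain, so on a directory with tens of thousands of groups expect it to take a while.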
Thanks, will try this but how do I get rid of the 20,000 groups so I can then restrict it to just the ones I want?
Cheers
Hi John,
After you set up the Group Filter Objects, the groups that aren't in the filter will be automatically removed from the Jira database.
Cheers,
Artur
Hi,
I have had a month where Jira Test was down with a Java issue :-(
Artur, you provided me with:
(&(objectCategory=Group)(cn=Atlassian * group name in a particular env))
but I am not sure what to do with it.
I have this under Group Schema Settings
Group Object Class: group
Group Object Filter: (objectCategory=Group)
Group Name Attribute: cn
Group Description Attribute: description
my groups are under here:
ou=Jira,ou=Research,ou=IT
Sorry, I am not an AD expert
Cheers,
John
Hi John,
Could you please generate and share the Directory Configuration with us?
We expect to see how your directory is configured and provide you with better information.
In addition, could you confirm the DistinguishedName of the AD group that all Jira users are in?
For the above question, you can engage the AD team to help you confirm that.
Cheers,
Artur Moura