Hey - thanks for your help. I think I got it now :)

I have to choose Option 2 due to massive restrictions of our company AD. 

First I have to check, if my group isn't a nested group - hopefully not. 

If it's not - and our LDAP support the "memberof" attributes, I got a chance that you already provide the valid string :) 

Due to the limitation of Windows based PCs I need to use the powershell ad-cmdlets. 

I'll try on Thursday and give a feedback. 

Thanks again! 

Take a look at the atlassian link, they talk about Nested groups with AD

And this will search for users that are a member of this group, either directly or via nesting:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=CaptainPlanet,ou=users,dc=company,dc=com))

Important for Active Directory to have memberOf:1.2.840.113556.1.4.1941 if you want to find nested groups (do not replace the numeric string) inside CaptainPlanet group.

Hi,

you can try out the Softterra LDAP Browser to play around with LDAP filters.

@Andrew Laden is right: The Additional User/Group DN just set the start search branches in the LDAP tree to search for users / groups.

The way to go is to use the User Object Filter. One hint: Make sure that an email attribute is set on an LDAP user object & don't let user object in your Jira without an email attribute.

We use:

(&(sAMAccountType=805306368)(mail=*)(!(|(cn=ws*)(cn=ts*))))

The filter on users having a cn starting with ws (webservice) and ts (technical service) is specific to our AD. The sAMAccountType accelerates search for users. 

Be careful with nested groups.

Best

JP

Sorry, but I need to describe it step by step, because I'm not an AD-specialist. I was lucky that I found the Base DN Settings in another document for a complete diffrent topic, so I just copied and pasted it.

Otherwise I'would never be able to pass that configuration :)

But now it seems, that I need to make special commands :(

So here's what I understand:

I need to go to the AD Configuration page.

Than going to the entrie "Additional Group DN"

and now? What do I need to write in there?

Just the group I want the synchronization to work with - or do I need some of that (for me) cryptic things like OU=, DC= blablabla.

Info: The AD itself or any content can not be edited due to restrictions. It's just possible to use it for authentification - nothing more.

You need to find a commonality between all the users that you would want to sync from your AD.

All your JIRA Users in the AD, if they fall under one common group then you can use the DN which is common between all users .

You will have to get a help from some AD Admin who administers your organization AD and who can give you the requisite DN format 

Like in some firms I know, all users are a member of one common group in AD - so that is the common point from where you can start.

Mhhh seems that I dont understand it right.

I thought the Base DN that I set up ist the commonality between all users - complete AD with 200.000 people.

And to minimize this full sync I have to add a parameter in the field "Additional Group DN"

But your last post confused me because it sounds for me that i have to set the Base DN including the parameter for the specific AD-group.

Sorry, but english is not my native language - maybe theres a translation error in my brain :)

Hi, @Martin Krimpelbein

I have the same question. Did you come up with a graceful solution? 

Our AD sync appears to be limited to active AD users, but we are only assigning Jira or Confluence seats to a small subset of those users right now, and have specific AD security groups linked to Jira or Confluence groups.. It would be useful to have the AD sync happening but exclude the many thousand users who are not attached to one of the Atlassian-specific AD security groups, so that those many thousand users do not show up when mentioning users or assigning issues to users. Here we also have a lot of service accounts and secondary AD accounts for admin users. Right now, our biggest concern is that we would assign an issue to the "wrong" user, because there are just too many to choose from. 

Any ideas on this would be appreciated. 

Thanks. 

@Mark Mulik 

Sadly - I ended up and setting up a specific group in our active directory and syncing only this group to Jira.

So every new user (or customer) need to order the group membership first.

I know that this isn't a good solution - but I couldn't find any better solution if you are working for a multi national company with 200.000+ employees.

Thanks, @Martin Krimpelbein . Not what I was hoping to hear, but I appreciate your response.

We manage Jira and Confluence permissions via membership in several different AD security groups, which match up with appropriate Atlassian groups. In this way, we are managing the user permissions from within AD and not having to make changes in Jira and Confluence as users come and go. We are already used to having an AD administrator have to manually add users to the appropriate security groups. Do you use the same approach? I'm wondering at the prospect of having an "Atlassian" OU, then associating all of those security groups with that OU, then syncing only that new OU. That would seemingly do the same thing I'm trying to achieve. 

Thanks.

Yes - I think we doing it the same way - but a little bit simpler because I just got ONE group for jira and confluence user.

So if a user request the group membership via the AD-group (and is granted) the user is only capable to add issues via Jira SD.

Everything else (licence for service desk / software or confluence) has to be done manually by me. :)

That's the price of the not "user friendly" licence topic by Atlassian. Due to the extrem steps (100-250-500) I need to revise my licences very accurate.

Only focusing to never get over 250 licences ... because worst case - i need to pay 500 licences for only 251 users...

And NO - the cloud with the "per user" mode is not a solution. At least not if you're interested in data security. Only stupid people will host their personal data (customers e.g) in a cloud that is always full accessible by the US law enforcements...

Hi, @Martin Krimpelbein 

A consultant working for us came up with a solution that relies on Group Object Filter settings, which can be found under Admin>User management>User Directories>Configure LDAP User Directory. 

Basically, he made it so the AD sync takes place against the whole of our AD, but then filters out users who are not members of specific AD security groups, so that we don't see those users when we assign issues in Jira or Mention users in Jira or Confluence. It's exactly what we were looking for.

We already use the AD security groups to provide different access permissions within Jira and Confluence. Active AD users who aren't a member of such a security group do not have access to the Atlassian tools, but until the Group Object Filter changes were applied, those non-Atlassian users showed up in Jira when going to assign an issue and in Jira and Confluence when Mentioning a user. Effectively, they cluttered up the systems. 

Very happy with the solution. If interested in the solution, please advise. 

Hi @Mark Mulik

i'd love to hear what the consultant actually did in terms of settings changed etc.

Dan