LDAP Nested Groups Fail Due to BaseDN and FQDN mismatch
Symptoms
Nested Group Memberships are not reflected in Confluence, despite using the correct configuration, and having it properly setup in LDAP.
Diagnosis
Compare the LDIF exports of the groups and users involved with your Directory Configuration Summary from Confluence Admin >> User Directories >> Directory Configuration Summary. Make sure that the LDAP attributes are properly mapped, especially the membership, username and group name attributes. Ensure that the Nested Groups option is turned on. If none of these work, enable DEBUG logging for all com.atlassian.crowd, com.atlassian.crowd.directory and com.atlassian.crowd.embedded classes in Confluence Admin >> Logging and Profiling. See Configuring Logging.
After that, try to sync the directory again, and when the sync is complete, open up the logs and look for these:
2012-06-18 18:27:27,424 DEBUG [scheduler_Worker-10] [atlassian.crowd.directory.SpringLDAPConnector] findEntityByDN Entity DN <cn=exampleGroup,dc=Example,dc=com> is outside the entity base DN subtree scope <dc=example,dc=com>
Cause
Case mismatch between the Base DN configured in the directory's configuration in Confluence Admin >> User Directories versus the actual group's FQDN (based on the LDIF export).
For the above example, notice that the group's FQDN is cn=exampleGroup,dc=Example,dc=com, while the configured base DN is dc=example,dc=com (note the capital 'E' in the FQDN versus the lower-case 'e' in the Base DN: dc=Example,dc=com versus dc=example,dc=com).
Resolution
There are two ways to resolve this:
- Turn off "Naive DN Matching" in the directory's configuration (Confluence Admin >> User Directories >> edit the directory >> Advanced Settings), or
- Change the Base DN in the directory's configuration to match the group's DN casing (for the example above, change the base DN to dc=Example,dc=com).