Users do not retain LDAP group memberships due to POSIX LDAP or incorrect membership attribute

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

Users can authenticate, but do not have their LDAP group memberships.

Diagnosis

This is caused either by a misconfiguration of the membership attribute or by a directory that uses the POSIX schema.

  1. The most likely cause is an incorrect membership ID in the LDAP configuration. To confirm, view a user's or group's record. If the group contains a memberUid attribute whose value is simply a username rather than a fully qualified DN, see resolution 1.

  2. This problem can also be caused by an incorrect membership attribute in the directory configuration, i.e. the membership attribute is configured as 'username' while in the LDAP directory itself the membership attribute holds the DN. See resolution 2.

  3. If the membership settings are correct, this issue may be because you are using a POSIX LDAP repository. See resolution 3.
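
The check in steps 1 and 2 can be scripted against an export of the group entries. The following is an added example, not Atlassian's code: it parses a constructed LDIF sample, reports whether each group links members by full DN (`member`/`uniqueMember`) or by bare username (`memberUid`, the POSIX form), and lists the groups that disagree with the attribute and value style configured on the directory connector.

```python
"""Compare how LDAP groups actually reference members with the connector's membership settings."""
import re

# Attributes commonly used to link users to groups (assumption: groupOfNames,
# groupOfUniqueNames and posixGroup schemas).
MEMBER_ATTRS = ("member", "uniqueMember", "memberUid")

# A full DN looks like "uid=alice,ou=people,dc=example,dc=com"; a bare username does not.
DN_RE = re.compile(r"^\s*\w+=[^,]+(,\s*\w+=[^,]+)*\s*$")

# Constructed sample: one DN-based group and one POSIX group.
SAMPLE_LDIF = """\
dn: cn=jira-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: jira-users
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 5000
memberUid: alice
memberUid: carol
"""

def parse_ldif(text):
    """Minimal LDIF parser (no base64 '::' values): list of {lowercase attr: [values]}."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def member_style(entry):
    """Return (attribute, style); style is 'dn' if every value is a DN, else 'username'."""
    for attr in MEMBER_ATTRS:
        values = entry.get(attr.lower())
        if values:
            return attr, "dn" if all(DN_RE.match(v) for v in values) else "username"
    return None, "none"

def find_mismatches(entries, configured_attr, configured_dn):
    """Groups whose linkage attribute or value style differs from the connector settings.
    configured_dn is True when the connector expects DN values, False for usernames (POSIX)."""
    mismatches = []
    for entry in entries:
        attr, style = member_style(entry)
        if attr is None:
            continue
        if attr.lower() != configured_attr.lower() or (style == "dn") != configured_dn:
            mismatches.append((entry["dn"][0], attr, style))
    return mismatches
```

Run `find_mismatches(parse_ldif(SAMPLE_LDIF), "member", True)` to see the POSIX group flagged against a DN-based connector configuration; swapping in `"memberUid", False` flags the groupOfNames entry instead.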

Resolution

Resolution 1 - Membership ID in LDAP

Confirm which attribute the LDAP directory uses to link users to groups. If its values are not fully qualified DNs, change it so that they are.

Resolution 2 - Membership attribute in directory configuration

Check Connecting to an LDAP Directory, paying particular attention to the membership settings. Ensure that the membership attribute selected is the one holding the fully qualified DN, and that the LDAP directory itself is populated the same way.

Resolution 3 - POSIX directory

Confirm that you are using a POSIX directory schema. Edit the directory configuration, and set the type of LDAP connection to POSIX from the drop-down list of LDAP connection types, then resync.

See Configuring an LDAP Directory Connector for more information on POSIX, and directory types.

Updated on April 8, 2025
