This document outlines how to go about constructing a more sophisticated filter for the User Object Filter and Group Object Filter attributes in your LDAP configuration for Atlassian applications.
What is a filter
Filters can be used to restrict the numbers of users or groups that are permitted to access an application. In essence, the filter limits what part of the LDAP tree the application syncs from.
A filter can and should be written for both user and group membership. This ensures that you are not flooding your application with users and groups that do not need access.
When constructing a filter it is best to pick a common attribute of the set of users you want to allow access to the application. This is most often the attribute that denotes group membership or anobjectClasslike "Person"
The attribute used to denote membership in a group is not common to all flavors of LDAP. Examples of this attribute can be "groupMembership" or "Member"
How do I match more than one attribute?
For example, if my users are distinguished by having two objectClass attributes (one equal to 'person' and another to 'user'), this is how I would match for it:
ampersand symbol '&' symbol at the start. Translated this means: search for objectClass=person AND object=user.
Translated this means: search for objectClass=person OR object=user.
pipe symbol '|' denotes 'OR'. As this is not a special XML character, it should not need escaping.
This means: search for all entries that have objectClass=user AND cn that contains the word 'Marketing'.
Wildcards are unable to be used infiltersusing ! (or NOT) logical operators. See below
How do I match 3 attributes?
Just add an extra clause:
Extra clauses can be added for more than three attributes too.
Matching Components of Distinguished Names
As Microsoft Active Directory does not implement extensible matching, the following examples won't work with it.
You may want to match part of a DN, for instance when you need to look for your groups in two subtrees of your server.
will find groups with an OU component of their DN which is either 'Chicago' or 'Miami'.
To exclude entities which match an expression, use '!'.
will find all Chicago groups except those with a Wrigleyville OU component.
Note the extra parentheses: (!(<expression>))
Note that if using 'not' (ie. '!' to exclude objects) it must be represented as the entity '!' in your XML file if you are using Confluence 3.4 or below.
For Confluence 3.4 and below, once you have constructed your search filter using this document, you must escape the ampersand symbol and the exclamation mark symbol before adding to your XML file. So for example;
Refer to this external documentation on other XML characters that need escaping.becomes
These filters are written for Active Directory. In order to use them for something suchasOpenLDAP the attributes will need to be changed.
This will only synchronise users in the 'CaptainPlanet' group - this should be applied to the User Object Filter:
And this will search for users that are a member of this group, either directly or via nesting:
Important for Active Directory to have memberOf:1.2.840.1135126.96.36.1991 if you want to find nested groups (do not replace the numeric string) inside CaptainPlanet group.
This will search for users who are a member of any or all the 4 groups (fire, wind,water,heart)