5

I have Jira 5.x locally installed and an OpenLDAP Server with Users and Groups. The Synchronisation in Jira gets all users and groups perfectly, but the users do not belong to any group. I've set the default groups to enable LDAP users to log in to Jira.

What am I doing wrong?

This is the LDAP Schema:

dn: uid=demo.user@domain.com,ou=intern,ou=people,dc=company,dc=local
objectClass: posixAccount
objectClass: account
objectClass: ldapPublicKey
homeDirectory: /home/demouser
loginShell: /bin/bash
cn: Demo User
uidNumber: 10001
gidNumber: 10001
userPassword: {SSHA}xxxxxxxxxxx
uid: demo.user@domain.com


dn: cn=groupname,ou=project,ou=group,dc=company,dc=local
objectClass: posixGroup
description: a funny group for a project
gidNumber: 10018
cn: groupname
memberUid: demo.user@domain.com
memberUid: xyz
memberUid: ...

If I run the Test in Jira, I'm getting the following error Message:

Test get user's memberships with 0 groups retrieved. : Failed

And these are the Settings in Jira: [screenshot: Jira Settings]

ekad
Thomas Spycher

1 Answer

9

We experienced a similar problem. It seemed that JIRA insists on including the User Membership Attribute - which is from the user schema - such as "memberOf" regardless of whether you already have the Group Members Attribute. However it should be an either / or option - either Group Membership Attribute (eg. memberUid in the group schema) OR User Membership Attribute (eg. memberOf in the user schema), as they fulfill more or less the same function.

The problem was solved when we noticed there are actually two closely related options for the directory type: "OpenLDAP" and "OpenLDAP (Read-only Posix Schema)". As we were using the posixGroup schema (as in your example), choosing the Read-only Posix Schema solved the issue. If you go to the Server Settings section at the top, you should see both options in the drop down list.

In addition, you should be able to switch from "Read Only, with Local Groups" to "Read Only" in the LDAP Permissions section (if you wanted to). One caveat is that we were using the inetOrgPerson and shadowAccount schemas (rather than account, as in your example) in conjunction with posixAccount for the user schemas.

  • I was fighting on a fix for the past 24 hrs on a new JIRA installation. You made my day. Thank you – Chakri Oct 16 '13 at 21:04
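
The two membership models the answer contrasts, as an added example that is not part of the original answer or of Jira's code: it resolves a user's groups from the question's posixGroup layout (bare uid in `memberUid`) and from a DN-valued layout (`memberOf` on the user). The function names, the trimmed sample LDIF and the DN-valued group attribute `member` are assumptions made for illustration.

```python
# Constructed sample data, trimmed from the LDIF shown in the question.
SAMPLE_LDIF = """\
dn: uid=demo.user@domain.com,ou=intern,ou=people,dc=company,dc=local
objectClass: posixAccount
uid: demo.user@domain.com

dn: cn=groupname,ou=project,ou=group,dc=company,dc=local
objectClass: posixGroup
cn: groupname
memberUid: demo.user@domain.com
memberUid: xyz
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            # LDAP attribute names are case-insensitive, so normalise them.
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def find_user(entries, uid):
    """Return the first entry whose uid attribute matches, or None."""
    return next((e for e in entries if uid in e.get("uid", [])), None)

def groups_posix(entries, user):
    """posixGroup model: the group lists bare uid values in memberUid."""
    uids = set(user.get("uid", []))
    return sorted(
        g["cn"][0] for g in entries
        if "posixgroup" in (v.lower() for v in g.get("objectclass", []))
        and uids & set(g.get("memberuid", []))
    )

def groups_dn_based(entries, user):
    """DN-valued model: 'member' (assumed) on the group or memberOf on the user."""
    user_dn, member_of = user["dn"][0], set(user.get("memberof", []))
    return sorted(
        g["cn"][0] for g in entries
        if user_dn in g.get("member", []) or g["dn"][0] in member_of
    )

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user = find_user(entries, "demo.user@domain.com")
    print("posix:", groups_posix(entries, user), "dn-based:", groups_dn_based(entries, user))
```

On this data the DN-valued lookup returns no groups while the posix lookup returns `groupname`, which is the same mismatch as the "0 groups retrieved" test result in the question.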