Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How do I stop a delegated directory from automatically adding LDAP users?

Rob Wiskow1
Rob Wiskow July 6, 2011

We're using crowd with a Delegated LDAP directory. The problem is that there are a lot more users in our domain than need access to our atlassian suite (and more than our crowd license count). But people will occasionally try to log into something anyway, and then it automatically creates a user in crowd for them, eating up a license, even though they shouldn't have access to anything. Is there a way to disable this "feature"?

Answer
Watch
Like Colin Goudie likes this
2528 views

4 answers

1 accepted

3 votes
Answer accepted
Martin Cooper3
Martin Cooper
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 6, 2011

The Crowd LDAP delegated directory will see all users in LDAP returned by the ldap connection query. This does not mean that they will count towards your license.

"Licensing fees are quoted per total number of 'Crowd users'. A Crowd user is defined as any user account that can authenticate against one or more applications. "

and

"Crowd licenses are based on the number of end-users who will log in to the applications that are integrated with Crowd."

If the users are not mapped to an application they are not counted, only when they can authenticate to an application do they become active.

So if you restrict Authentication to groups as along as the groups are controlled, it should not be an issue.

But i think your referring to the per application settings that enable account creation on succesful login, if one does not already exist. In pre 4.3. Jira the ldap connection needed a local Jira account as well, so unless one existed the login would not work. So there was the option to creat the local account on succesful login.

It may be a variant of this behaviour you are experiencing, if so i'm sure this is configurable at the application level, what applications are you running and at what versions?

View More Comments
Rob Wiskow1
Rob Wiskow July 7, 2011

We're running the latest of Jira and Confluence. As you point out, the users that count towards the license limit would need to have access to an app, so this is actually fine for us.

Thanks.

Like
Ivar
Ivar
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 2, 2011

Same issue for us. It is not the actual number of users with log in rights that I'm 'concerned' with. It is more the lack of usability when the connector give me all AD users in the two different AD groups my actual users are located in - total number of AD users is about 400 - total number of actual users using Crowd and related applications - < 50. So I have to navigate all 400 in order to find the 50 that I need.

I have removed some, but they will come back on next sync, so I've stopped doing that.

Like
Tarun Sapra
Tarun Sapra
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
July 21, 2014

Hi All,

We are also facing this issue wherein users are automatically added to crowd, we are using Crowd 2.4, though they never count towards license as you need to be part group for that but still importing such a large list of users by crowd from ldap just doesn't make sense.

Like
Reply
0 votes
Septa Cahyadiputra
Septa Cahyadiputra
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 9, 2015

Hi there,

Just want to confirm that we do have an improvement request regarding this issue and workaround is provided in it:

https://jira.atlassian.com/browse/CWD-3554

Hope it helps.

Cheers,
Septa Cahyadiputra 

Reply
0 votes
Tarun Sapra
Tarun Sapra
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
July 21, 2014

Hi All,

We are also facing this issue wherein users are automatically added to crowd, we are using Crowd 2.4, though they never count towards license as you need to be part group for that but still importing such a large list of users by crowd from ldap just doesn't make sense.

Reply
0 votes
MatthewC
MatthewC
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 6, 2011

Hi Rob,

It's quite easy, we have the same setup with Crowd backing Jira/Confluence/Build Servers. We're in a small business unit (3000) in a larger company (10s of 1000s) and we only allow about 2000 users access to the Atlassian tools.

  1. Login to Crowd
  2. Select Applications
  3. Select one of the Atlassian apps
  4. Select the directories tab
  5. Next to your delegated LDAP directory, change the "Allow All to Authenticate" to "False"
  6. Then select the Groups tab, add in your jira-users, confluence-users (or whatever) from the delegated LDAP directory (and it has to be this directory, not a same named group in another directory)
  7. Make sure all your existing users are a member of thsi group. If you don't know who these are, you can a list using some SQL on the Crowd DB.
  8. Repeat for your other apps

e.g. for a list of jira-users from a specific directory, change the ID to by the index number of your directory.

select display_name, lower_email_address, lower_user_name from "CROWD"."dbo"."cwd_membership" ms, cwd_user where ms.lower_child_name=cwd_user.user_name and parent_name='jira-users' and cwd_user.directory_id=4 order by lower_user_name;

View More Comments
Rob Wiskow1
Rob Wiskow July 6, 2011

We've got "Allow All to Authenticate" disabled, but it still adds users to crowd.

Like Charlie Misonne likes this
Reply

Suggest an answer

Log in or Sign up to answer
Crowd
Crowd
TAGS
AUG Leaders

Atlassian Community Events

    See all events