We've recently installed Crowd in our Test environment, which has Bitbucket (BB), JIRA, and Confluence. We've created a Delegated AD directory in Crowd, and we can manually add AD/LDAP-based users to that Directory. We'd like to use this Directory for ALL of the apps, so we only have to create users in one Directory, and so that groups are consistent across all apps.
We added 12 users to Crowd, and put all of them into a "bitbucket-users" group.
We created an Application for BB in Crowd, and configured it so that only members of the bitbucket-users group can log into the Application. We then linked BB to this Crowd Directory/Application, and the users can login. Removing a user from the bitbucket-users group (and re-sync'ing the Dir inside BB) prevents the user from logging in. Up that point, everything seemed to work exactly as as wanted.
However, after removing some users from the bitbucket-users group as described above, the BB license count does NOT go down. Since BB can see the whole Crowd Directory (12 users), it's assigning licenses to all 12 of them. However, only 10 of them can login, after removing 2 of them from the bitbucket-users group.
We need BB to only consume 10 licenses (the # of users in the bitbucket-users group, i.e., the # of users who can actually login), and to NOT consume a license for every user in the Directory. We have 250 BB licenses, and 2000 Confluence licenses, but if we add our 2000 Confluence users to the same Directory (using different groups), BB will still see those 2000 users and we'll be over our license limit.
I'm hoping that I'm missing something, but if not, I see some options, none of which I love:
is there anything I'm missing, or better ways to do this? How do others setup their Crowd Directories and Applications?
Currently the list of groups defined for the application in Crowd limits which users can authenticate, but doesn't impact synchronisation (i.e. all users and groups from the directories assigned to the application will be synchronised). There's a feature request to change this behaviour here. Please have a look, vote for it and comment with your use case.
In the interim you should be able to keep using a shared directory by making sure that only the 'bitbucket-users' group has the 'Bitbucket User' global permission in Bitbucket Server. This will cause only users that are members of that group to consume a license in Bitbucket, while other users will not. See here for more details on configuring global permissions in Bitbucket Server.
Thanks, you're right. I wasn't watching the "Bitbucket User" global permission closely enough. Several of the folks I was removing from the bitbucket-users group were also directly in the "Bitbucket User" global permissions as admins, so removing them from the group was not affecting the license count since they still had global permissions.
Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs