Stash can't see a new user in Active Directory

I have a Stash server configured with external User   Directory (Active Directory). It worked fine.  I can see a lot of our users in Stash (/Administration/User) and they can log in into the Stash.

But now a new user was created in our AD and Stash can't find him. I run full synchronization, restarted Stash. Nothing helps. Evething is good, no errors but  no user in Stash.

How can I diagnose what is wrong with synchronization in Stash?


Some more details on my configuration. The missing user is located under the same node in AD as other ones. And it has the same userClass (user) and objectCategory (Person).I can see the user in AD with Apache Directory Studio. I can find it with the filter used by Stash ( "(&(objectCategory=Person)(sAMAccountName=*))").

I really can't see any difference between "good users" and the "bad one".

3 answers

1 accepted

1 vote
Answer accepted

The solution:

Turn off "Manage User Status Locally" option in Advanced Settings in "Configure LDAP User Directory" and re-run synch.

The cause:

Stash with enabled "Manage User Status Locally" option cache users' status (enabled\disabled) forever. For example during first synch when Stash found a user he was disabled so Stash creates in internal DB a user record with IS_ACTIVE='F' flag and do not change it anymore. Even after that the user is enabled in LDAP he is still disabled in Stash. Disabled users are not shown in Administration/Users, so the only way to find out user's status is to look in DB:

select * from cwd_user where directory_id = 229377 and lower_user_name = 'jsmith';

0 votes

Are you using delegated authentication? If so, ask the user to login once.

If not, check if the missing user and others are in the same groups or not. You can also check the user filter and group filter settings under Advanced settings of the directory configuration.

In Administration/Users I see all users even those who did't login ever. The missing user can't login (it's normal as he is missing in Stash). I believe that extracting users from the Directory should NOT depend on user' group membership. I provided the filter for users ("User Object Filter") in my question.

"I believe that extracting users from the Directory should NOT depend on user' group membership. ". It is not - by default but you have the option to do that if you want. Worth checking if someone added a group filter or not. Did you check the groups of the missing user and compared him with others?

I'm not sure that I understand you. "Group filter" is a filter for extracting group (un Groupd Schema Settings) is it? Or you're referring something else? I Groups memberships are differrent indeed. It's ok as different users are included in different groups, it's very hard to compare. They are should not be identical. All AD users automatically are included in local stash-users group.

Ah sorry, I got confused myself. Yes, you only need to worry about the user filter for missing users. I can't figure out anything wrong from the settings you attached. If it is not delegated auth, users should come across as long as they are under the correct base dn.

Agree with Jobin, the user is probably excluded by the user filter. Check the user's LDAP record against the filter.

Here's my LDAP settings:


Suggest an answer

Log in or Sign up to answer
Community showcase
Published Thursday in Bitbucket Pipelines

Building a Bitbucket Pipe as a casual coder :  #!/bin/bash source "$(dirname "$0")/" enable_debug extra_args="" if [[ "${DEBUG}" == "true" ]]; then extra_args="--verbose" fi # mandatory variables ROLLBAR_ACCESS_TOKEN...

186 views 0 12
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you