Stash can't see a new user in Active Directory

Sergei Dorogin
Contributor
June 3, 2015

I have a Stash server configured with an external User Directory (Active Directory). It worked fine. I can see a lot of our users in Stash (/Administration/User) and they can log in to Stash.

But now a new user was created in our AD and Stash can't find him. I ran a full synchronization and restarted Stash. Nothing helps. Everything is good, no errors, but no user in Stash.

How can I diagnose what is wrong with synchronization in Stash?

 

Some more details on my configuration. The missing user is located under the same node in AD as the other ones. And it has the same userClass (user) and objectCategory (Person). I can see the user in AD with Apache Directory Studio. I can find it with the filter used by Stash ("(&(objectCategory=Person)(sAMAccountName=*))").

I really can't see any difference between "good users" and the "bad one".

3 answers

1 accepted

1 vote
Answer accepted
Sergei Dorogin
Contributor
June 4, 2015

The solution:

Turn off "Manage User Status Locally" option in Advanced Settings in "Configure LDAP User Directory" and re-run synch.

The cause:

Stash with the "Manage User Status Locally" option enabled caches users' status (enabled/disabled) forever. For example, if a user was disabled when Stash found him during the first synch, Stash creates a user record in its internal DB with the IS_ACTIVE='F' flag and does not change it anymore. Even after the user is enabled in LDAP, he is still disabled in Stash. Disabled users are not shown in Administration/Users, so the only way to find out a user's status is to look in the DB:

select * from cwd_user where directory_id = 229377 and lower_user_name = 'jsmith';
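
Added example, not part of the original answer and not Atlassian's code: a check for the status drift described above, comparing each account's enabled state in AD (the ACCOUNTDISABLE bit, 0x0002, of userAccountControl) with the IS_ACTIVE flag in cwd_user. It goes beyond the one case in the answer by also flagging the opposite mismatch and users absent from Stash. The in-memory SQLite table stands in for Stash's database and holds only the columns named in the answer; all sample rows and the function names are constructed for illustration.

```python
import sqlite3

ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit: account is disabled

# Constructed sample data: AD entries as (sAMAccountName, userAccountControl).
AD_ENTRIES = [
    ("jsmith", 512),   # normal account, enabled in AD
    ("adoe", 514),     # normal account with ACCOUNTDISABLE set
    ("bwayne", 512),
    ("newhire", 512),  # has no cwd_user row at all
]
# Constructed rows: (directory_id, lower_user_name, is_active).
STASH_ROWS = [
    (229377, "jsmith", "F"),  # cached as disabled at first synch
    (229377, "adoe", "T"),
    (229377, "bwayne", "T"),
    (1, "admin", "T"),        # belongs to a different directory
]

def build_sample_db():
    """Create an in-memory stand-in for the cwd_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cwd_user "
                 "(directory_id integer, lower_user_name text, is_active text)")
    conn.executemany("insert into cwd_user values (?, ?, ?)", STASH_ROWS)
    return conn

def load_stash_status(conn, directory_id):
    """Map lower_user_name -> True/False (active) for one directory."""
    cur = conn.execute("select lower_user_name, is_active from cwd_user "
                       "where directory_id = ?", (directory_id,))
    return {name: flag == "T" for name, flag in cur}

def find_status_drift(ad_entries, stash_status):
    """Return sorted (user, finding) pairs where AD and Stash disagree."""
    drift = []
    for sam, uac in ad_entries:
        name = sam.lower()
        ad_enabled = not (int(uac) & ACCOUNTDISABLE)
        if name not in stash_status:
            drift.append((name, "missing_in_stash"))
        elif ad_enabled and not stash_status[name]:
            drift.append((name, "enabled_in_ad_inactive_in_stash"))
        elif not ad_enabled and stash_status[name]:
            drift.append((name, "disabled_in_ad_active_in_stash"))
    return sorted(drift)

if __name__ == "__main__":
    status = load_stash_status(build_sample_db(), 229377)
    for name, finding in find_status_drift(AD_ENTRIES, status):
        print(f"{name}: {finding}")
```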

0 votes
Sergei Dorogin
Contributor
June 3, 2015

Here's my LDAP settings:

stash_ldap_config.jpg

0 votes
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 3, 2015

Are you using delegated authentication? If so, ask the user to login once.

If not, check if the missing user and others are in the same groups or not. You can also check the user filter and group filter settings under Advanced settings of the directory configuration.

Sergei Dorogin
Contributor
June 3, 2015

In Administration/Users I see all users, even those who didn't ever log in. The missing user can't log in (it's normal as he is missing in Stash). I believe that extracting users from the Directory should NOT depend on user's group membership. I provided the filter for users ("User Object Filter") in my question.

Jobin Kuruvilla [Adaptavist]
Rising Star
June 3, 2015

"I believe that extracting users from the Directory should NOT depend on user's group membership." It is not, by default, but you have the option to do that if you want. Worth checking if someone added a group filter or not. Did you check the groups of the missing user and compare him with others?

Sergei Dorogin
Contributor
June 3, 2015

I'm not sure that I understand you. "Group filter" is a filter for extracting groups (in Group Schema Settings), is it? Or are you referring to something else? Group memberships are different indeed. It's OK, as different users are included in different groups; it's very hard to compare. They should not be identical. All AD users are automatically included in the local stash-users group.

Jobin Kuruvilla [Adaptavist]
Rising Star
June 3, 2015

Ah sorry, I got confused myself. Yes, you only need to worry about the user filter for missing users. I can't figure out anything wrong from the settings you attached. If it is not delegated auth, users should come across as long as they are under the correct base dn.

Balázs Szakmáry
Rising Star
June 3, 2015

Agree with Jobin, the user is probably excluded by the user filter. Check the user's LDAP record against the filter.
