I have a Stash server configured with external User Directory (Active Directory). It worked fine. I can see a lot of our users in Stash (/Administration/User) and they can log in into the Stash.
But now a new user was created in our AD and Stash can't find him. I run full synchronization, restarted Stash. Nothing helps. Evething is good, no errors but no user in Stash.
How can I diagnose what is wrong with synchronization in Stash?
Some more details on my configuration. The missing user is located under the same node in AD as other ones. And it has the same userClass (user) and objectCategory (Person).I can see the user in AD with Apache Directory Studio. I can find it with the filter used by Stash ( "(&(objectCategory=Person)(sAMAccountName=*))").
I really can't see any difference between "good users" and the "bad one".
Turn off "Manage User Status Locally" option in Advanced Settings in "Configure LDAP User Directory" and re-run synch.
Stash with enabled "Manage User Status Locally" option cache users' status (enabled\disabled) forever. For example during first synch when Stash found a user he was disabled so Stash creates in internal DB a user record with IS_ACTIVE='F' flag and do not change it anymore. Even after that the user is enabled in LDAP he is still disabled in Stash. Disabled users are not shown in Administration/Users, so the only way to find out user's status is to look in DB:
select * from cwd_user where directory_id = 229377 and lower_user_name = 'jsmith';
Are you using delegated authentication? If so, ask the user to login once.
If not, check if the missing user and others are in the same groups or not. You can also check the user filter and group filter settings under Advanced settings of the directory configuration.
In Administration/Users I see all users even those who did't login ever. The missing user can't login (it's normal as he is missing in Stash). I believe that extracting users from the Directory should NOT depend on user' group membership. I provided the filter for users ("User Object Filter") in my question.
"I believe that extracting users from the Directory should NOT depend on user' group membership. ". It is not - by default but you have the option to do that if you want. Worth checking if someone added a group filter or not. Did you check the groups of the missing user and compared him with others?
I'm not sure that I understand you. "Group filter" is a filter for extracting group (un Groupd Schema Settings) is it? Or you're referring something else? I Groups memberships are differrent indeed. It's ok as different users are included in different groups, it's very hard to compare. They are should not be identical. All AD users automatically are included in local stash-users group.
Ah sorry, I got confused myself. Yes, you only need to worry about the user filter for missing users. I can't figure out anything wrong from the settings you attached. If it is not delegated auth, users should come across as long as they are under the correct base dn.
This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.Read more
Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs