Switching authentication type from LDAP to internal delegated LDAP

Dear experts,

We've got a production Stash server set up to authorize users via LDAP. The registration is as easy as logging in for the first time. But such ease is already starting to impact our license count.

So it was decided to restrict this by switching to another authentication method - delegated LDAP on the same global directory.

But there are lots (hundreds) of registered users already, all of them having certain access permissions.

What would be the most correct and less painful way of changing the authentication method? My biggest concern is to keep the list of current users with all their settings, i.e. they should under no circumstances be "forgotten" by the server.

Thank you in advance.

2 answers

1 accepted

0 votes
Answer accepted

Hi Max,

The safest way is to create a new user directory using delegated LDAP and disabling, but not deleting your old directory. This will prevent the existing users from being marked as deleted, retain all existing settings and still stop the directory from synchronizing new users.

The steps:

  1. Optional: Create a sysadmin user in the internal user directory so you can always log in as a sysadmin if things go wrong.
  2. Take a backup of the system before you begin.
  3. Set up your new user directory based on delegated LDAP authentication.
  4. Change the order of your user directories to make the new delegated LDAP directory come before your old one.
  5. Disable the old user directory.
  6. Verify that things work as expected. Create a test user in LDAP and verify that you can log in to Stash as that user. Verify that existing users can still log in and that they have retained their permissions and SSH keys.
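
An added helper for steps 2 and 6 (not code from the original answer or from Atlassian): it snapshots every user and their global permission through the Stash/Bitbucket Server REST API before the directory switch and diffs that against a snapshot taken afterwards, so any account the switch "forgot" or whose permission changed shows up by name. The endpoint paths, the paged response shape and the `user`/`permission` fields are assumptions to confirm against your version.

```python
import base64
import json
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# ASSUMED endpoint paths and paging shape (start/limit, isLastPage, nextPageStart) of the
# Bitbucket Server / Stash REST API; confirm them against your instance's version first.
USERS_PATH = "/rest/api/1.0/admin/users"
GLOBAL_PERMS_PATH = "/rest/api/1.0/admin/permissions/users"


def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_get_json(url, auth_header):
    req = Request(url, headers={"Authorization": auth_header, "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def page_through(fetch, base_url, path, limit=100):
    """Yield every item of a paged collection; `fetch(url) -> dict` is injectable for tests."""
    start = 0
    while True:
        page = fetch(f"{base_url}{path}?{urlencode({'start': start, 'limit': limit})}")
        yield from page.get("values", [])
        if page.get("isLastPage", True):
            return
        start = page["nextPageStart"]


def snapshot(fetch, base_url):
    """Map slug -> {'name', 'global'}; take one before (step 2) and one after (step 6), then diff."""
    users = {u["slug"]: {"name": u["name"], "global": None}
             for u in page_through(fetch, base_url, USERS_PATH)}
    for entry in page_through(fetch, base_url, GLOBAL_PERMS_PATH):
        slug = entry["user"]["slug"]
        users.setdefault(slug, {"name": entry["user"]["name"], "global": None})
        users[slug]["global"] = entry["permission"]
    return users


def diff_snapshots(before, after):
    """Return (slugs no longer listed, {slug: (old, new)} whose global permission changed)."""
    missing = sorted(slug for slug in before if slug not in after)
    changed = {slug: (before[slug]["global"], after[slug]["global"]) for slug in before
               if slug in after and before[slug]["global"] != after[slug]["global"]}
    return missing, changed


if __name__ == "__main__":  # usage: script.py BASE_URL ADMIN PASSWORD [before.json]
    base_url, admin, password, *prior = sys.argv[1:5]
    now = snapshot(lambda url: http_get_json(url, basic_auth(admin, password)), base_url)
    result = diff_snapshots(json.load(open(prior[0])), now) if prior else now
    print(json.dumps(result, indent=2))
```

Run it once before step 2 and save the output, then run it again with that file as the fourth argument after step 6; an empty list and an empty dict mean no user or global permission was lost.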


Michael, when I disable the "old" directory, all users from it just disappear from the users list, and I'm afraid they should all be created in Stash anew if I want them authenticated via the delegated LDAP. This isn't what I expected. Just to clarify: the LDAP directory is one and the same in both cases (the "old" pure LDAP and the "new" delegated LDAP), so I would expect Stash to somehow take over the existing accounts and just authorize them via LDAP. However, if I leave them both - even with the "new" above the "old" in the list - users just keep on self-registering as before.

Hi Michael,

Thank you for the detailed instruction!
