There is a confluence install (5.1.3) configured to use two directories:
IT guys in our organization are using Active Directory to manage about 5-10k users.
Some user -let's say user John Smith "jsmith"- left the company some time ago. He wrote some content in confluence and when the IT people locked and delete his account, the content appeared as written by "jsmith" (instead of "Smith, John" while the user was still active in LDAP).
After some time, a new user called "Jack Smith", with login (=samAccountName) jsmith joined the company. Now, we have a problem ... All the content generated by John Smith some years ago is shown as generated by Jack Smith. There are no email notifications in our confluence install, but Im pretty sure that if they were active, the emails would be sent to Jack (despite Jack can't log in because jsmith was removed from confluence-users when John left the company).
In one sentence: confluence is telling us (incorrectly) that some content is authored by Jack Smith.
How can we work around this weird behaviour? I think that is a conflict between the confluence ldap config and the IT user management policies ...
Can we (confluence admins) change the User Directories config to avoid this?
Should they (LDAP admins) leave the users locked and NOT recycle it-s username when a person leave the company?
Is there any best practice to manage this scenario?
we have a big directory server with > 100.000 users and I think it is best practise not reuse the userid.
I personally would write a script that renames the autor of the pages to something like "deleted_USERNAME". It#s not the best solution but you could work around the issue of two seperate persons with the same username.
Confluence recognize owner of a content based on the username. When the user jsmith was deleted from the AD server, the content that he created still exist inside the database. These content is no longer accessible throught the Confluence UI. When another user with the same username is created in the AD or the internal directory, Confluence will recognize this user as the owner of those content thus giving him the permission to those content.
Normally you won't be able to delete the user from the internal directory that have created some content, this is to prevent this issue from happening. But this restriction is not apply to the AD server.
The best practice is to delete the content of the user after he is disable or remove. You can refer to this document for the step to do this https://confluence.atlassian.com/display/CONFKB/How+Do+I+Remove+a+User+Who+Has+Content+Created
Yes, you should tell them to avoid recycling username. Currently, there is no way to avoid this issue if you plan to recycle the username when there the previous username owner content still exists. We have created a feature request https://jira.atlassian.com/browse/CONF-4063 for a function that can be used by the administrator to change the name. In order for this feature to be implemented, confluence must no longer used username as a reference for the content therefore it will indirectly solve this issue as well.
I would suggest you to vote for this feature request.
Do you use templates with Confluence? Take part in a remote 1-hr workshop. You'll receive USD $100 for your time! We're looking for people to participate in a remote 1-hr workshop...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs