We're using crowd with a Delegated LDAP directory. The problem is that there are a lot more users in our domain than need access to our atlassian suite (and more than our crowd license count). But people will occasionally try to log into something anyway, and then it automatically creates a user in crowd for them, eating up a license, even though they shouldn't have access to anything. Is there a way to disable this "feature"?
The Crowd LDAP delegated directory will see all users in LDAP returned by the ldap connection query. This does not mean that they will count towards your license.
"Licensing fees are quoted per total number of 'Crowd users'. A Crowd user is defined as any user account that can authenticate against one or more applications. "
and
"Crowd licenses are based on the number of end-users who will log in to the applications that are integrated with Crowd."
If the users are not mapped to an application they are not counted, only when they can authenticate to an application do they become active.
So if you restrict Authentication to groups as along as the groups are controlled, it should not be an issue.
But i think your referring to the per application settings that enable account creation on succesful login, if one does not already exist. In pre 4.3. Jira the ldap connection needed a local Jira account as well, so unless one existed the login would not work. So there was the option to creat the local account on succesful login.
It may be a variant of this behaviour you are experiencing, if so i'm sure this is configurable at the application level, what applications are you running and at what versions?
We're running the latest of Jira and Confluence. As you point out, the users that count towards the license limit would need to have access to an app, so this is actually fine for us.
Thanks.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Same issue for us. It is not the actual number of users with log in rights that I'm 'concerned' with. It is more the lack of usability when the connector give me all AD users in the two different AD groups my actual users are located in - total number of AD users is about 400 - total number of actual users using Crowd and related applications - < 50. So I have to navigate all 400 in order to find the 50 that I need.
I have removed some, but they will come back on next sync, so I've stopped doing that.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi All,
We are also facing this issue wherein users are automatically added to crowd, we are using Crowd 2.4, though they never count towards license as you need to be part group for that but still importing such a large list of users by crowd from ldap just doesn't make sense.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi there,
Just want to confirm that we do have an improvement request regarding this issue and workaround is provided in it:
https://jira.atlassian.com/browse/CWD-3554
Hope it helps.
Cheers,
Septa Cahyadiputra
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi All,
We are also facing this issue wherein users are automatically added to crowd, we are using Crowd 2.4, though they never count towards license as you need to be part group for that but still importing such a large list of users by crowd from ldap just doesn't make sense.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Rob,
It's quite easy, we have the same setup with Crowd backing Jira/Confluence/Build Servers. We're in a small business unit (3000) in a larger company (10s of 1000s) and we only allow about 2000 users access to the Atlassian tools.
e.g. for a list of jira-users from a specific directory, change the ID to by the index number of your directory.
select display_name, lower_email_address, lower_user_name from "CROWD"."dbo"."cwd_membership" ms, cwd_user where ms.lower_child_name=cwd_user.user_name and parent_name='jira-users' and cwd_user.directory_id=4 order by lower_user_name;
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
We've got "Allow All to Authenticate" disabled, but it still adds users to crowd.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.