How do I stop a delegated directory from automatically adding LDAP users?

We're using Crowd with a Delegated LDAP directory. The problem is that there are a lot more users in our domain than need access to our Atlassian suite (and more than our Crowd license count). But people will occasionally try to log into something anyway, and then it automatically creates a user in Crowd for them, eating up a license, even though they shouldn't have access to anything. Is there a way to disable this "feature"?

4 answers

1 accepted

3 votes
Answer accepted

The Crowd LDAP delegated directory will see all users in LDAP returned by the LDAP connection query. This does not mean that they will count towards your license.

"Licensing fees are quoted per total number of 'Crowd users'. A Crowd user is defined as any user account that can authenticate against one or more applications."

and

"Crowd licenses are based on the number of end-users who will log in to the applications that are integrated with Crowd."

If the users are not mapped to an application they are not counted; only when they can authenticate to an application do they become active.

So if you restrict authentication to groups, as long as the groups are controlled, it should not be an issue.

But I think you're referring to the per-application settings that enable account creation on successful login, if one does not already exist. In pre-4.3 Jira the LDAP connection needed a local Jira account as well, so unless one existed the login would not work. So there was the option to create the local account on successful login.

It may be a variant of this behaviour you are experiencing; if so, I'm sure this is configurable at the application level. What applications are you running and at what versions?

We're running the latest of Jira and Confluence. As you point out, the users that count towards the license limit would need to have access to an app, so this is actually fine for us.

Thanks.

Same issue for us. It is not the actual number of users with log in rights that I'm 'concerned' with. It is more the lack of usability when the connector gives me all AD users in the two different AD groups my actual users are located in - total number of AD users is about 400 - total number of actual users using Crowd and related applications - < 50. So I have to navigate all 400 in order to find the 50 that I need.

I have removed some, but they will come back on next sync, so I've stopped doing that.

Tarun Sapra Community Leader Jul 21, 2014

Hi All,

We are also facing this issue wherein users are automatically added to Crowd; we are using Crowd 2.4. They never count towards the license, as you need to be part of a group for that, but still, importing such a large list of users by Crowd from LDAP just doesn't make sense.

Hi Rob,

It's quite easy, we have the same setup with Crowd backing Jira/Confluence/Build Servers. We're in a small business unit (3000) in a larger company (10s of 1000s) and we only allow about 2000 users access to the Atlassian tools.

  1. Login to Crowd
  2. Select Applications
  3. Select one of the Atlassian apps
  4. Select the directories tab
  5. Next to your delegated LDAP directory, change the "Allow All to Authenticate" to "False"
  6. Then select the Groups tab, add in your jira-users, confluence-users (or whatever) from the delegated LDAP directory (and it has to be this directory, not a same named group in another directory)
  7. Make sure all your existing users are a member of this group. If you don't know who these are, you can get a list using some SQL on the Crowd DB.
  8. Repeat for your other apps

e.g. for a list of jira-users from a specific directory, change the ID to be the index number of your directory.

select display_name, lower_email_address, lower_user_name
from "CROWD"."dbo"."cwd_membership" ms, cwd_user
where ms.lower_child_name = cwd_user.lower_user_name  -- compare lowercased names on both sides
  and parent_name = 'jira-users'
  and cwd_user.directory_id = 4  -- ID of your directory
order by lower_user_name;

We've got "Allow All to Authenticate" disabled, but it still adds users to crowd.
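An added example, not part of any post in this thread: an audit query that lists the accounts in the delegated directory belonging to none of the groups mapped to the applications, i.e. the auto-created accounts this thread is about. It uses the tables and columns from the query above, assumes `cwd_membership` also has a `directory_id` column, and runs against constructed rows in SQLite; `users_without_access` and `sample_db` are hypothetical names.

```python
import sqlite3

# Tables and columns are those named in the post's query. Assumption (not on
# the page): cwd_membership also has directory_id, used here so a same-named
# group in another directory does not count as access.
AUDIT_SQL = """
SELECT u.lower_user_name, u.display_name, u.lower_email_address
FROM cwd_user u
WHERE u.directory_id = ?
  AND NOT EXISTS (
        SELECT 1 FROM cwd_membership ms
        WHERE ms.lower_child_name = u.lower_user_name
          AND ms.directory_id = u.directory_id
          AND ms.parent_name IN ({groups}))
ORDER BY u.lower_user_name
"""

def users_without_access(conn, directory_id, access_groups):
    """Users in the directory who are in none of the groups mapped to the apps."""
    if not access_groups:
        raise ValueError("pass at least one access group")
    marks = ",".join("?" * len(access_groups))  # one bound parameter per group
    sql = AUDIT_SQL.format(groups=marks)
    return conn.execute(sql, [directory_id, *access_groups]).fetchall()

def sample_db():
    """Constructed rows standing in for a Crowd database (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cwd_user (lower_user_name TEXT, display_name TEXT,
                               lower_email_address TEXT, directory_id INTEGER);
        CREATE TABLE cwd_membership (parent_name TEXT, lower_child_name TEXT,
                                     directory_id INTEGER);
    """)
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?,?)", [
        ("alice", "Alice A", "alice@example.com", 4),  # in jira-users
        ("bob",   "Bob B",   "bob@example.com",   4),  # no groups: auto-created
        ("carol", "Carol C", "carol@example.com", 4),  # group only in directory 1
        ("dave",  "Dave D",  "dave@example.com",  1),  # other directory, ignored
        ("erin",  "Erin E",  "erin@example.com",  4),  # in confluence-users
    ])
    conn.executemany("INSERT INTO cwd_membership VALUES (?,?,?)", [
        ("jira-users", "alice", 4),
        ("jira-users", "carol", 1),
        ("confluence-users", "erin", 4),
    ])
    return conn

if __name__ == "__main__":
    for row in users_without_access(sample_db(), 4, ["jira-users", "confluence-users"]):
        print(row)
```

The rows returned are accounts that exist in the directory but cannot authenticate to any mapped application once "Allow All to Authenticate" is set to "False".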

Hi there,

Just want to confirm that we do have an improvement request regarding this issue and workaround is provided in it:

https://jira.atlassian.com/browse/CWD-3554

Hope it helps.

Cheers,
Septa Cahyadiputra 
