How do I stop a delegated directory from automatically adding LDAP users?

We're using Crowd with a Delegated LDAP directory. The problem is that there are a lot more users in our domain than need access to our Atlassian suite (and more than our Crowd license count). But people will occasionally try to log into something anyway, and then it automatically creates a user in Crowd for them, eating up a license, even though they shouldn't have access to anything. Is there a way to disable this "feature"?

4 answers

1 accepted

The Crowd LDAP delegated directory will see all users in LDAP returned by the LDAP connection query. This does not mean that they will count towards your license.

"Licensing fees are quoted per total number of 'Crowd users'. A Crowd user is defined as any user account that can authenticate against one or more applications. "

and

"Crowd licenses are based on the number of end-users who will log in to the applications that are integrated with Crowd."

If the users are not mapped to an application they are not counted; only when they can authenticate to an application do they become active.

So if you restrict authentication to groups, as long as the groups are controlled, it should not be an issue.

But I think you're referring to the per-application settings that enable account creation on successful login, if one does not already exist. In pre-4.3 Jira the LDAP connection needed a local Jira account as well, so unless one existed the login would not work. So there was the option to create the local account on successful login.

It may be a variant of this behaviour you are experiencing. If so, I'm sure this is configurable at the application level. What applications are you running and at what versions?

We're running the latest of Jira and Confluence. As you point out, the users that count towards the license limit would need to have access to an app, so this is actually fine for us.

Thanks.

Same issue for us. It is not the actual number of users with login rights that I'm 'concerned' with. It is more the lack of usability when the connector gives me all AD users in the two different AD groups my actual users are located in - total number of AD users is about 400 - total number of actual users using Crowd and related applications - < 50. So I have to navigate all 400 in order to find the 50 that I need.

I have removed some, but they will come back on next sync, so I've stopped doing that.

Tarun Sapra Community Champion Jul 21, 2014

Hi All,

We are also facing this issue wherein users are automatically added to Crowd. We are using Crowd 2.4. They never count towards the license, as you need to be part of a group for that, but still, importing such a large list of users by Crowd from LDAP just doesn't make sense.

Hi Rob,

It's quite easy, we have the same setup with Crowd backing Jira/Confluence/Build Servers. We're in a small business unit (3000) in a larger company (10s of 1000s) and we only allow about 2000 users access to the Atlassian tools.

  1. Login to Crowd
  2. Select Applications
  3. Select one of the Atlassian apps
  4. Select the directories tab
  5. Next to your delegated LDAP directory, change the "Allow All to Authenticate" to "False"
  6. Then select the Groups tab, add in your jira-users, confluence-users (or whatever) from the delegated LDAP directory (and it has to be this directory, not a same named group in another directory)
  7. Make sure all your existing users are a member of this group. If you don't know who these are, you can get a list using some SQL on the Crowd DB.
  8. Repeat for your other apps

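e.g. for a list of jira-users from a specific directory, change the ID to be the index number of your directory.

```sql
-- Members of jira-users whose user record lives in directory 4.
-- Join on the lower-cased name on both sides so the match does not
-- depend on the database collation.
select u.display_name, u.lower_email_address, u.lower_user_name
from "CROWD"."dbo"."cwd_membership" ms, cwd_user u
where ms.lower_child_name = u.lower_user_name
  and ms.parent_name = 'jira-users'
  and u.directory_id = 4
order by u.lower_user_name;
```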
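The inverse check for step 7, as an added example that is not part of the original answer: list the users in the delegated directory who are in none of the groups allowed to authenticate, so you can see who was auto-created and who would be locked out once "Allow All to Authenticate" is False. The rows are constructed sample data in an in-memory SQLite database; the column names follow the query above, and `cwd_membership.directory_id` is an assumption about the schema, used so that a same-named group in another directory does not count.

```python
import sqlite3

# Audit query: users in one directory with no membership in the groups that
# are allowed to authenticate. Column names follow the query in the post;
# cwd_membership.directory_id is an assumption about the schema.
AUDIT_SQL = """
SELECT u.lower_user_name
FROM cwd_user u
WHERE u.directory_id = :dir
  AND NOT EXISTS (
        SELECT 1 FROM cwd_membership ms
        WHERE ms.lower_child_name = u.lower_user_name
          AND ms.directory_id = u.directory_id
          AND ms.parent_name IN ('jira-users', 'confluence-users'))
ORDER BY u.lower_user_name
"""

def build_sample_db():
    """In-memory stand-in for the Crowd DB, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cwd_user (user_name TEXT, lower_user_name TEXT,
                               display_name TEXT, directory_id INTEGER);
        CREATE TABLE cwd_membership (parent_name TEXT, lower_child_name TEXT,
                                     directory_id INTEGER);
    """)
    db.executemany("INSERT INTO cwd_user VALUES (?,?,?,?)", [
        ("Alice", "alice", "Alice A", 4),   # in jira-users, mixed-case name
        ("bob", "bob", "Bob B", 4),         # auto-created, in no group
        ("carol", "carol", "Carol C", 4),   # only in a same-named group of dir 1
        ("carol", "carol", "Carol C", 1),
        ("dave", "dave", "Dave D", 4),      # in confluence-users
    ])
    db.executemany("INSERT INTO cwd_membership VALUES (?,?,?)", [
        ("jira-users", "alice", 4),
        ("jira-users", "carol", 1),
        ("confluence-users", "dave", 4),
    ])
    return db

def users_without_access_group(db, directory_id):
    """Return lower-cased user names in the directory that hold no access group."""
    rows = db.execute(AUDIT_SQL, {"dir": directory_id}).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(users_without_access_group(build_sample_db(), 4))
```

The `AUDIT_SQL` text is plain SQL, so it can be run against the Crowd database directly with the directory ID filled in.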

We've got "Allow All to Authenticate" disabled, but it still adds users to Crowd.


Hi there,

Just want to confirm that we do have an improvement request regarding this issue, and a workaround is provided in it:

https://jira.atlassian.com/browse/CWD-3554

Hope it helps.

Cheers,
Septa Cahyadiputra 
