LDAP connection and using different username than localpart

Thomas Schuchhardt November 1, 2017

Our specific LDAP setup is managed by iRedMail and iRedAdmin.

User DNs look like `dn: mail=user@domain.com,ou=Users,domainName=domain.com,o=domains,dc=domain,dc=com`

Groups are similarly identified by mail addresses.

Is it possible to use just the username for synchronizing the users to Jira and append `@domain.com` automatically?

And either way, whether that is possible or not, how can I transfer issues and boards to different users?
The usernames would change like this:
username -> username@domain.com
Preferably I would want to run a query that replaces all user references with the new users.

On the other services like Bitbucket there is not much data created, so transferring users should be doable manually.

Answer accepted
Andy Heinzer
Atlassian Team
November 1, 2017

Hi Thomas,

I understand you want to change all the usernames in Jira from the format of just 'username' to 'username@example.com' and that your users in Jira are being managed in an LDAP directory that Jira is connected to.

This can be done if you are using a connected LDAP directory (a delegated LDAP directory in Jira does not handle this kind of user rename task). The trick to making sure this works is to make sure that your LDAP directory in Jira has the correct value for the "User Unique ID Attribute:" field for this user directory. For different LDAP types (AD/OpenLDAP/etc) this attribute can be different. However, the purpose of that field is to generate a unique value that corresponds to the account itself. This way, if the account is renamed in LDAP, when Jira syncs with the LDAP instance it can understand that this is the same account and in turn will rename the user account it has for that user. Whereas if Jira does not have the correct attribute set here, when the sync happens after a user rename, Jira would instead create a new user account. If the new user account is created, this is because Jira does not understand that a rename has happened, and instead it is just adding the user accounts found in the directory per the DN/user filters in place. These LDAP attributes in Jira are also better explained in Connecting to an LDAP directory.

I also tried to highlight the critically important attributes on the directory in Jira as it pertains to this scenario:

[Image: Configure_LDAP_User_Directory_-_750_-_2017-11-01_11.57.23.png]

It's important to make sure that the user rename that happens in LDAP is working correctly in Jira first. I would suggest trying to rename a test account in LDAP first, and then syncing Jira just to make sure this change is taking place in the way you would expect it to, and not just creating a new user account. Once that is complete, there are two different approaches you can take to try to rename all these accounts in Jira from username to username@example.com formats:

  1. You can actually attempt to rename the user accounts in LDAP directly. This would be to change the usernames to include the @example.com domain. This might not be the preferred method since it might affect other services using your LDAP instance for authentication/authorization.
  2. The other alternative would be to edit the user directory settings in Jira. You could change the User Name Attribute to have the same value as the User Email Attribute. This way, when Jira syncs with the directory the next time after this change, provided the User Unique ID Attribute is correct, Jira would see these are the same accounts and rename them appropriately (provided your LDAP directory actually has current values for these mail fields).
That said, I would still recommend that you test out this kind of change on a staging server first. This kind of change has the potential to lock out all your users from Jira if this is not done correctly or you encounter any unexpected results. If you don't have a staging server to test this on first, then I would recommend trying these steps:
  1. create a new LDAP directory in Jira first with the same current settings,
  2. order this new directory higher than your current directory,
  3. perform a sync in Jira for this new directory,
  4. then make this change to the User Name Attribute,
  5. save these changes,
  6. and sync the new directory again.

If this works, you should be all set.  But if this doesn't work, then you should still be able to quickly revert these changes by re-ordering the old directory back to the higher order and syncing that once more.

Regards,
Andy
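
As an added illustration (not part of the original thread and not Jira's own code), the following Python model shows the sync behaviour the answer above depends on: directory entries are matched to existing accounts by the User Unique ID Attribute, and only fall back to the user name when that attribute is unset. It assumes OpenLDAP's operational `entryUUID` attribute as the stable identifier (which is what an iRedMail directory provides; `objectGUID` plays the same role on Active Directory). The two directory snapshots, the `uid` values, the UUIDs and the `sync()` function are constructed for the example and simplify what Jira actually does.

```python
"""Model of a Jira connected-directory sync: match by unique ID, not by name.

Constructed example data. Two users in an iRedMail-style OpenLDAP tree;
'uid' stands in for whatever attribute holds the short user name and
'entryUUID' is OpenLDAP's operational per-entry identifier.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DirectoryConfig:
    """The three Jira user-directory fields that matter for renames."""
    username_attr: str             # "User Name Attribute"
    email_attr: str                # "User Email Attribute"
    unique_id_attr: Optional[str]  # "User Unique ID Attribute"; None = not usable


@dataclass
class JiraUser:
    username: str
    email: str
    external_id: Optional[str]     # cwd_user.external_id; null when no ID was read


@dataclass
class SyncResult:
    renamed: List[Tuple[str, str]]  # (old username, new username)
    created: List[str]
    orphaned: List[str]             # accounts no directory entry matched any more


BASE = "ou=Users,domainName=domain.com,o=domains,dc=domain,dc=com"

# Constructed snapshot of the directory before any rename.
LDAP_BEFORE = [
    {"dn": f"mail=tschuchhardt@domain.com,{BASE}", "uid": "tschuchhardt",
     "mail": "tschuchhardt@domain.com",
     "entryUUID": "8e1c2a60-0000-4000-8000-000000000001"},
    {"dn": f"mail=jdoe@domain.com,{BASE}", "uid": "jdoe",
     "mail": "jdoe@domain.com",
     "entryUUID": "8e1c2a60-0000-4000-8000-000000000002"},
]

# Same entries after approach 1: one short user name rewritten in LDAP.
LDAP_AFTER_RENAME = [dict(e, uid=e["mail"]) if e["uid"] == "tschuchhardt" else dict(e)
                     for e in LDAP_BEFORE]


def sync(state: Dict[str, JiraUser], entries, cfg: DirectoryConfig):
    """One sync pass. Returns the new account table and what changed."""
    by_ext = {u.external_id: u for u in state.values() if u.external_id}
    new_state: Dict[str, JiraUser] = {}
    result = SyncResult([], [], [])
    matched_old = set()
    for entry in entries:
        username = entry[cfg.username_attr]
        ext = entry.get(cfg.unique_id_attr) if cfg.unique_id_attr else None
        # With a usable unique ID, identity is the ID; otherwise only the name.
        existing = by_ext.get(ext) if ext else state.get(username)
        if existing is None:
            new_state[username] = JiraUser(username, entry[cfg.email_attr], ext)
            result.created.append(username)
            continue
        matched_old.add(existing.username)
        if existing.username != username:
            result.renamed.append((existing.username, username))
        new_state[username] = JiraUser(username, entry[cfg.email_attr], ext)
    result.orphaned = sorted(set(state) - matched_old)
    return new_state, result


def rename_in_ldap(unique_id_attr: Optional[str]) -> SyncResult:
    """Approach 1: the user is renamed in LDAP between two syncs."""
    cfg = DirectoryConfig("uid", "mail", unique_id_attr)
    state, _ = sync({}, LDAP_BEFORE, cfg)
    _, result = sync(state, LDAP_AFTER_RENAME, cfg)
    return result


def switch_username_attribute() -> SyncResult:
    """Approach 2: LDAP untouched; User Name Attribute changed from uid to mail."""
    state, _ = sync({}, LDAP_BEFORE, DirectoryConfig("uid", "mail", "entryUUID"))
    _, result = sync(state, LDAP_BEFORE, DirectoryConfig("mail", "mail", "entryUUID"))
    return result


if __name__ == "__main__":
    print("rename in LDAP, entryUUID set:  ", rename_in_ldap("entryUUID"))
    print("rename in LDAP, no unique ID:   ", rename_in_ldap(None))
    print("rename in LDAP, ID = renamed attr", rename_in_ldap("uid"))
    print("switch User Name Attribute:     ", switch_username_attribute())
```

With `entryUUID` as the unique ID, both approaches report a rename and create nothing. With the unique ID unset, or pointed at the very attribute being renamed (`uid` here), the second sync cannot connect the new name to the old account: it creates a fresh user and leaves the old one unmatched, which is the failure the answer warns about. Before touching the Jira directory configuration, confirm the attribute is actually populated for your entries; on OpenLDAP, operational attributes are returned only when requested by name, e.g. `ldapsearch -x -H ldap://ldap.example.com -D <binddn> -W -b "ou=Users,domainName=domain.com,o=domains,dc=domain,dc=com" "(mail=user@domain.com)" entryUUID`.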

Dev_toolssupport April 3, 2019

Hi Andy,

Jira 7.13.1

I am facing a similar problem, but our LDAP setting is for a 'delegated LDAP directory', which I understand syncs with LDAP when a user logs into Jira.

We would like to change the username from '123456' to 'u123456'. Both these values map to LDAP directory attributes, 'employeenumber' and 'uid' respectively. 'uid' is also a unique ID in LDAP.

We cannot touch LDAP, hence we need to make this change in the LDAP directory form of Jira.

In the Jira LDAP directory, the User Unique ID Attribute 'entryUUID' is wrong, hence it stores null in the cwd_user table for column 'external_id'. It should be 'uid'. So I changed it to 'uid' and now can see the value in it as 'u123456' when the user logs in with '123456', which is correct.

Now I want to change the username from '123456' to 'u123456'.

For this, the User Name Attribute was changed from 'employeenumber' to 'uid', along with 2 other fields having 'employeenumber'.

The user was asked to log in with 'u123456' and was successfully able to log in. In the database I could see the app_user, cwd_user and cwd_membership tables updated.

Now I want to make this change for all users. Hence the obvious solution that appeared to me was to change in the database the value of 'external_id' in table cwd_user from null to 'u123456' and restart Jira.

I did that and asked another user to log in with 'u111111', but this time Jira considered him a new user and started creating his profile.

Can you please help me with what was wrong with my approach and how it can be corrected?

Thanks,

Imran

Andy Heinzer
Atlassian Team
April 8, 2019

Hi Imran,

When you're using a Delegated LDAP directory in Jira, technically there is no syncing happening here. Only when the user first attempts to log in will Jira make a call back to the LDAP instance, just to see if that username and password pass authentication or not. If they do, and this user exists in the user filter, the account can be added to Jira. However, this is not a synchronization of the user account data at the time of first login; it's merely a one-time lookup for when the account can be first created in Jira. There is no mechanism to sync user account changes in a delegated directory. This is explained in Synchronizing data from external directories.

Data caching and synchronization do not occur for the following user directory types:

  • Internal Directory with LDAP Authentication.
  • Internal Directory.

As such, there is no way that Jira can be expected to track username changes when the user account is coming from a delegated directory.

However if you were using a Connected LDAP directory, Jira does sync the users / groups here.  So if that account was in Jira, and the unique user identifier value was set to some value that does not change, then Jira could track this account rename provided Jira has a sync before and after the username changes in LDAP.

With this information you should be able to still get Jira to rename the user accounts, but you are going to need to use a non-delegated LDAP directory in order to do so, AND you would need to have this done before the changes happened in LDAP.

I hope this helps.

Andy
