I have Jemh configured to create new users without interactive login privileges from their email addresses. Currently these users are showing up in my LDAP directory. I would like to place these users in the Jira Internal directory. How do I change the directory these users are created in? Thanks,
Hi Michael, so let me clarify some things:
LDAP directories are generally read-only. JEMH does not write directly to LDAP and uses JIRA to create user accounts, so I would 'expect' JEMH-created users to be created in the internal directory, if anywhere. Do you mean these users are showing up in addition to LDAP users via the aggregated Manage Users view?
A scenario I can see that could explain this thinking is that those LDAP users are registered in the LDAP user repository and have their email mapped. When JEMH processes the message, it asks JIRA to find the related user. JIRA does this by scanning its Directories in the order they are configured (within JIRA) - https://confluence.atlassian.com/display/JIRA/Managing+Multiple+Directories
So, JEMH will likely 'find' these users in LDAP if you have LDAP configured (at all), and will use them. Their 'group membership', or lack of it, can be a combination of internal JIRA groups and LDAP groups, depending on how you have things set up.
If you have a subset of JIRA users who are expected to have right-to-use, and the rest who are not and are expected to just use email via JEMH, then you need to configure appropriate LDAP filters to include/exclude as appropriate, e.g. by setting the User DN sufficiently far down the tree to include only the subset you want.
Then JEMH won't find the users that already exist, and will create new ones. But why? If you have those users in LDAP, use them; what is the problem?
But you said: Currently these users are showing up in my LDAP directory.
JEMH can't create users in LDAP repos; they will be created in the internal JIRA user repo.
Check the internal JIRA tables:
Hmm, I think this is a vagary of the User Browser. The 'user' will exist in JIRA tables; try the following query:
SELECT id, directory_id, user_name, email_address FROM cwd_user;
If this shows the above user, and the directory ID is 1, it's the internal JIRA system, not LDAP. It's created a user because that's what you configured JEMH to do, and it's not in LDAP, as I said above.
Interesting, do you have an identity management glue in the middle, e.g. Crowd, or is this a JIRA and LDAP only config? Back to the original point, JIRA is not likely to create new entries in LDAP. If you have enabled JEMH to create accounts, it will do so, and the normal home for that is the internal directory. Perhaps your configuration is causing entries to appear in other places, but I guarantee they aren't in LDAP (or are they, already? Get an LDAP browser tool and search for one of these users...)
It is just Jira to AD in Read Only mode. I understand that Jira isn't editing the LDAP db (it can't; my AD login doesn't have that permission). It's just odd that the accounts are associated with LDAP instead of the internal DB. I am concerned this may cause issues down the road as use of the server grows and if we need to tie the JEMH-created users into another system.
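To settle which directory an account really belongs to, the `cwd_user` query from the thread can be joined to the directory table so the directory name, type and lookup order appear next to each user. This is an added example, not part of the original thread; it assumes the standard Jira `cwd_directory` columns (`directory_name`, `directory_type`, `directory_position`, `active`) and `cwd_user.lower_email_address`, and the email address is a constructed sample.

```sql
-- 1. List the configured directories in the order JIRA searches them.
--    (Column names assumed from the standard Jira cwd_ schema.)
SELECT d.id,
       d.directory_name,
       d.directory_type,
       d.directory_position,
       d.active
FROM   cwd_directory d
ORDER  BY d.directory_position;

-- 2. Show every record for one email address together with the
--    directory that owns it. 'jane.doe@example.com' is a constructed
--    sample value; substitute the address of a JEMH-created user.
SELECT u.id,
       u.user_name,
       u.email_address,
       u.created_date,
       d.id            AS directory_id,
       d.directory_name,
       d.directory_type,
       d.directory_position
FROM   cwd_user u
JOIN   cwd_directory d ON d.id = u.directory_id
WHERE  u.lower_email_address = 'jane.doe@example.com'
ORDER  BY d.directory_position;

-- 3. Find email addresses that exist in more than one directory.
--    These are the accounts where the directory search order decides
--    which record an email-based lookup resolves to.
SELECT u.lower_email_address,
       COUNT(DISTINCT u.directory_id) AS directory_count
FROM   cwd_user u
GROUP  BY u.lower_email_address
HAVING COUNT(DISTINCT u.directory_id) > 1
ORDER  BY directory_count DESC, u.lower_email_address;
```

Run these read-only against the JIRA database; a row in query 2 whose `directory_name` is the LDAP connector means the record is JIRA's locally cached copy of that directory entry, which can then be confirmed or ruled out with an LDAP browser search as suggested above.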