Hello,
I have Jemh configured to create new users without interactive login privileges from their email addresses. Currently these users are showing up in my LDAP directory. I would like to place these users in the Jira Internal directory. How do I change the directory these users are created in? Thanks,
-Michael
Hi Michael, so let me clarify some things;
LDAP directories are generally read-only. JEMH does not write directly to LDAP and uses JIRA to create user accounts, so I would 'expect' JEMH-created users to be created in the internal directory if anywhere. Do you mean these users are showing up in addition to LDAP users via the aggregated Manage Users view?
A scenario I can see that could explain this thinking is that those LDAP users are registered in the LDAP user repository and have their email mapped. When JEMH processes the message, it asks JIRA to find the related user, JIRA does this by scanning its Directories in the order they are configured (within JIRA) - https://confluence.atlassian.com/display/JIRA/Managing+Multiple+Directories
So, JEMH will likely 'find' these users in LDAP if you have LDAP configured (at all), and will use them; their 'group membership' or lack of it can be a combination of internal JIRA groups and LDAP groups, depending on how you have things set up.
If you have a subset of JIRA users who are expected to have right-to-use, and the rest who are not, and are expected to just use email via JEMH, then you need to configure appropriate LDAP filters to include/exclude as appropriate, e.g. by setting the User DN sufficiently far down the tree to include only the subset you want.
Then JEMH won't find the users that already exist, and will create new ones. But why? If you have those users in LDAP, use them; the problem is?
That's what's so puzzling. The users definitely do not exist in the LDAP database.
But you said: Currently these users are showing up in my LDAP directory.
JEMH can't create users in LDAP repos; they will be created in the internal JIRA user repo.
Check the internal JIRA tables:
- https://developer.atlassian.com/display/JIRADEV/Database+Schema#DatabaseSchema-Userdetails
Here is a screenshot to illustrate the issue. This user was created by JEMH but does not exist in ldap.
Hmm, I think this is a vagary of the User Browser. The 'user' will exist in the JIRA tables; try the following query:
SELECT id, directory_id, user_name, email_address FROM cwd_user;
If this shows the above user and the directory ID is 1, it's the internal JIRA system, not LDAP. It's created a user because that's what you configured JEMH to do, and it's not in LDAP, as I said above.
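To make the directory check above less error-prone than reading a raw directory_id, here is an added query (not from the thread or from the JEMH author) that joins cwd_user to Jira's cwd_directory table so each account is listed next to the name and type of the directory that holds it. It assumes a standard Jira schema where cwd_directory carries directory_name and directory_type (INTERNAL for the built-in directory, CONNECTOR for an LDAP/AD connector, DELEGATING for delegated LDAP authentication); the email address is a placeholder to replace with the JEMH-created account in question.

```sql
-- Added example, not from the original thread. Assumes the standard Jira
-- tables cwd_user and cwd_directory; 'user@example.com' is a placeholder.
SELECT u.id,
       u.user_name,
       u.email_address,
       u.directory_id,
       d.directory_name,
       d.directory_type      -- INTERNAL, CONNECTOR (LDAP/AD) or DELEGATING
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE LOWER(u.email_address) = LOWER('user@example.com')
ORDER BY u.directory_id;
```

If the row comes back with directory_type INTERNAL, the account lives in Jira's own tables and never touched LDAP. A CONNECTOR or DELEGATING row for an account that is absent from the directory server itself is the kind of mismatch worth capturing in a support ticket, since it is the directory record, not the User Browser view, that decides how that user authenticates and which system of record another integration will see.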
Hi Andy,
The Jemh created user names are showing in directory_id 10000 which is the AD user list, not the Jira internal database.
Interesting. Do you have an identity management glue in the middle, e.g. Crowd, or is this a JIRA and LDAP only config? Back to the original point, JIRA is not likely to create new entries in LDAP. If you have enabled JEMH to create accounts, it will do so, and the normal home for that is the internal directory. Perhaps your configuration is causing entries to appear in other places, but I guarantee they aren't in LDAP (or are they, already? Get an LDAP browser tool and search for one of these users...)
It is just Jira to AD in read-only mode. I understand that Jira isn't editing the LDAP db (it can't; my AD login doesn't have that permission). It's just odd that the accounts are associated with LDAP instead of the internal DB. I am concerned this may cause issues down the road as use of the server grows and if we need to tie the JEMH-created users into another system.
K, I can see that, please log a support ticket and screenshot your JIRA User Directory details.