Fixing user migration between 4.1.2 and 5.1 - duplicate records between internal and ldap directories

Hi,

When migrating from 4.1.2, I decided to take advantage of the improved LDAP support. In our 4.1.2 instance, we were using LDAP for authentication, with users being replicated in Jira, and group membership maintained in Jira.

The upgrade guide does mention that the osuser.xml file should be there for the migration to happen properly, but for some reason I overlooked that when migrating (I did so many tests before...). I ended up re-creating the LDAP directory in the migrated instance.

Things work relatively smoothly, BUT there are some quirks. In particular, users that exist in both directories are inconsistent in their group memberships. In the user browser, if I search by group, selecting a jira-group, users will be listed because they were members of that group in the previous instance, although the details of that user do not show that group anymore.

I am not too far from having a script to fix this - at least, I have a script which detects the inconsistencies. Now, I am wondering if

- Atlassian provides a tool for that? (Could I perhaps re-run that one specific migration task manually?)

- If not, could someone confirm that, provided that group memberships are fine, I can go ahead and delete the user records on the internal directory? Is using com.atlassian.crowd.manager.directory.DirectoryManager.removeUser(dirId, userName) the right way to go? I'm a little wary of using non-public APIs of course.

3 answers

1 accepted

Accepted Answer
2 votes

I would suggest using the Script Runner plugin to merge users:

- https://marketplace.atlassian.com/plugins/com.onresolve.jira.groovy.groovyrunner

This should solve your duplicate user records and make user management easier moving forward :)

Cheers,

Pelle

That's indeed what I'm using, but silly me didn't think of looking at the built-in scripts!

1 vote
Yilin Mo Atlassian Team Feb 16, 2013

I think you can simply switch the order of the user directories to put the LDAP user directory in first place, as JIRA only takes into account the user directory in the priority place.

In case your user name in lower case is the same between the two user directories and you wish to reuse the same settings in the internal user directory, you can try the following queries (do not forget to take a backup before):

Run the following SQL statements (case sensitive for the name string):

Remove the possible duplicated user account:

    delete from cwd_user where directory_id=(select id from cwd_directory where directory_name='LDAP server');

Remove the possible duplicated user attributes:

    delete from cwd_user_attributes where directory_id=(select id from cwd_directory where directory_name='LDAP server');

Remove the possible duplicated membership:

    delete from cwd_membership where directory_id=(select id from cwd_directory where directory_name='LDAP server') and membership_type='GROUP_USER';

Migrate the user account to the new user directory:

    update cwd_user set directory_id=(select id from cwd_directory where directory_name='LDAP server'),credential='nopass' where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication');

Update the user account attributes:

    update cwd_user_attributes set directory_id=(select id from cwd_directory where directory_name='LDAP server') where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication');

Migrate groups to the new user directory and change the property:

    update cwd_group set local=1,directory_id=(select id from cwd_directory where directory_name='LDAP server') where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication');

Migrate the membership setting to the new user directory:

    update cwd_membership set directory_id=(select id from cwd_directory where directory_name='LDAP server') where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication') and membership_type='GROUP_USER';

Please be aware that after these steps, all users belonging to the user directory Delegated LDAP Authentication will be migrated to the user directory LDAP server.

Hey Momo,

Thanks for the reply. The directories are in the "correct" order (ldap on top).

Thanks for the queries. I felt more comfortable using APIs to achieve this, but I'll have a look at your queries and see how that goes.

Thanks again.

Using com.atlassian.crowd.manager.directory.DirectoryManager.removeUser(dirId, userName) did indeed work, but some metadata went missing, such as the login count. I was able to salvage some of that by using SQL directly. Since our users were already using the new instance anyway, I had to add the values from their 2 user records; only did it for a handful - and really only for the login count attribute. If I had to re-do the migration, I guess having the osuser.xml in place would help, and if not, the whole thing could be scripted and made cleaner if done before people start using it.

Perhaps I could have dug a little deeper in the Jira sources to see what happens when osuser.xml is present at the time of the upgrade.
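A read-only pre-flight check for the two problems raised in this thread (group memberships that exist only on the old record, and login counts split across both records), added here as an example and not code from any poster or from Atlassian. The tables are a constructed miniature loaded into SQLite; the column names not quoted in the thread and the `login.count` attribute key are assumptions to verify against your own schema.

```python
import sqlite3

# Constructed miniature of the cwd_* tables. Column names not quoted in the thread
# (lower_user_name, lower_parent_name, lower_child_name, user_id, attribute_name,
# attribute_value) and the 'login.count' key are assumptions; verify on your schema.
SAMPLE = """
CREATE TABLE cwd_directory (id INTEGER, directory_name TEXT);
CREATE TABLE cwd_user (id INTEGER, directory_id INTEGER, lower_user_name TEXT);
CREATE TABLE cwd_membership (directory_id INTEGER, membership_type TEXT,
                             lower_parent_name TEXT, lower_child_name TEXT);
CREATE TABLE cwd_user_attributes (user_id INTEGER, directory_id INTEGER,
                                  attribute_name TEXT, attribute_value TEXT);
INSERT INTO cwd_directory VALUES (1,'Delegated LDAP Authentication'),(2,'LDAP server');
INSERT INTO cwd_user VALUES (10,1,'alice'),(11,1,'bob'),(20,2,'alice'),(21,2,'carol');
INSERT INTO cwd_membership VALUES
  (1,'GROUP_USER','jira-users','alice'),(1,'GROUP_USER','jira-developers','alice'),
  (2,'GROUP_USER','jira-users','alice'),(1,'GROUP_USER','jira-users','bob');
INSERT INTO cwd_user_attributes VALUES (10,1,'login.count','42'),(20,2,'login.count','7');
"""

# Both queries start from users whose lower-case name exists in both directories.
PAIRS = """
FROM cwd_user ou
JOIN cwd_directory od ON od.id = ou.directory_id AND od.directory_name = :old
JOIN cwd_user nu ON nu.lower_user_name = ou.lower_user_name
JOIN cwd_directory nd ON nd.id = nu.directory_id AND nd.directory_name = :new
"""
# Group memberships recorded in the old directory but absent from the new one.
MISSING_GROUPS = "SELECT ou.lower_user_name, m.lower_parent_name" + PAIRS + """
JOIN cwd_membership m ON m.directory_id = od.id AND m.membership_type = 'GROUP_USER'
                     AND m.lower_child_name = ou.lower_user_name
WHERE NOT EXISTS (SELECT 1 FROM cwd_membership x
                  WHERE x.directory_id = nd.id AND x.membership_type = 'GROUP_USER'
                    AND x.lower_child_name = m.lower_child_name
                    AND x.lower_parent_name = m.lower_parent_name)
ORDER BY 1, 2"""
# login.count held on each of the two records, so neither value is lost silently.
SPLIT_COUNTS = "SELECT ou.lower_user_name, oa.attribute_value, na.attribute_value" + PAIRS + """
JOIN cwd_user_attributes oa ON oa.user_id = ou.id AND oa.attribute_name = 'login.count'
LEFT JOIN cwd_user_attributes na ON na.user_id = nu.id AND na.attribute_name = 'login.count'
ORDER BY 1"""

def preflight(conn, old, new):
    """Read-only report: (missing memberships, split login counts)."""
    args = {"old": old, "new": new}
    return (conn.execute(MISSING_GROUPS, args).fetchall(),
            conn.execute(SPLIT_COUNTS, args).fetchall())

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

if __name__ == "__main__":
    print(preflight(sample_db(), "Delegated LDAP Authentication", "LDAP server"))
```

An empty first list means no membership would change when the old records are dropped; any row in the second list is a user whose two login counts need reconciling before either record is deleted.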
