Fixing user migration between 4.1.2 and 5.1 - duplicate records between internal and ldap directories

Gregory Joseph February 15, 2013

Hi,

When migrating from 4.1.2, I decided to take advantage of the improved LDAP support. In our 4.1.2 instance, we were using LDAP for authentication, with users being replicated in Jira, and group membership maintained in Jira.

The upgrade guide does mention that the osuser.xml file should be there for the migration to happen properly, but for some reason I overlooked that when migrating (I did so many tests before...). I ended up re-creating the LDAP directory in the migrated instance.

Things work relatively smoothly, BUT there are some quirks. In particular, users that exist in both directories are inconsistent in their group memberships. In the user browser, if I search by group, selecting a jira-group, users will be listed because they were members of that group in the previous instance, although the details of that user do not show that group anymore.

I am not too far from having a script to fix this - at least, I have a script which detects the inconsistencies. Now, I am wondering if

- Atlassian provides a tool for that? (Could I perhaps re-run that one specific migration task manually?)

- If not, could someone confirm that, provided that group memberships are fine, I can go ahead and delete the user records on the internal directory? Is using com.atlassian.crowd.manager.directory.DirectoryManager.removeUser(dirId, userName) the right way to go? I'm a little wary of using non-public APIs of course.

3 answers

1 accepted

2 votes
Answer accepted
pkirkeby
Rising Star
February 18, 2013

I would suggest using the Script Runner plugin to merge users:

- https://marketplace.atlassian.com/plugins/com.onresolve.jira.groovy.groovyrunner

This should solve your duplicate user records and make user management easier moving forward :)

Cheers,

Pelle

Gregory Joseph February 18, 2013

That's indeed what I'm using, but silly me didn't think of looking at the built-in scripts!

1 vote
Yilin
Atlassian Team
February 16, 2013

I think you can simply switch the order of the user directories to put the LDAP user directory in first place, as JIRA only takes into account the user directory in the priority place.

In case your user name in lower case is the same between the two user directories and you wish to reuse the same setting in the internal user directory, you can try the following queries (do not forget to take a backup before):

Run the following SQL statements (case sensitive for the name string):

Remove the possible duplicated user account:

    delete from cwd_user where directory_id=(select id from cwd_directory where directory_name='LDAP server');

Remove the possible duplicated user attributes:

    delete from cwd_user_attributes where directory_id=(select id from cwd_directory where directory_name='LDAP server');

Remove the possible duplicated membership:

    delete from cwd_membership where directory_id=(select id from cwd_directory where directory_name='LDAP server') and membership_type='GROUP_USER';

Migrate the user account to the new user directory:

    update cwd_user set directory_id=(select id from cwd_directory where directory_name='LDAP server'),credential='nopass' where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication');

Update the user account attributes:

    update cwd_user_attributes set directory_id=(select id from cwd_directory where directory_name='LDAP server') where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication');

Migrate groups to the new user directory and change the property:

    update cwd_group set local=1,directory_id=(select id from cwd_directory where directory_name='LDAP server') where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication');

Migrate the membership setting to the new user directory:

    update cwd_membership set directory_id=(select id from cwd_directory where directory_name='LDAP server') where directory_id=(select id from cwd_directory where directory_name='Delegated LDAP Authentication') and membership_type='GROUP_USER';

Please be aware that after these steps, all users belonging to the user directory Delegated LDAP Authentication will be migrated to the user directory LDAP server.
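
A read-only pre-check for the statements in the answer above, as an added example that is not part of the original post or of Atlassian's procedure: it counts rows per directory, lists users present in both directories, lists LDAP-directory users that the first `delete` removes without the later `update` replacing them, and lists group memberships recorded only in the old directory. The directory names are the ones used in the answer; the `lower_user_name`, `lower_parent_name` and `lower_child_name` columns are assumed from the `cwd_*` schema.

```sql
-- Added example: SELECT only, no rows are modified.
-- Assumption: the lower_* columns below exist in your Jira version's schema.

-- 1. Row counts per directory, to compare before and after the migration.
select d.directory_name,
       (select count(*) from cwd_user u where u.directory_id = d.id) as user_count,
       (select count(*) from cwd_group g where g.directory_id = d.id) as group_count,
       (select count(*) from cwd_membership m
         where m.directory_id = d.id
           and m.membership_type = 'GROUP_USER') as membership_count
from cwd_directory d
where d.directory_name in ('LDAP server', 'Delegated LDAP Authentication');

-- 2. Users that exist in both directories (matched on the lower-case name).
select old_u.lower_user_name
from cwd_user old_u
join cwd_user new_u on new_u.lower_user_name = old_u.lower_user_name
where old_u.directory_id = (select id from cwd_directory
                            where directory_name = 'Delegated LDAP Authentication')
  and new_u.directory_id = (select id from cwd_directory
                            where directory_name = 'LDAP server');

-- 3. Users only in 'LDAP server': the first delete removes these rows and
--    the later update does not bring a replacement row for them.
select new_u.lower_user_name
from cwd_user new_u
where new_u.directory_id = (select id from cwd_directory
                            where directory_name = 'LDAP server')
  and not exists (select 1 from cwd_user old_u
                  where old_u.lower_user_name = new_u.lower_user_name
                    and old_u.directory_id = (select id from cwd_directory
                        where directory_name = 'Delegated LDAP Authentication'));

-- 4. Group memberships recorded in the old directory with no matching
--    membership in 'LDAP server' (the inconsistency described in the question).
select old_m.lower_parent_name as group_name, old_m.lower_child_name as user_name
from cwd_membership old_m
where old_m.membership_type = 'GROUP_USER'
  and old_m.directory_id = (select id from cwd_directory
                            where directory_name = 'Delegated LDAP Authentication')
  and not exists (select 1 from cwd_membership new_m
                  where new_m.membership_type = 'GROUP_USER'
                    and new_m.lower_parent_name = old_m.lower_parent_name
                    and new_m.lower_child_name = old_m.lower_child_name
                    and new_m.directory_id = (select id from cwd_directory
                                              where directory_name = 'LDAP server'))
order by group_name, user_name;
```

Saving the output of these queries alongside the database backup gives a baseline to compare against once the statements have been run.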

Gregory Joseph February 18, 2013

Hey Momo,

Thanks for the reply. The directories are in the "correct" order (ldap on top).

Thanks for the queries. I felt more comfortable using APIs to achieve this, but I'll have a look at your queries and see how that goes.

Thanks again.

0 votes
Gregory Joseph February 24, 2013

Using com.atlassian.crowd.manager.directory.DirectoryManager.removeUser(dirId, userName) did indeed work, but some metadata went missing, such as the login count. I was able to salvage some of that by using SQL directly. Since our users were already using the new instance anyway, I had to add the values from their 2 user records; only did it for a handful - and really only for the login count attribute. If I had to re-do the migration, I guess having the osuser.xml in place would help, and if not, the whole thing could be scripted and made cleaner if done before people start using it.

Perhaps I could have dug a little deeper in the Jira sources to see what happens when osuser.xml is present at the time of the upgrade.
