How to filter expired LDAP-accounts?

Hello!

We use the corporate Active Directory as the fount of authentication for both JIRA and Confluence. This works fairly well except for one problem... When a user's account expires in AD (such as because he was a consultant hired for a predetermined amount of time), JIRA does not know about it...

They would not be able to actually log in, but it remains possible to assign tickets to them, for example – causing confusion and irritation among remaining users.

How can I make JIRA skip expired accounts, when synchronizing with AD?

5 answers

I don't have a really perfect solution for you, but here is a slightly hacky one:

Define a filter like this:

(&(objectCategory=person)(objectClass=user)(|(accountExpires>=127818648000000000)(accountExpires=0)))

where 127818648000000000 is the timestamp of now (http://www.rlmueller.net/Programs/DateToInteger8.txt)

From time to time you must recalculate this value and replace it with the new current time (preferably programmatically).

Sorry for not having a more elegant solution, but maybe I just don't know AD LDAP queries well enough.

For some reason, accountExpires field is not returned by our AD...
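The periodic recalculation suggested in the answer above, as an added example that is not part of the original thread: it converts the current time to the 100-nanosecond-since-1601 integer that `accountExpires` uses and rebuilds the answer's filter around it. The function names are hypothetical, the sample accounts are constructed, and the second "never expires" value (9223372036854775807) is the AD sentinel that the `>=` clause already covers.

```python
from datetime import datetime, timezone

# Seconds between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch.
EPOCH_DIFF_SECONDS = 11_644_473_600
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# accountExpires values that mean "never expires".
NEVER_EXPIRES = (0, 9223372036854775807)


def to_filetime(moment):
    """Return 100-ns intervals since 1601-01-01 UTC for an aware datetime."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: pass a timezone-aware value")
    delta = moment - UNIX_EPOCH
    # Integer arithmetic only, so no float rounding in the 18-digit result.
    seconds = delta.days * 86400 + delta.seconds
    return (seconds + EPOCH_DIFF_SECONDS) * 10_000_000 + delta.microseconds * 10


def unexpired_user_filter(now=None):
    """Build the answer's filter with the timestamp set to `now`."""
    stamp = to_filetime(now or datetime.now(timezone.utc))
    return ("(&(objectCategory=person)(objectClass=user)"
            "(|(accountExpires>={0})(accountExpires=0)))".format(stamp))


def is_expired(account_expires, now):
    """Mirror the filter client-side for one accountExpires value."""
    value = int(account_expires)
    if value in NEVER_EXPIRES:
        return False
    return value < to_filetime(now)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(unexpired_user_filter(now))
    # Constructed sample entries: (sAMAccountName, accountExpires)
    samples = [
        ("consultant1", "127818648000000000"),    # date in 2006
        ("employee1", "0"),                       # never expires
        ("employee2", "9223372036854775807"),     # never expires
    ]
    for name, expires in samples:
        state = "expired" if is_expired(expires, now) else "active"
        print(name, state)
```
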

PLEASE someone answer this. I have the same thing... *sigh*

Try rating my question up -- maybe, that will catch somebody's attention...

How exactly do you disable accounts in your Active Directory? Doesn't this user become inactive in Jira?

Андрій, one way to disable an account in AD is to explicitly mark it as such. This will change the value of the LDAP-visible field `userAccountControl`. This is easy enough to do -- just alter the LDAP filter used by the directory-synchronization. (See [this page|http://blogs.msdn.com/b/muaddib/archive/2008/10/08/query-individual-properties-of-the-useraccountcontrol-active-directory-user-property.aspx] for example.) Another way a user may become inactive in AD is by "expiring" -- if an account-expiration date was entered into AD, when the account was created, it will become inactive automatically on that date. How to detect _that_, is what I am asking here.
