Get product advice from experts

Ask a question →

Join a community group

Find a group →

Advance your career with learning paths

Take a free class →

Earn badges and rewards

Connect and share ideas at events

See the calendar →

Community
Products
Jira Software
Questions
How to filter expired LDAP-accounts?

How to filter expired LDAP-accounts?

Hello!

We use the corporate Active Directory as the fount of authentication for both JIRA and Confluence. This works fairly well except for one problem... When a user's account expires in AD (such as because he was a consultant hired for predetermined amount of time), JIRA does not know about it...

They would not be able to actually login, but it remains possible to assign tickets to them, for example – causing confusion and irritation among remaining users.

How can I make JIRA skip expired accounts, when synchronizing with AD?

5 answers

1 vote

I don't have a really perfect solution for you but here a little bit hacky one:

Define a filter like this:

(&(objectCategory=person)(objectClass=user)(|(accountExpires>=127818648000000000)(accountExpires=0)))

where 127818648000000000 is the timestamp of now (http://www.rlmueller.net/Programs/DateToInteger8.txt)

from time to time you must recalculate and replace this value with the new current time (better programmatically )

sorry for not having a more elegant solution but maybe I just don't know the AD ldap queries not good enough

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

For some reason, accountExpires field is not returned by our AD...

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

0 votes

Андрій, one way to disable an account in AD is to explicitly mark it as such. This will change the value of the LDAP-visible field `userAccountControl`. This is easy enough to do -- just alter the LDAP filter used by the directory-synchronization. (See [this page|http://blogs.msdn.com/b/muaddib/archive/2008/10/08/query-individual-properties-of-the-useraccountcontrol-active-directory-user-property.aspx] for example.) Another way a user may become inactive in AD is by "expiring" -- if an account-expiration date was entered into AD, when the account was created, it will become inactive automatically on that date. How to detect _that_, is what I am asking here.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

0 votes

How exactly you disable accounts in your Active Directory? Doesn't this user becomes inactive in Jira?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

0 votes

Try rating my question up -- maybe, that will catch somebody's attention...

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

0 votes

PLEASE someone answer this. I have the same thing... *sigh*

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

Suggest an answer

Log in or Sign up to answer

Was this helpful?

Thanks!

TAGS

Community showcase