Ignoring disabled users in LDAP Active Directory

Hi,

Our Jira and LDAP Active Directory (Microsoft) are integrated.

As a company policy, we never delete users from our AD, but disable them.

However, in Jira I see all users (both enabled and disabled).

How do I configure my Jira to ignore disabled users?

Thanks,

Janiv.

2 answers

1 accepted

Accepted Answer
13 votes
David Simpson Community Champion Jun 05, 2012

You could perhaps filter by the LDAP attribute userAccountControl...

Based on Microsoft Support's explanation:

The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this:

(!(UserAccountControl:1.2.840.113556.1.4.803:=2))

...would be all accounts that are not disabled.

So, in JIRA Admin | Users | User Directories

Select your AD configuration then expand the User Schema Settings heading

In the User Object Filter field, paste something like...

(&(objectCategory=Person)(sAMAccountName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

This is the default filter for AD with the additional filter added.

Or the selected field here:

Thanks,

Where do I put this string in Jira?>

Thanks again,

David Simpson Community Champion Jun 05, 2012

See the update above

The interesting question is how to disable Jira users which are disabled in active directory (to see them as disabled)

Where does the syntax (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) come from? What is the meaning of those numbers? Active Directory has a normal looking syntax with named flags, shouldn't we be able to use something like (!(UserAccountControl & UF_ACCOUNTDISABLE = UF_ACCOUNTDISABLE)) or, lacking symbolic bitmasks, (!(UserAccountControl & 0x02 = 0x02))?

@Andrew Eldredge those numbers are object identifiers.  You can't find more info here: https://technet.microsoft.com/en-us/library/cc961749.aspx

I already tried this and ended up having bigger problems: this filter removes people from the LDAP results and due to this Jira will remove all their group memberhips. That's by (bad) design, and even if the account is re-enabled, the users group membership is not going to be restored.

If jira would just diable the users it would be OK, but that's not what it really does.

Note: this is also happening if they forgot to change their password every 3 months! Try to scale the problem to >100 users and you are already a doomed jira admin.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 18, 2018 in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

26,098 views 2 7
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you