Ignoring disabled users in LDAP Active Directory

GilK
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 5, 2012

Hi,

Our Jira and LDAP Active Directory (Microsoft) are integrated.

As a company policy, we never delete users from our AD, but disable them.

However, in Jira I see all users (both enabled and disabled).

How do I configure my Jira to ignore disabled users?

Thanks,

Janiv.

2 answers

1 accepted

15 votes
Answer accepted
David at David Simpson Apps
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
June 5, 2012

You could perhaps filter by the LDAP attribute userAccountControl...

Based on Microsoft Support's explanation:

The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this:

(!(UserAccountControl:1.2.840.113556.1.4.803:=2))

...would be all accounts that are not disabled.

So, in JIRA Admin | Users | User Directories

Select your AD configuration then expand the User Schema Settings heading

In the User Object Filter field, paste something like...

(&(objectCategory=Person)(sAMAccountName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

This is the default filter for AD with the additional filter added.

Or the selected field here:

GilK
Rising Star
June 5, 2012

Thanks,

Where do I put this string in Jira?

Thanks again,

David at David Simpson Apps
Marketplace Partner
June 5, 2012

See the update above

Sorin Sbarnea (Citrix)
Rising Star
August 8, 2012

The interesting question is how to disable Jira users who are disabled in Active Directory (to see them as disabled).

Andrew Eldredge September 30, 2015

Where does the syntax (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) come from? What is the meaning of those numbers? Active Directory has a normal looking syntax with named flags, shouldn't we be able to use something like (!(UserAccountControl & UF_ACCOUNTDISABLE = UF_ACCOUNTDISABLE)) or, lacking symbolic bitmasks, (!(UserAccountControl & 0x02 = 0x02))?

Paul Stallworth
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 3, 2016

@Andrew Eldredge those numbers are object identifiers.  You can't find more info here: https://technet.microsoft.com/en-us/library/cc961749.aspx

1 vote
Sorin Sbarnea (Citrix)
Rising Star
September 3, 2012

I already tried this and ended up having bigger problems: this filter removes people from the LDAP results and due to this Jira will remove all their group memberships. That's by (bad) design, and even if the account is re-enabled, the user's group membership is not going to be restored.

If Jira would just disable the users it would be OK, but that's not what it really does.

Note: this is also happening if they forgot to change their password every 3 months! Try to scale the problem to >100 users and you are already a doomed Jira admin.
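
Added example (not code from any poster in this thread or from Jira): a small Python evaluator for the filter in the accepted answer, implementing the Microsoft bitwise matching rules 1.2.840.113556.1.4.803 (all bits of the value set) and 1.2.840.113556.1.4.804 (any bit set). It lists which accounts the new filter would stop returning, which is the set exposed to the group-membership side effect described in the answer above. The helper names and user records are constructed assumptions, and `objectCategory` is simplified to a plain string.

```python
import re

# Microsoft matching-rule OIDs for extensible-match filter clauses
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit of the value is set

def _split(body):
    """Split '(a)(b(c))' into its top-level parenthesised sub-filters."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts

def matches(flt, entry):
    """Evaluate a small subset of LDAP filter syntax against one entry (a dict)."""
    inner = flt.strip()[1:-1]
    if inner[0] == "&":
        return all(matches(p, entry) for p in _split(inner[1:]))
    if inner[0] == "|":
        return any(matches(p, entry) for p in _split(inner[1:]))
    if inner[0] == "!":
        return not matches(inner[1:], entry)
    attr, rule, value = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", inner).groups()
    have = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if have is None:
        return False
    if rule == BIT_AND:
        return (int(have) & int(value)) == int(value)
    if rule == BIT_OR:
        return (int(have) & int(value)) != 0
    return value == "*" or str(have).lower() == value.lower()

DEFAULT = "(&(objectCategory=Person)(sAMAccountName=*))"
FILTERED = "(&(objectCategory=Person)(sAMAccountName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
# Constructed sample entries: 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE,
# 65536 = DONT_EXPIRE_PASSWORD. bob (514) and dave (66050) are disabled.
USERS = [{"sAMAccountName": n, "objectCategory": "person", "userAccountControl": u}
         for n, u in [("alice", 512), ("bob", 514), ("carol", 66048), ("dave", 66050)]]

def dropped_by(old, new, entries):
    """Dry run: accounts the old filter returns but the new one no longer does."""
    return [e["sAMAccountName"] for e in entries if matches(old, e) and not matches(new, e)]
```

Calling `dropped_by(DEFAULT, FILTERED, USERS)` gives the accounts to review before the User Object Filter is changed.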
