Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Jira LDAP Duplicated users

Hi

 

Actually, we have our users in 3 diferents groups in LDAP. In this one there are more groups and users. But we want only the users from these 3 groups.

Our problem become when some users are in 2 groups at the same time, because they are developers but testers too. 

The problem is these users appear two times in UserPicker fields, but they are only one time in our users list. 

 

What I would like to know is how I can fix that, because I have only one user called "Jorge" but It shows two. 

1 answer

1 accepted

0 votes
Answer accepted
Andy Heinzer Atlassian Team Jun 04, 2019

Hi Jorge,

Sorry to hear there is a problem here.  Sounds like Jira has duplicated the user account in the process of syncing that user data into Jira's own cwd_user table of the database.   However I don't think it should be doing that.  Could you let me know what specific version of Jira Server this is? 

I would also be interested to learn more about your user directory configuration within Jira itself.  It is possible that this could be resolved with an adjustment to the configuration of that user directory within Jira.   Specifically, I would be interested to learn the exact syntax you are using for the user object filter. 

What kind of LDAP server is being used here?  Is this openldap or Active Directory or some other variant?   

Andy

We're Using Active Directory, Jira 8.1.0.

The filter we use on users is:

(memberOf=CN=Inlogiq-Tecnica,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)

This is for pic users in "Inlogiq-Tecnica".

Then we use this other filter: 

(memberOf=CN=Inlogiq-Proyectos,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)

The problem is some users are in both groups, and some only in one. The users who are in both groups just are duplicated in user piker fields as I said before.

I don't know too much about LDAP so I can tell you more

Andy Heinzer Atlassian Team Jun 06, 2019

Hi Jorge,

Thanks for this additional information here.  Just to clarify some more, did you create two different user directories in Jira in order to achieve this?   I suspect that you might have, and if that is the case then the behavior here could be technically expected.

Jira is treating each user directory as it's own logical entity.  While you could use nearly the same settings between two different user directories, Jira is segmenting these as different user accounts because they actually are.   Instead of doing it this way, my suggestion would be to try to incorporate both sets of users into the same logical user directory.  This way Jira won't have to perform 2 separate sync operations and it should help us to avoid duplicating users.  

To do this, I recommend checking out our KB on How to write LDAP search filters.  Specifically the very bottom of that page has some AD specific examples for being able to grab users that might exist and any of 4 different groups:

This will search for users who are a member of any or all the 4 groups (fire, wind,water,heart)

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=fire,ou=users,dc=company,dc=com)(memberOf=cn=wind,ou=users,dc=company,dc=com)(memberOf=cn=water,ou=users,dc=company,dc=com)(memberOf=cn=heart,ou=users,dc=company,dc=com)))

 

I think we can adapt that example to make your user object filter looks something like this:

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=Inlogiq-Tecnica,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)(memberOf=CN=Inlogiq-Proyectos,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)))

With a single filter like this in one of the directory configurations, you should then be able to disable the other user directory in Jira.  Once Jira can sync again with the changed directory configuration, both sets of users should then exist in the same user directory.   You might need to also make sure that the groups that grant these users access still exist in this altered user directory, or else the users of one directory won't be able to login to Jira.

I hope this helps.

Andy

But one of our problems is, we use 3 different conections to the same LDAP because the users from first one are directly in the jira-software group, and then, the users from the second one are service-desk agents. That's why we created 3 conections. 

Andy Heinzer Atlassian Team Jun 10, 2019

Hi Jorge,

I'm not sure I follow.  The part I am suggesting to change the configuration on is just how Jira determines which user objects to sync over.  The granting of application access is still determined by a user's membership to specific groups that grant that access.  By default those group names are jira-software-users and jira-servicedesk-users for examples, but you could also have other group names that grant application access.  More details in Licensing and application access.

The approach I suggest here is to simply create a single user object filter that gathers all these user objects once, and then disable the other user directories.  I don't expect that this would actually change the user's group memberships here.  Although perhaps it is possible.   Is the Group object filter different between these 3 directories?  Or is it exactly the same?  Perhaps there are more complexities to your LDAP settings here that I do not fully comprehend yet.  I am interested to better understand your configuration here to better help.

Perhaps you can share your directory configuration summary with us.  You can find this under the User Management -> User Directories -> Directory Configuration Summary  or the URL /plugins/servlet/embedded-crowd/support/directories

Andy 

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you