Jira LDAP Duplicated users

Jorge Jerez June 3, 2019

Hi

 

Actually, we have our users in 3 different groups in LDAP. In this one there are more groups and users. But we want only the users from these 3 groups.

Our problem arises when some users are in 2 groups at the same time, because they are developers but testers too.

The problem is these users appear two times in UserPicker fields, but they are only one time in our users list. 

 

What I would like to know is how I can fix that, because I have only one user called "Jorge" but it shows two.

1 answer

1 accepted

0 votes
Answer accepted
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 4, 2019

Hi Jorge,

Sorry to hear there is a problem here.  Sounds like Jira has duplicated the user account in the process of syncing that user data into Jira's own cwd_user table of the database.   However I don't think it should be doing that.  Could you let me know what specific version of Jira Server this is? 

I would also be interested to learn more about your user directory configuration within Jira itself.  It is possible that this could be resolved with an adjustment to the configuration of that user directory within Jira.   Specifically, I would be interested to learn the exact syntax you are using for the user object filter. 

What kind of LDAP server is being used here?  Is this OpenLDAP or Active Directory or some other variant?

Andy

Jorge Jerez June 5, 2019

We're using Active Directory, Jira 8.1.0.

The filter we use on users is:

(memberOf=CN=Inlogiq-Tecnica,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)

This is to pick users in "Inlogiq-Tecnica".

Then we use this other filter: 

(memberOf=CN=Inlogiq-Proyectos,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)

The problem is some users are in both groups, and some only in one. The users who are in both groups are just duplicated in user picker fields, as I said before.

I don't know too much about LDAP so I can tell you more

Andy Heinzer
Atlassian Team
June 6, 2019

Hi Jorge,

Thanks for this additional information here.  Just to clarify some more, did you create two different user directories in Jira in order to achieve this?   I suspect that you might have, and if that is the case then the behavior here could be technically expected.

Jira is treating each user directory as its own logical entity.  While you could use nearly the same settings between two different user directories, Jira is segmenting these as different user accounts because they actually are.   Instead of doing it this way, my suggestion would be to try to incorporate both sets of users into the same logical user directory.  This way Jira won't have to perform 2 separate sync operations and it should help us to avoid duplicating users.

To do this, I recommend checking out our KB on How to write LDAP search filters.  Specifically, the very bottom of that page has some AD-specific examples for being able to grab users that might exist in any of 4 different groups:

This will search for users who are a member of any or all the 4 groups (fire, wind, water, heart)

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=fire,ou=users,dc=company,dc=com)(memberOf=cn=wind,ou=users,dc=company,dc=com)(memberOf=cn=water,ou=users,dc=company,dc=com)(memberOf=cn=heart,ou=users,dc=company,dc=com)))

 

I think we can adapt that example to make your user object filter look something like this:

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=Inlogiq-Tecnica,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)(memberOf=CN=Inlogiq-Proyectos,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)))

With a single filter like this in one of the directory configurations, you should then be able to disable the other user directory in Jira.  Once Jira can sync again with the changed directory configuration, both sets of users should then exist in the same user directory.   You might need to also make sure that the groups that grant these users access still exist in this altered user directory, or else the users of one directory won't be able to log in to Jira.

I hope this helps.

Andy
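
The following is an added example, not part of the original thread and not Atlassian's code. It builds the combined "any of these groups" filter from a list of group DNs with RFC 4515 escaping, then uses a simplified model of per-directory sync over constructed users to show why two directories yield two entries for one person while a single directory with the OR filter yields one. The function names, the sample users and the sync model are assumptions made for illustration.

```python
# Added illustration: helper names, sample users and the sync model are
# hypothetical; only the group DNs and filter shape come from the thread.

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters in an LDAP filter assertion value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )

def any_group_filter(group_dns):
    """AD user filter matching members of any of the given group DNs."""
    clauses = "".join(
        "(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns
    )
    return "(&(objectCategory=Person)(sAMAccountName=*)(|%s))" % clauses

BASE = "OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local"
TECNICA = "CN=Inlogiq-Tecnica," + BASE
PROYECTOS = "CN=Inlogiq-Proyectos," + BASE

# Constructed sample accounts mapped to their memberOf values.
USERS = {
    "jorge": {TECNICA, PROYECTOS},  # developer and tester
    "ana": {TECNICA},
    "luis": {PROYECTOS},
    "marta": set(),                 # in neither group, never synced
}

def sync(directory_id, group_dns):
    """Simplified model: one synced row per (directory, matching user)."""
    wanted = set(group_dns)
    return [
        (directory_id, name)
        for name, groups in sorted(USERS.items())
        if groups & wanted
    ]

def picker_entries(rows):
    """Count how many synced rows exist for each username."""
    counts = {}
    for _, name in rows:
        counts[name] = counts.get(name, 0) + 1
    return counts

# Two directories with one group each, versus one directory with the OR filter.
two_dirs = sync(1, [TECNICA]) + sync(2, [PROYECTOS])
one_dir = sync(1, [TECNICA, PROYECTOS])

if __name__ == "__main__":
    print(any_group_filter([TECNICA, PROYECTOS]))
    print("two directories:", picker_entries(two_dirs))
    print("one directory:  ", picker_entries(one_dir))
```
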

Jorge Jerez June 7, 2019

But one of our problems is, we use 3 different connections to the same LDAP because the users from the first one are directly in the jira-software group, and then, the users from the second one are service-desk agents. That's why we created 3 connections.

Andy Heinzer
Atlassian Team
June 10, 2019

Hi Jorge,

I'm not sure I follow.  The part I am suggesting to change the configuration on is just how Jira determines which user objects to sync over.  The granting of application access is still determined by a user's membership to specific groups that grant that access.  By default those group names are jira-software-users and jira-servicedesk-users for example, but you could also have other group names that grant application access.  More details in Licensing and application access.

The approach I suggest here is to simply create a single user object filter that gathers all these user objects once, and then disable the other user directories.  I don't expect that this would actually change the user's group memberships here.  Although perhaps it is possible.   Is the Group object filter different between these 3 directories?  Or is it exactly the same?  Perhaps there are more complexities to your LDAP settings here that I do not fully comprehend yet.  I am interested to better understand your configuration here to better help.

Perhaps you can share your directory configuration summary with us.  You can find this under the User Management -> User Directories -> Directory Configuration Summary  or the URL /plugins/servlet/embedded-crowd/support/directories

Andy 

Mariano Lopez November 6, 2020
