Actually, we have our users in 3 diferents groups in LDAP. In this one there are more groups and users. But we want only the users from these 3 groups.
Our problem become when some users are in 2 groups at the same time, because they are developers but testers too.
The problem is these users appear two times in UserPicker fields, but they are only one time in our users list.
What I would like to know is how I can fix that, because I have only one user called "Jorge" but It shows two.
Sorry to hear there is a problem here. Sounds like Jira has duplicated the user account in the process of syncing that user data into Jira's own cwd_user table of the database. However I don't think it should be doing that. Could you let me know what specific version of Jira Server this is?
I would also be interested to learn more about your user directory configuration within Jira itself. It is possible that this could be resolved with an adjustment to the configuration of that user directory within Jira. Specifically, I would be interested to learn the exact syntax you are using for the user object filter.
What kind of LDAP server is being used here? Is this openldap or Active Directory or some other variant?
We're Using Active Directory, Jira 8.1.0.
The filter we use on users is:
(memberOf=CN=Inlogiq-Tecnica,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)
This is for pic users in "Inlogiq-Tecnica".
Then we use this other filter:
(memberOf=CN=Inlogiq-Proyectos,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)
The problem is some users are in both groups, and some only in one. The users who are in both groups just are duplicated in user piker fields as I said before.
I don't know too much about LDAP so I can tell you more
Thanks for this additional information here. Just to clarify some more, did you create two different user directories in Jira in order to achieve this? I suspect that you might have, and if that is the case then the behavior here could be technically expected.
Jira is treating each user directory as it's own logical entity. While you could use nearly the same settings between two different user directories, Jira is segmenting these as different user accounts because they actually are. Instead of doing it this way, my suggestion would be to try to incorporate both sets of users into the same logical user directory. This way Jira won't have to perform 2 separate sync operations and it should help us to avoid duplicating users.
To do this, I recommend checking out our KB on How to write LDAP search filters. Specifically the very bottom of that page has some AD specific examples for being able to grab users that might exist and any of 4 different groups:
This will search for users who are a member of any or all the 4 groups (fire, wind,water,heart)
I think we can adapt that example to make your user object filter looks something like this:
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=Inlogiq-Tecnica,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)(memberOf=CN=Inlogiq-Proyectos,OU=Inlogiq,OU=Grupos de Permisos,DC=red,DC=local)))
With a single filter like this in one of the directory configurations, you should then be able to disable the other user directory in Jira. Once Jira can sync again with the changed directory configuration, both sets of users should then exist in the same user directory. You might need to also make sure that the groups that grant these users access still exist in this altered user directory, or else the users of one directory won't be able to login to Jira.
I hope this helps.
I'm not sure I follow. The part I am suggesting to change the configuration on is just how Jira determines which user objects to sync over. The granting of application access is still determined by a user's membership to specific groups that grant that access. By default those group names are jira-software-users and jira-servicedesk-users for examples, but you could also have other group names that grant application access. More details in Licensing and application access.
The approach I suggest here is to simply create a single user object filter that gathers all these user objects once, and then disable the other user directories. I don't expect that this would actually change the user's group memberships here. Although perhaps it is possible. Is the Group object filter different between these 3 directories? Or is it exactly the same? Perhaps there are more complexities to your LDAP settings here that I do not fully comprehend yet. I am interested to better understand your configuration here to better help.
Perhaps you can share your directory configuration summary with us. You can find this under the User Management -> User Directories -> Directory Configuration Summary or the URL /plugins/servlet/embedded-crowd/support/directories
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events