Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira randomly removed users from LDAP groups

Kelsey Collins
Kelsey Collins January 30, 2019

Looking in the Audit Log, Jira randomly removed users from a few different LDAP groups. Looking in Exchange, those users are still in the appropriate groups. What would be causing this? I tried synchronizing the LDAP and that didn't resolve the issue. 

Answer
Watch
Like Be the first to like this
1005 views

5 answers

0 votes
Andrej Freeze _ greenique
Andrej Freeze _ greenique
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 3, 2021

I have run into a similar situation. Production and Test environment share the same AD connection. Filters path's etc. are all the same. However in the production environment users were removed from groups that should not have been removed. In the testing environment only very few changes are appearing, that can be tracked down to actual changes that were performed to the active directory.

@Kelsey Collins have you been able to find out what caused the disruption in your system?

View More Comments
Andrej Freeze _ greenique
Andrej Freeze _ greenique
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 3, 2021

Okay I have been able to solve this without understand what originally caused the issue. But here is what I have done to the production environment:

  1. Navigate to the user directories and hit synchronize on the broken ldap connection.
  2. Check if everything was fixed, sadly in my case it was not.
  3. Edit the broken connection, test and save it without changing anything.
  4. Synchronize again and check if everything was fixed. And yes, this did the trick for us. 
Like
Reply
0 votes
CARLISLE
CARLISLE
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
February 1, 2019

I am a MSFT expert and MSFT ADMIN. More than likely the groups re-authenticate every day.

Exchange runs email and Active Directory runs the credential system. However, it seems that there is a new ghost user somewhere in your groups. I would check with the networking team or manager on the Active Directory side to see if the ghost user was created. The user credentials could be created/deleted just in JIRA and that change would be relevant just to the JIRA ADMIN team as they could allow a block of that user.

Were these users new employees, old employees, contractors, temp, or other staff? Was there a change in the Payroll system or something similar? Was there a change that needed to be transparent to you or your team from your Risk Management team? Did a job role change where the user did not need to know or use JIRA any longer?

Information regarding Users and User Directories including LDAP stuff is below in the KB:

https://confluence.atlassian.com/doc/configuring-user-directories-229838212.html

View More Comments
Kelsey Collins
Kelsey Collins February 1, 2019

The users removed are existing employees and there were no significant changes to the AD that I'm aware of but I'll check with our team that handles that. 

Like
LarryBrock
LarryBrock
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 7, 2019

@Kelsey Collins- was your AD Admin team of any help?

Like
Reply
0 votes
LarryBrock
LarryBrock
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
January 31, 2019

Hi @Kelsey Collins If the user was "Jira", then it's the automated sync process that's taking the action.  You said "Exchange" earlier and not AD.  I'm not a Microsoft expert but is it possible the group(s) you checked are not the actual groups being imported by Jira?  That would be the most likely source based on what I see in your posted information.  Cheers!

Reply
0 votes
Kelsey Collins
Kelsey Collins January 30, 2019

The audit log says the author was "Jira". 

Reply
0 votes
CARLISLE
CARLISLE
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 30, 2019

How many JIRA ADMINs do you have on site? An individual ADMIN might have move someone in the night?

 

The log should show which ADMIN whether a SPACE ADMIN or regular JIRA ADMIN moved the user/users. Is there a record in the log of which ADMIN removed someone?

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events