Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Microsoft Active Directory and User migration

Deleted user January 5, 2018

I hope I can describe this issue properly, if not, please clarify with me so we can have clear picture. 

  1. we have one team doing data migration from an old bug tracking system to jira software (will be the latest version 7.6.2)
  2. we have another team dealing with LDAP, so the user active directory sync setup correctly and we get what we need for user list from corporate, login tested, fine. 

the problem here is -

take an example: 

  1. quan is the user id in old bug tracking system, with quan@email   address;   
  2. quan is the user id in LDAP, with same email address quan@email;

after data migration,  we see in jira -

  1. quan as an internal user somehow, with the correct email
  2. quan as ldap sync user , WITHOUT any email

we need quan can login by its corporate password. right now,  no quan can login unless we delete the internal one. we see 'twins', cannot choose the right one, either. After all quan is the same person using same address. 

please advise us how properly manage this situation. I only think about the order to do 1,2 matters, but not sure. 

many thanks in advance

Answer
Watch
Like Be the first to like this
421 views

2 answers

0 votes
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2018

With Jira there are a few rules that happen when dealing with multiple user directories.  It might also help to take a look at the documentation on Managing multiple directories in order to better understand these.

If you have multiple user directories in Jira, and each of them contain the same user name(s), then the directory ordered at the top within Jira takes precedence.  Hence if the username 'quan' exists in both directories, say with a different password for each directory, the username 'quan' will only be able to login to Jira in the top ordered directory that contains that user account.

However let's say that username 'bob' does not exist in the top ordered directory such as an LDAP directory.  If 'bob' does exist in the lower ordered directory, such as the internal directory to Jira, then 'bob' can still login to Jira, but it would be with the password set in the Jira internal directory for that user.

If adding the LDAP account did not bring in the email address, then there is likely something wrong with the attribute in the directory configuration that should be bringing that value into Jira.  I would recommend reviewing the Connecting To an LDAP directory doc, specifically the User Schema Settings.   Depending on the different kinds of LDAP directories, the attribute used to find the email addresses could be different than what Jira is currently set to look for.

Jira Server does not base the uniqueness of the account on the email address, but rather the username itself.   Jira Cloud does this a bit differently, in Jira Cloud the uniqueness of the account is requiring the user to have a unique email address that also could be their username in Cloud.

View More Comments
Deleted user January 5, 2018

is there meaning we must have AD one on top of internal directory in order to ensure every one using own id/pwd and later any changes onto pwd can be effective ? 

your 'bob' case we cannot produce since we don't know what would be its password set in internal directory. 

 

Another case with 'restore'

adding LDAP account before 'restore' or doesn't matter ? 

'restore' did update or overwrite the user directory ? 

Like
Andy Heinzer
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2018

Most instances tend to have their LDAP/AD user directory on top in Jira.  Mostly because it contains the majority of their users.   But you are not required to do this.  It really depends on where most of your users exist right now, and what credentials you expect these users to use in order to login to Jira.

If you were not using an LDAP user directory, and you only had the Jira internal user directory, then you would have to create that user in Jira directly.  When you do this, you do this as an admin, you get to specify the password for that account at that time.

If you are doing a complete system restore (with the XML backup), that process completely wipes the existing database.   So it doesn't make sense to add in the LDAP directory to Jira before this restore, since all those users and the settings would be removed by the restore process itself.

Like
Deleted user January 5, 2018

Thank you very much!  We will have a look at current settings to see anything we can adjust to prevent odd things happening :-)

Like
Deleted user January 5, 2018

by the way, I want to mention we run into problems twice when we restore zip onto a fresh jira where no ldap configured, but the zip file containing ldap information.  I raised a ticket in support site. 

in the past, we always have a site with ldap configured , sync okay, then restore on top of it, but some odd stuff appear :-( 

Like
Deleted user January 5, 2018

I believe the expect behaviour :  no matter what configured on a site, restore should be done successfully.  :-)

Like
Reply
0 votes
Gregory Van Den Ham
Gregory Van Den Ham
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 5, 2018

Hello, how many jira user directories do you have?  Is the ldap directory set to be first in the order of directories?

Take a look at the migrating documentation for directories.

View More Comments
Deleted user January 5, 2018

we have internal one and ldap one sync with MS AD

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events