managing expired ldap users with JIRA+embedded crowd

AlexH
Rising Star
January 10, 2012

The embedded crowd built into JIRA 4.3+ is fantastic as far as creating new users go, but it seems to fall short as far as managing disabled/expired accounts.

For example, I tend to use a user filter similar to this when integrating applications with ActiveDirectory:

(&(&(&(&(objectClass=user)(objectCategory=person)(extensionAttribute3=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))(sAMAccountName=*))

This filter excludes expired/terminated users; users become disabled in ActiveDirectory, JIRA dutifully removes these users the next time it syncs, and then proceeds to throw error messages when you try to manipulate objects that rely on those users, such as projects with a null project lead or projects with a null user in a project role.

After much back and forth, Atlassian's support channel (a junior support engineer) basically told me they have no solution for this problem and I should open a feature request asking for JIRA to handle null users more appropriately.

It seems like I need to go back to using a filter that does not exclude disabled/expired AD accounts and resume managing the active JIRA user list by pruning users from groups via weekly scripts. And hence 50% of the benefit of the embedded crowd goes out the window...

Has anyone else come up with a more successful method of automating user cleanup with embedded crowd + JIRA?

2 answers

0 votes
AlexH
February 1, 2012

I switched to using a filter that looks like this:

(&(objectClass=user)(objectCategory=person)(mail=*)(sn=*)(givenName=*)(lastLogonTimestamp>=1)(sAMAccountName=*))

This way disabled/termed users don't drop out of the crowd sync, and between the need to have a mail, sn, givenName and having logged into AD at least once, most of our non-user AD accounts are pruned out so they don't show up in JIRA.

I also use another AD group that all employees are added to to grant permission in our permissions schemes.

It's not an ideal solution, but so far it's working okay. It'd be nice if JIRA had better handling of "null" users though, because even with these settings we sometimes still stumble across a null user in a projectAdmin role that causes the whole role editor to become so confused you can't edit anything until you create a dummy user with the same username.
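
An added illustration, not part of the original posts and not Atlassian's code: a small offline evaluator that runs the two filters quoted in this thread over constructed directory entries, showing which accounts each filter would sync and which disabled accounts stay visible and therefore need their group memberships reviewed. It handles only the filter syntax used here; the entries, account names and function names are assumptions.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule OID (from the first filter)
ACCOUNTDISABLE = 0x2                # userAccountControl bit that the first filter tests
STRICT = ("(&(&(&(&(objectClass=user)(objectCategory=person)(extensionAttribute3=*)"
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))))(sAMAccountName=*))")
LENIENT = ("(&(objectClass=user)(objectCategory=person)(mail=*)(sn=*)(givenName=*)"
           "(lastLogonTimestamp>=1)(sAMAccountName=*))")

def parse(f, i=0):
    """Parse the filter component starting at f[i]; return (node, index after it)."""
    i += 1                                    # skip "("
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1              # skip ")"
    end = f.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?(>=|=)(.*)", f[i:end])
    return ("item", *m.groups()), end + 1

def matches(node, entry):
    if node[0] == "item":
        _, attr, rule, op, value = node
        have = entry.get(attr.lower())
        if have is None:
            return False                      # simplification: absent attribute never matches
        if rule == BIT_AND:
            return (int(have) & int(value)) == int(value)
        if op == ">=":
            return int(have) >= int(value)
        return value == "*" or str(have).lower() == value.lower()
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return not results[0] if op == "!" else all(results) if op == "&" else any(results)

def synced(ldap_filter, directory, disabled_only=False):
    """Names the filter would sync; optionally only those with ACCOUNTDISABLE set."""
    tree, _ = parse(ldap_filter)
    return sorted(e["samaccountname"] for e in directory if matches(tree, e)
                  and (not disabled_only or int(e["useraccountcontrol"]) & ACCOUNTDISABLE))

# Constructed sample entries (attribute names lower-cased, single-valued for brevity).
BASE = {"objectclass": "user", "objectcategory": "person", "lastlogontimestamp": "129700000000000000"}
HUMAN = {"mail": "x@example.com", "sn": "X", "givenname": "X", "extensionattribute3": "emp"}
DIRECTORY = [{**BASE, **HUMAN, "samaccountname": "alice", "useraccountcontrol": "512"},
             {**BASE, **HUMAN, "samaccountname": "bob", "useraccountcontrol": "514"},
             {**BASE, "samaccountname": "svc-backup", "useraccountcontrol": "512"}]
```

Calling `synced(LENIENT, DIRECTORY, disabled_only=True)` lists the disabled accounts that the second filter keeps in the sync, which is the set a periodic group-pruning job would need to act on.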

0 votes
MaximeC January 15, 2012

Hi Alex,

I think I've got the same problem as you. I noticed this behaviour during my last upgrade (from JIRA 3.11 to JIRA 4.4 + crowd 2.2.1).... I don't know how to manage these users and to get my JIRA as previously (clean data for project role)... I don't have any answer, however I am really interested if you find the method.
