removing system administrators

Brian Bagent May 16, 2014

I'm running Jira 6.2.3. My instance is set up for LDAP authentication to Active Directory. The instance is read-only.

The problem is trying to remove jira-administrators. I'm a domain admin and have removed the users that shouldn't have admin access from the global security group jira-administrators in AD. When I force Jira to sync with AD, those users remain in Jira as jira-administrators.

Adding/removing users from any other global security group works as expected when synced with Jira. The added show up in Jira after I've added them to AD, and they're gone from those Jira groups when I remove them from their respective AD groups.

The only group that the users are hanging on to in Jira is jira-administrators.

I could manually delete them from cwd_members, but I'm not sure what the repercussions would be if I did that.

Anyone have any idea what I've screwed up?

2 answers

0 votes
Nic Brough -Adaptavist-
Community Leader
May 16, 2014

Start with a look at the directories. Jira has an internal one as well as importing external ones.

One thing that might be happening is that you are set up in LDAP and internally, and both accounts are in jira-administrators. If you remove yourself from the LDAP directory group, that's fine, and it's probably working, but when Jira is looking for admins, it's finding a pointer to you in the internal group that it's now reading because it can't find you in LDAP!

In other words, check the directory entries!

The other thing is that Jira absolutely requires at least one admin, so it will ignore LDAP removal if you're the last admin standing...

Brian Bagent May 16, 2014

Jira is using AD first. In any case, there are only two administrators in the Crowd "jira-administrators" group. There are 7 accounts showing up in the LDAP "jira-administrators" group, including the two of us that are in that group in Crowd.

I suppose I could just disable the Crowd directory entirely. If it causes a problem, I'm using MySQL Workbench to access the DB directly anyway. I could always re-enable it and reset authentication order.

Obviously, I'm not the last man standing.

I added a new group called "jira-sysadmin" which I've promoted to system administrator in Jira. Jira updated flawlessly after the AD sync to bring that group in.

Nic Brough -Adaptavist-
May 16, 2014

Yes, I'd try disabling the Crowd directory next, that would at least tell you if I've got the right idea.

Everything else you're doing is exactly what I'd be doing as well; I think you're going in the right direction.

Brian Bagent May 16, 2014

Disabling Crowd didn't help. I'll restart the service early tomorrow. I suppose that it could be some sort of server caching issue.

Brian Bagent May 21, 2014

I raised a ticket with Atlassian. When I get an answer from them, I'll post it here.

0 votes
Brian Bagent May 16, 2014

I've disabled the delta-sync to run a full sync. That didn't work, either. I know that my LDAP filters are set up correctly because the jira-administrators group is located in the same CN as jira-developers and jira-users. Both of those groups are updating properly.
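As a read-only check before editing membership rows by hand, the sketch below lists which directory each jira-administrators membership belongs to and flags users that the current AD group no longer contains. It is an added example, not code from the thread or from Atlassian. The table and column names, directory names and all rows are constructed assumptions loaded into an in-memory SQLite database, so verify them against your own Jira schema before adapting the query.

```python
import sqlite3

# Assumed, simplified schema: table and column names are assumptions, not
# taken from the thread. All rows below are constructed sample data.
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_name TEXT, active INTEGER);
CREATE TABLE cwd_membership (directory_id INTEGER, lower_parent_name TEXT,
                             lower_child_name TEXT, membership_type TEXT);
"""
DIRECTORIES = [(1, "Internal", 0), (2, "Active Directory", 1)]
AD_SYNCED = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]  # 7 synced rows
INTERNAL = ["alice", "bob"]                                              # 2 internal rows


def build_sample():
    """Create the constructed database: 7 synced admins, 2 internal admins."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_directory VALUES (?, ?, ?)", DIRECTORIES)
    rows = [(2, "jira-administrators", u, "GROUP_USER") for u in AD_SYNCED]
    rows += [(1, "jira-administrators", u, "GROUP_USER") for u in INTERNAL]
    rows.append((2, "jira-users", "heidi", "GROUP_USER"))  # other group, ignored
    conn.executemany("INSERT INTO cwd_membership VALUES (?, ?, ?, ?)", rows)
    return conn


def stale_members(conn, group, current_ad_members):
    """Return (directory, directory_active, user) for every membership row of
    `group` whose user is absent from the current AD group export."""
    expected = {m.lower() for m in current_ad_members}
    cur = conn.execute(
        """SELECT d.directory_name, d.active, m.lower_child_name
           FROM cwd_membership m JOIN cwd_directory d ON d.id = m.directory_id
           WHERE m.lower_parent_name = ? AND m.membership_type = 'GROUP_USER'
           ORDER BY d.id, m.lower_child_name""", (group.lower(),))
    return [(name, bool(active), user) for name, active, user in cur
            if user not in expected]


if __name__ == "__main__":
    # Constructed AD export: only alice and bob remain in the AD group.
    for directory, active, user in stale_members(
            build_sample(), "jira-administrators", ["alice", "bob"]):
        print(f"{user}: still in jira-administrators via {directory} (active={active})")
```

Rows reported under a directory other than the AD one point to a second copy of the membership. Rows reported under the AD directory itself mean the sync is not removing them.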
