I'm running Jira 6.2.3. My instance is set up for LDAP authentication to Active Directory. The instance is read-only.
The problem is trying to remove jira-administrators. I'm a domain admin and have removed the users that shouldn't have admin access from the global security group jira-administrators in AD. When I force Jira to sync with AD, those users remain in Jira as jira-administrators.
Adding/removing users from any other global security group works as expected when synced with Jira. The added users show up in Jira after I've added them to AD, and they're gone from those Jira groups when I remove them from their respective AD groups.
The only group that the users are hanging on to in Jira is jira-administrators.
I could manually delete them from cwd_members, but I'm not sure what the repercussions would be if I did that.
Anyone have any idea what I've screwed up?
I've disabled the delta-sync to run a full sync. That didn't work, either. I know that my LDAP filters are set up correctly because the jira-administrators group is located in the same CN as jira-developers and jira-users. Both of those groups are updating properly.
Start with a look at the directories. Jira has an internal one as well as importing external ones.
One thing that might be happening is that you are set up in LDAP and internally, and both accounts are in jira-administrators. If you remove yourself from the LDAP directory group, that's fine, and it's probably working, but when Jira is looking for admins, it's finding a pointer to you in the internal group that it's now reading because it can't find you in LDAP!
In other words, check the directory entries!
The other thing is that Jira absolutely requires at least one admin, so it will ignore LDAP removal if you're the last admin standing...
Jira is using AD first. In any case, there are only two administrators in the Crowd "jira-administrators" group. There are 7 accounts showing up in the LDAP "jira-administrators" group, including the two of us that are in that group in Crowd.
I suppose I could just disable the Crowd directory entirely. If it causes a problem, I'm using MySQL Workbench to access the DB directly anyway. I could always re-enable it and reset authentication order.
Obviously, I'm not the last man standing.
I added a new group called "jira-sysadmin" which I've promoted to system administrator in Jira. Jira updated flawlessly after the AD sync to bring that group in.
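The directory check suggested in the reply above, written as read-only queries for the direct MySQL access mentioned in the thread. This is an added example, not part of any post; the table and column names (`cwd_membership`, `cwd_directory`, `membership_type = 'GROUP_USER'`) are assumptions about Jira's embedded Crowd schema and should be confirmed against the instance before relying on the output.

```sql
-- Added example: read-only audit of who holds jira-administrators and
-- which user directory supplies each membership row.
-- Assumed schema: cwd_membership(directory_id, lower_parent_name,
-- lower_child_name, membership_type) and cwd_directory(id, directory_name,
-- directory_type, directory_position, active). Verify with DESCRIBE first.

-- 1. One row per (user, directory) that grants the admin group.
SELECT
    m.lower_child_name   AS username,
    d.id                 AS directory_id,
    d.directory_name,
    d.directory_type,                         -- internal vs. LDAP connector
    d.directory_position,                     -- lower value = consulted first
    d.active             AS directory_active
FROM cwd_membership AS m
JOIN cwd_directory  AS d
  ON d.id = m.directory_id
WHERE m.lower_parent_name = 'jira-administrators'
  AND m.membership_type   = 'GROUP_USER'      -- user-in-group rows only
ORDER BY m.lower_child_name, d.directory_position;

-- 2. Users whose admin membership exists in more than one directory.
--    Removing them from the AD group clears only the LDAP-backed row;
--    a row in another directory would remain.
SELECT
    m.lower_child_name                 AS username,
    COUNT(DISTINCT m.directory_id)     AS directories_granting_admin,
    GROUP_CONCAT(DISTINCT d.directory_name
                 ORDER BY d.directory_position
                 SEPARATOR ', ')       AS granted_by
FROM cwd_membership AS m
JOIN cwd_directory  AS d
  ON d.id = m.directory_id
WHERE m.lower_parent_name = 'jira-administrators'
  AND m.membership_type   = 'GROUP_USER'
GROUP BY m.lower_child_name
HAVING COUNT(DISTINCT m.directory_id) > 1;
```

Comparing the first result set with the current AD group membership shows whether the stale administrators are rows left in the LDAP-backed directory or rows held in a different directory.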