removing system administrators

I'm running Jira 6.2.3. My instance is set up for LDAP authentication to Active Directory. The instance is read-only.

The problem is trying to remove jira-administrators. I'm a domain admin and have removed the users that shouldn't have admin access from the global security group jira-administrators in AD. When I force Jira to sync with AD, those users remain in Jira as jira-administrators.

Adding/removing users from any other global security group works as expected when synced with Jira. The added users show up in Jira after I've added them to AD, and they're gone from those Jira groups when I remove them from their respective AD groups.

The only group that the users are hanging on to in Jira is jira-administrators.

I could manually delete them from cwd_members, but I'm not sure what the repercussions would be if I did that.

Anyone have any idea what I've screwed up?

2 answers

I've disabled the delta-sync to run a full sync. That didn't work, either. I know that my LDAP filters are set up correctly because the jira-administrators group is located in the same CN as jira-developers and jira-users. Both of those groups are updating properly.

0 votes

Start with a look at the directories. Jira has an internal one as well as importing external ones.

One thing that might be happening is that you are set up in LDAP and internally, and both accounts are in jira-administrators. If you remove yourself from the LDAP directory group, that's fine, and it's probably working, but when Jira is looking for admins, it's finding a pointer to you in the internal group that it's now reading because it can't find you in LDAP!

In other words, check the directory entries!

The other thing is that Jira absolutely requires at least one admin, so it will ignore LDAP removal if you're the last admin standing...

Jira is using AD first. In any case, there are only two administrators in the Crowd "jira-administrators" group. There are 7 accounts showing up in the LDAP "jira-administrators" group, including the two of us that are in that group in Crowd.

I suppose I could just disable the Crowd directory entirely. If it causes a problem, I'm using MySQL Workbench to access the DB directly anyway. I could always re-enable it and reset authentication order.

Obviously, I'm not the last man standing.

I added a new group called "jira-sysadmin" which I've promoted to system administrator in Jira. Jira updated flawlessly after the AD sync to bring that group in.

Yes, I'd try disabling the Crowd directory next, that would at least tell you if I've got the right idea.

Everything else you're doing is exactly what I'd be doing as well. I think you're going in the right direction.

Disabling Crowd didn't help. I'll restart the service early tomorrow. I suppose that it could be some sort of server caching issue.

I raised a ticket with Atlassian. When I get an answer from them, I'll post it here.
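One way to do the "check the directory entries" step from the answer above, as an added example that is not part of the original thread: read-only MySQL queries showing which user directory supplies each jira-administrators membership. The table and column names (cwd_membership, cwd_directory, cwd_user) are assumed from the standard Jira user-management schema and should be confirmed against your own instance before relying on the output.

```sql
-- Added example (not from the thread). Read-only: SELECT statements only.
-- Assumption: standard Jira tables cwd_membership, cwd_directory, cwd_user.

-- 1) Every membership row for the group, with the directory that owns it.
--    directory_position is the lookup order configured under User Directories.
SELECT d.directory_position AS lookup_order,
       d.directory_name,
       d.directory_type,
       d.active             AS directory_active,
       m.membership_type,
       m.child_name         AS member,
       u.active             AS user_active
FROM cwd_membership m
JOIN cwd_directory d
  ON d.id = m.directory_id
LEFT JOIN cwd_user u
  ON u.directory_id    = m.directory_id
 AND u.lower_user_name = m.lower_child_name
WHERE m.lower_parent_name = 'jira-administrators'
ORDER BY d.directory_position, m.lower_child_name;

-- 2) Members that hold the group in more than one directory, which is the
--    situation the answer describes (same account in LDAP and internally).
SELECT m.lower_child_name AS member,
       COUNT(DISTINCT m.directory_id) AS directory_count,
       GROUP_CONCAT(DISTINCT d.directory_name
                    ORDER BY d.directory_position
                    SEPARATOR ', ') AS directories
FROM cwd_membership m
JOIN cwd_directory d
  ON d.id = m.directory_id
WHERE m.lower_parent_name = 'jira-administrators'
GROUP BY m.lower_child_name
HAVING COUNT(DISTINCT m.directory_id) > 1
ORDER BY member;
```

Rows in the first result that belong to the AD directory for users already removed from the AD group are the stale memberships the sync is not clearing; rows in the second result are accounts that would keep admin rights through another directory even after a clean sync.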
