When a user is deleted from a user directory connected to Bitbucket as a delegated one (Delegating Bitbucket Server authentication to an LDAP directory), users are not removed automatically when they are disabled or deleted from the user directory.
From the documentation:
If you need to delete a user, do it on the LDAP server, but also in the application. If you delete the user only on the LDAP server, it will be rejected from logging in to the application, but it won't be set as inactive, which will affect your license. You'll need to disable the Update User attributes on Login option to delete the user, and then enable it again.
Bitbucket administrators have to delete these users manually or set up an automated process to do so.
These users are a problem because:
- they count as an active license
- they are not in the LDAP user directory anymore so are not part of the company anymore, so users in Bitbucket will diverge from the ones in LDAP
- in case these users had an ssh key and that's still used to authenticate, the logs will report the following git was successfully authenticated via public key, but is no longer active in the underlying user directory. The request has been blocked
Automatically remove these users from Bitbucket once they are not available in the delegated user directory.
Delete the users manually or set up an automated process to do so.
- check for the user existence and status in the user directory (e.g. LDAP)
- the DELETE /REST/API/1.0/ADMIN/USERS?NAME endpoint can be used to delete users (see REST Resources Provided By: Bitbucket Server for details)