Summary

      • Active Directory configured as User Directory in Bitbucket Server.
      • User expiration is controlled in Active Directory by the accountExpires attribute.
      • In Bitbucket Server, the option "Filter out expired users" is enabled.
      • Even though users whose expiry date has been reached can no longer log in, they are still synced and still count towards the license limit.
      • Only when the user is disabled in Active Directory (by right-clicking the username and selecting "Disable Account") and the directory is resynced in Bitbucket Server is the user finally removed.

      Environment

      • Bitbucket Server 4.6.2
      • Connecting to Active Directory for user management

      Steps to Reproduce

      1. Ensure that "Filter out expired users" is enabled in Bitbucket Server (in the user directory Advanced Settings).
      2. Create a user in Active Directory with a future date set in the accountExpires attribute. The value of userAccountControl is 512 (0x200, NORMAL_ACCOUNT).
      3. Resync the directory in Bitbucket Server so that the change is processed.
      4. The user can log in to Bitbucket Server as usual.
      5. Wait until the date in the user's accountExpires attribute has passed.
      6. Resync the directory in Bitbucket Server so that the change is processed.
      7. Even though the user can no longer log in, the user is still listed on the Users page and therefore still counts towards the license limit.
      8. Note that the userAccountControl attribute is still 512 (0x200, NORMAL_ACCOUNT).
      9. Disable the user in Active Directory (by right-clicking the username and selecting "Disable Account").
      10. Note that the userAccountControl attribute now shows 514 (0x202, ACCOUNTDISABLE | NORMAL_ACCOUNT).
      11. Resync the directory in Bitbucket Server so that the change is processed.
      12. The user no longer shows up on the Users page.
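      The two attributes the steps above rely on behave differently: accountExpires is a Windows FILETIME timestamp (100-nanosecond ticks since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires") that AD evaluates at logon time, while userAccountControl is a bitmask that only changes when somebody disables the account. The Python script below is an added example, not code from this issue or from Atlassian; it shows how an administrator can audit a directory export for exactly the accounts this report describes, i.e. past their expiry date but still flagged 0x200 rather than 0x202. The sample entries and the fixed "now" are constructed; with a real export you would feed in the two attribute values as LDAP returns them.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00 UTC, counted in 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both values are used by AD for "account never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

# userAccountControl bits relevant to this report.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200


def filetime_to_datetime(ticks):
    """Convert an accountExpires value to a UTC datetime, or None for 'never'."""
    if ticks in NEVER_EXPIRES:
        return None
    # Drop the sub-microsecond digit; timedelta only carries microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for tz-aware UTC datetimes."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_expired(entry, now):
    """True when accountExpires holds a real date that is not in the future."""
    expires = filetime_to_datetime(int(entry["accountExpires"]))
    return expires is not None and expires <= now


def is_disabled(entry):
    """True when the ACCOUNTDISABLE bit is set in userAccountControl."""
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)


def classify(entry, now):
    """Label an entry the way the report distinguishes them."""
    if is_disabled(entry):
        return "disabled"
    if is_expired(entry, now):
        return "expired-not-disabled"
    return "active"


def audit(entries, now):
    """Names of users AD already rejects but whose UAC still says NORMAL_ACCOUNT."""
    return sorted(e["sAMAccountName"] for e in entries
                  if classify(e, now) == "expired-not-disabled")


# Constructed sample export (not real directory data). "now" is pinned so the
# result is deterministic.
NOW = datetime(2016, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice",  # future expiry, still active
     "accountExpires": datetime_to_filetime(datetime(2017, 1, 1, tzinfo=timezone.utc)),
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob",    # expired, but nobody ticked "Disable Account"
     "accountExpires": datetime_to_filetime(datetime(2016, 6, 30, tzinfo=timezone.utc)),
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "carol",  # expired and explicitly disabled (514 / 0x202)
     "accountExpires": datetime_to_filetime(datetime(2016, 6, 30, tzinfo=timezone.utc)),
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "dave",   # accountExpires = 0 means never
     "accountExpires": 0,
     "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "erin",   # the other "never" sentinel
     "accountExpires": 0x7FFFFFFFFFFFFFFF,
     "userAccountControl": NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{entry['sAMAccountName']:6} {classify(entry, NOW)}")
    print("expired but not disabled:", audit(SAMPLE, NOW))
```

      Running the script lists "bob" as the only account that AD already refuses but that a sync keyed on the ACCOUNTDISABLE bit would keep; that list is the set of users to expect on the Users page (and in the license count) on a Bitbucket Server version affected by this report, and a handy input for a scheduled job that disables such accounts explicitly.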

      Actual Results

      • From the web interface:
        Filter out expired users

        If ticked, expired users will be automatically removed. For cached directories, the removal of a user will occur during the first synchronisation after the account's expiration date.

      • The field label above and its description suggest that when a user is past their account expiry date, which is controlled by the accountExpires attribute in Active Directory, the user is "automatically removed"; however, that is not the case. Even though the user can no longer log in, the user is still listed on the Users page and still counts towards the license limit.
      • Only when the account is disabled in Active Directory (by right-clicking the username and selecting "Disable Account") and the directory is resynced in Bitbucket Server does the user really get "automatically removed".

      Expected Results

      • When users are past their account expiry date, which is controlled by the accountExpires attribute in Active Directory, they should be "automatically removed" from Bitbucket Server instead of merely being unable to log in.

            [BSERV-9023] Expired user in Active Directory still being synced

            Kristy added a comment - edited

            This was fixed in https://jira.atlassian.com/browse/CWD-4736, which was available from Bitbucket Server 6.0.
            If anyone still notices this issue after upgrading, please notify us by commenting here.


            Brent P added a comment -

            This appears to be working and - I believe - was raised due to some incorrect problem diagnosis. I'm going to re-open the original support request and try to give some guidance about how to diagnose the problem.


            Steven Whitman added a comment -

            Our IT department receives automated term reports for employees that will be terminated in the future (for example they gave notice). These term reports are processed and the accountExpires attribute is set to their terminate date. On that date, AD no longer allows them access. Unfortunately Bitbucket Server does not use this field when the Filter out expired users is selected. Using the accountExpires attribute allows us to set up their accounts to deny access prior to their departure. They can continue to use the account without any issues up to the expiration date.

              Assignee: Unassigned
              Reporter: Felipe Kraemer (fkraemer)
              Affected customers: 1
              Watchers: 6
