Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-9023

Expired user in Active Directory still being synced

    XMLWordPrintable

    Details

      Description

      Summary

      • Active Directory configured as User Directory in Bitbucket Server.
      • User expiration is controlled in Active Directory by the accountExpires attribute.
      • In Bitbucket Server, the option "Filter out expired users" is enabled.
      • Even though users whose expiry date have been reached can no longer login, they are still synced and counted towards the license limit.
      • When the user gets disabled in Active Directory (by right-clicking the username and selecting "Disable Account") and the directory is resynced in Bitbucket Server the user gets finally removed.

      Environment

      • Bitbucket Server 4.6.2
      • Connecting to Active Directory for user management

      Steps to Reproduce

      1. Ensure that "Filter out expired users" is enabled in Bitbucket Server (in the user directory Advanced Settings).
      2. Create a user in Active Directory with a future date set to accountExpires attribute. The value of userAccountControl is 512 (0x200 = (NORMAL_ACCOUNT)).
      3. Resync the directory in Bitbucket Server so that changes can be processed.
      4. The user can login as usual in Bitbucket Server.
      5. Wait until the user is past the accountExpires attribute
      6. Resync the directory in Bitbucket Server so that changes can be processed.
      7. Even though the user can no longer login, the user is still listed in the Users page, hence counting towards the license limit.
      8. Note that the userAccountControl attribute is still 512 (0x200 = (NORMAL_ACCOUNT)).
      9. Disable the user in Active Directory (by right-clicking the username and selecting "Disable Account")
      10. Note that the userAccountControl attribute now shows 514 (0x202 = (ACCOUNTDISABLE|NORMAL_ACCOUNT)).
      11. Resync the directory in Bitbucket Server so that changes can be processed.
      12. The user no longer shows up in the Users page.

      Actual Results

      • From the web interface:
        Filter out expired users

        If ticked, expired users will be automatically removed. For cached directories, the removal of a user will occur during the first synchronisation after the account's expiration date.

      • The field label above and its description suggest that when the user is past his account expiry date, which is controlled by the accountExpires attribute in Active Directory, the user is "automatically removed", however that is not true. Even though the user can no longer login, the user is still listed in the Users page, and still counts towards the license limit.
      • Only when the account is disabled in Active Directory (by right-clicking the username and selecting "Disable Account") and the directory is rescynced in Bitbucket Server the user really gets "automatically removed".

      Expected Results

      • When users are past their account expiry date, which is controlled by the accountExpires attribute in Active Directory, they should be "automatically removed" from Bitbucket Server, instead of just not be able to login any longer.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              fkraemer Felipe Kraemer
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: