-
Suggestion
-
Resolution: Unresolved
-
None
-
21
-
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.
Users currently can not be disabled from within Confluence if they are sourced from an LDAP directory which is configured as read-only.
Until Confluence 5.1.4 (fixed in CONF-22337), a link was offered hinting that it was possible to do so, but on trying to perform the operation users were confronted with an error message like
User "xxxxxx" could not be disabled. The directory may be read-only.
The active column in cwd_user table (Embedded Crowd cache) indicates if a user is disabled as F(alse). If a user is disabled, he is not counted towards the license since he is not able to use Confluence. Currently, this property is not synchronised back to the LDAP directory (e.g. in form of a custom attribute).
CWD-995 is going to change this behaviour for Active Directory connectors, meaning that disabling a user would synchronise back to the User-Account-Control attribute. Once this is implemented, we will be working on getting it shipped in Confluence.
In order to currently disable a user which is sourced from a read-only LDAP directory, one must remove the user from the groups granting him use permission (e.g. confluence-users) or configure the directory with Read Only, with Local Groups and only assign use permission to those local groups.
This issue tracks a possible feature allowing disabling users which are sourced from an LDAP directory configured as read-only from within Confluence. Before voting on it, please make sure you've read Connecting to an LDAP Directory and have considered alternative solutions. You will give this issue more momentum by detailing your use case in a comment and the reason why this can not be solved otherwise.
- is related to
-
- Closed
-
- Gathering Interest
[CONFCLOUD-29510] Allow disabling users which are sourced from a read-only LDAP directory
As part of CWD-995, Crowd 2.7 (in 09/2013) provided the capability that Confluence needs to resolve this. Can this issue now be acted upon?
Any update on this issue will be helpful. We have Confluence synced to LDAP server having "Read Only, with Local Groups" permission.
We use groups for giving out confluence licences similar to James Roberts and would really like to have the option to just deacitvate accounts of "one-time-visitors" so our licences don't get eaten up by those users.
Here is our use case for requesting this change.
1. We have an LDAP Attribute that controls multiple applications
2. If a user accesses Confluence we put them into the confluence-users group which has the "can use" ability
3. If that user only needs to access Confluence once then they will count against our license in perpetuity as long as they still need access to a non-Confluence application
4. We are then unable to mark that user as disabled so that they will not count against the license even though we can determine that they no longer need access to Confluence
4a. We perform a bi-annual account review process to remove users that no longer need access to any of the applications that are controlled by the LDAP attribute
Looks like CWD-995 was recently resolved - any projection when those changes might be released?
Similar use case here, with a “standard” (read: standard according to IBM and anything but standard compared to others) Lotus Domino directory that is read-only (big 100,000+ people group, only IT can update the directory, all client apps like Confluence can only read).
I don't get why you can do this with Confluence 4.x (disabling a user in a read-only LDAP directory, with local groups) but not with 5.2. It's a regression.
I'm voting for this. Our use case is as follows:
We use Zimbra has our LDAP server, and our Atlassian products use a read-only account, mostly because Zimbra's LDAP structure is non-standard. We manage group permissions locally in the apps. Presently, we get the read-only error when trying to use Confluence's disable function, and so we just remove all group memberships instead.
We would like to be able to formally mark this user as disabled, and know that it no longer counts against our license count, but with this read-only error, that does not appear to be possible without this fix.
Bigger issue for us is that even after I remove a users from the confluence user group it seems they are still consuming a license. We need better control over who can use a confluence license.