
LDAP Delegate: Synchronize with AD to disable deleted users


      Atlassian Update - 21 February 2018

      Hi everyone,

      Thanks for all your votes and comments on this suggestion. Your voice means a lot to us.

      We're excited to announce that we've shipped an experimental plugin (Atlassian Labs) for Crowd that is able to do delegated directory user pruning.

      This plugin allows you to optimize your license usage by periodically cleaning inactive users from your delegated directories. After configuring pruning for a delegated directory, the plugin will periodically check if the directory contains any users who have been deactivated or removed from the remote directory.

      By default such users will be deactivated in Crowd. It is also possible to enable "hard delete" mode, in which users who have been deleted in the remote directory will also be deleted in Crowd.

      This plugin can be downloaded from Atlassian Marketplace here.
       

      Thanks,

      Atlassian Crowd Team

        

      When a user is deleted in the AD, it will not be able to log in to Crowd's Applications anymore.
      But as the user still exists in the LDAP Delegate, it will count against the license limits (of Crowd, Confluence, JIRA, whatever).
      Support (CWDSUP-4973) told me to deactivate the user in Crowd manually in such cases.
      This leads to double maintenance (delete in AD, deactivate in Crowd). In addition, the AD admins might not be Crowd admins.

      Crowd could regularly (once per day?) check if the users in their Delegate Directories are still present/active in the AD and then deactivate them if they are not.
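      A sketch of the reconciliation asked for above, added here as an example; it is not the Atlassian Labs plugin's code. AD state is a constructed dict keyed by objectGUID (the value Crowd keeps as external_id), standing in for a real LDAP search, and the "review" outcome for accounts with no external_id is this example's own assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# AD userAccountControl flag bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

@dataclass
class CrowdUser:
    user_name: str
    external_id: Optional[str]  # AD objectGUID stored at sync; None if never synced
    active: bool

def plan_pruning(crowd_users: List[CrowdUser], ad_by_guid: Dict[str, int],
                 hard_delete: bool = False) -> Dict[str, str]:
    """Decide what a pruning run should do with each Crowd user.

    ad_by_guid maps objectGUID -> userAccountControl for every account that
    still exists in AD; a GUID missing from it was deleted remotely.
    Returns user_name -> 'keep' | 'deactivate' | 'delete' | 'review'.
    """
    plan = {}
    for u in crowd_users:
        if not u.external_id:
            # No AD identity to compare against: never guess, flag for a human
            # (assumed handling for the null external_id accounts in the thread).
            plan[u.user_name] = "review"
        elif u.external_id not in ad_by_guid:
            # Removed from AD: deactivate by default, delete only in hard mode.
            plan[u.user_name] = "delete" if hard_delete else "deactivate"
        elif ad_by_guid[u.external_id] & ACCOUNTDISABLE:
            # Disabled in AD: deactivate so the account stops consuming a seat.
            plan[u.user_name] = "deactivate" if u.active else "keep"
        else:
            plan[u.user_name] = "keep"
    return plan

# Constructed sample state (not real accounts).
SAMPLE_USERS = [
    CrowdUser("alice", "guid-a", True),         # enabled in AD
    CrowdUser("bob", "guid-b", True),           # disabled in AD
    CrowdUser("carol", "guid-c", True),         # deleted from AD
    CrowdUser("internalTestUser", None, True),  # never synced
]
SAMPLE_AD = {"guid-a": NORMAL_ACCOUNT, "guid-b": NORMAL_ACCOUNT | ACCOUNTDISABLE}

if __name__ == "__main__":
    for name, action in plan_pruning(SAMPLE_USERS, SAMPLE_AD).items():
        print(f"{name}: {action}")
```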


            [CWD-2478] LDAP Delegate: Synchronize with AD to disable deleted users

            Marcin Kempa added a comment -

            Hi ttbell,

            I am glad that you've got the plugin working!

            Indeed this could be an enhancement in the plugin itself and probably will be fixed in future releases of the plugin. We appreciate your feedback!

            Best Regards,

            Marcin Kempa

            Tom Bell added a comment -

            Hi Marcin,

            That worked!!  The plugin ran again at the expected time without any errors and marked the missing LDAP users as inactive.

            I ran the following query against another delegate directory; it appears that (in our Crowd instance at least) userids with null "external_id" values have never logged in.  Seems like these are good candidates for removal, or for updating the null field with something else as a placeholder, but I want to verify that's true first.

            mysql> SELECT cwd_user.user_name, from_unixtime(cwd_user_attribute.attribute_value/1000) FROM cwd_user, cwd_user_attribute WHERE cwd_user_attribute.user_id = cwd_user.id AND cwd_user_attribute.attribute_name = 'lastAuthenticated' and cwd_user.external_id is null and cwd_user.directory_id=32770;
            Empty set (0.00 sec) 

            We can clean up the mess on our Crowd instance but it may be a useful enhancement if the pruning plugin would ignore or mark userids with null external_id entries as inactive within the delegate directory. Just a thought.

            Thanks for your help!

            Tom


            Tom Bell added a comment -

            Yes, that is certainly very possible.  I do recall my team performing some Crowd user migration testing a year or two ago but don't remember the details.  So, it's also possible that we will need to perform a similar cleanup or update on our production host.  That'll need further investigation.

            Marcin Kempa added a comment -

            Regarding the users without the External Id that you've listed from your delegated directory, I suspect that those could have been initially added to the Internal Directory (the internalTestUser may suggest that) and later on this directory was changed to a delegated one. Did you by any chance follow this KB article some time in the past?

            Tom Bell added a comment -

            Yes, we're testing on a stage system so will clean up those accounts. Nothing posted so far is related to any IP but thanks for the caution.  I'll let you know the results.  Thanks!


            Marcin Kempa added a comment -

            Sorry ttbell, my bad, I just assumed that you have only one directory. Limiting the query is a good idea.

            If you are running those tests on some sort of staging environment (not a production one) and you are able to clean up those, I believe you can try that for a test. I wonder if those users were at some point in the remote directory?

            Please note that this communication is public and everyone can see those comments, so please do not post sensitive data here.

            Best Regards,

            Marcin Kempa

            Tom Bell added a comment -

            Marcin, are you thinking that these users that are missing an external_id are some form of corruption that is causing the directory cleanup task to crash due to the null value?  I can probably clean those up as a test.


            Tom Bell added a comment -

            Limiting the user search to just the "NF Delegate" directory returns the following...

            mysql> select user_name from cwd_user where external_id = '' or external_id is null and directory_id=88702977;
            +------------------+
            | user_name        |
            +------------------+
            | mb186040         |
            | lh180000         |
            | rl186026         |
            | gd186002         |
            | jv186016         |
            | mm121743         |
            | jg121176         |
            | rb186043         |
            | sp186073         |
            | jt186018         |
            | VM255012         |
            | AT186000         |
            | MM186051         |
            | cb120469         |
            | EY120856         |
            | EA120793         |
            | JS132599         |
            | MR121771         |
            | SJ100005         |
            | DP180003         |
            | internalTestUser |
            +------------------+
            21 rows in set (0.06 sec)

            Tom Bell added a comment -

            Hi Marcin,

            That query returns 22,032 rows.  We have multiple directories though and we're only concerned about one named "NF Delegate".  Perhaps limit the query to just that directory?

            We're running Crowd v3.1.3.  

            Thanks,

            Tom


            Marcin Kempa added a comment -

            Hi ttbell,

            It looks like some of your users in the delegated directory where you enabled pruning do not have an external Id set.

            Can you tell me which version of Crowd you are running? Do you have any integration that is using this directory?

            The following DB query will help you to identify users without an external Id:

            select user_name from cwd_user where external_id = '' or external_id is null

            Is this only a small subset of users, or are those all users from your directory?

            Best Regards,

            Marcin Kempa
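            An added, self-checking version of the cwd_user queries exchanged in this thread (Marcin's external_id check and Tom's two follow-ups); it is not Atlassian's code, and an in-memory SQLite database with constructed rows stands in for the Crowd MySQL schema. It also shows why the unparenthesised `external_id = '' or external_id is null and directory_id=...` form pulls empty-string users from every other directory: AND binds tighter than OR.

```python
import sqlite3

NF_DELEGATE = 88702977  # directory id used in the thread

def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the two Crowd tables the queries touch."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cwd_user (id INTEGER, user_name TEXT,
                               external_id TEXT, directory_id INTEGER);
        CREATE TABLE cwd_user_attribute (user_id INTEGER,
                               attribute_name TEXT, attribute_value TEXT);
    """)
    db.executemany("INSERT INTO cwd_user VALUES (?, ?, ?, ?)", [
        (1, "mb186040", None, NF_DELEGATE),        # NULL id, NF Delegate
        (2, "internalTestUser", "", NF_DELEGATE),  # empty id, NF Delegate
        (3, "synced01", "guid-1", NF_DELEGATE),    # normally synced user
        (4, "other01", "", 32770),                 # empty id, other directory
    ])
    # lastAuthenticated is epoch milliseconds kept as a string, as Tom's
    # from_unixtime(attribute_value/1000) implies.
    db.execute("INSERT INTO cwd_user_attribute VALUES (3, 'lastAuthenticated', '1514764800000')")
    return db

def users_missing_external_id(db, directory_id, parenthesised=True):
    """Tom's directory-limited query. Without the parentheses the
    empty-string branch ignores directory_id and leaks other directories."""
    cond = ("(external_id = '' OR external_id IS NULL)" if parenthesised
            else "external_id = '' OR external_id IS NULL")
    rows = db.execute(f"SELECT user_name FROM cwd_user WHERE {cond} "
                      "AND directory_id = ?", (directory_id,))
    return sorted(r[0] for r in rows)

def last_auth_of_unsynced(db, directory_id):
    """Has any user without external_id ever authenticated? (Tom's second
    query with an explicit JOIN; SQLite datetime() replaces from_unixtime.)"""
    rows = db.execute("""
        SELECT u.user_name, datetime(a.attribute_value / 1000, 'unixepoch')
        FROM cwd_user u JOIN cwd_user_attribute a ON a.user_id = u.id
        WHERE a.attribute_name = 'lastAuthenticated'
          AND (u.external_id = '' OR u.external_id IS NULL)
          AND u.directory_id = ?""", (directory_id,))
    return rows.fetchall()

if __name__ == "__main__":
    db = build_db()
    print("with parentheses:   ", users_missing_external_id(db, NF_DELEGATE))
    print("without parentheses:", users_missing_external_id(db, NF_DELEGATE, False))
    print("unsynced who logged in:", last_auth_of_unsynced(db, NF_DELEGATE))
```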

              Assignee: Unassigned
              Reporter: Stephan Haslinger
              Votes: 75
              Watchers: 46