HipChat / HCPUB-1401

Make HipChat Server more resilient to backend Crowd changes

This issue belongs to an archived project.


      Problem

      Changes made to users on a Crowd directory connected to HipChat Server are not always propagated to HipChat.

      For example:

      HipChat Server is connected to an external Crowd directory, which, in turn, is connected to 3 separate Active Directory environments.

      The customer performed some internal company consolidation that involved moving small numbers of users from one AD environment to another. This was accomplished by removing the user from a group that provides HipChat Server access via Crowd in one directory, and then adding those users to a group that provides access in another.

      After this process was completed, and both Crowd and HipChat had synchronized, the affected user was unable to log in with their credentials via the new directory.

      It appears that since the user's email address did not change, HipChat Server skipped attempts to synchronize any changes, even though their attributes on the Crowd backend, such as their display name, had changed.

      Workaround

      To work around this issue, HipChat Support provided the user with a script to clean up the HipChat user database and embedded Crowd databases, back up the Crowd cache, and then perform a full re-sync of everything. This allowed the affected users to finally log in with their new credentials, but HipChat Server treated these users as brand new, so they lost any room ownerships, avatars, chat histories, etc.

      Suggestion

      Similar to what was requested in https://jira.atlassian.com/browse/HCPUB-1137, improve HipChat Server's Crowd directory sync capabilities so that it doesn't rely primarily on a user's email address. Changes to a user on the Crowd backend run the risk of being ignored completely, or the users run the risk of having their current accounts deactivated and their updated attributes being treated as an entirely new user.

      This may also solve another issue the customer had: if Crowd returns an empty directory for whatever reason (bad sync, bad directory config or something), all HipChat users get deleted / deactivated. Improvements to how HipChat handles users synced in from an external Crowd directory would make it very similar to the existing behavior in Jira/Confluence/etc., where the worst consequence of a directory problem is a user not being able to log in until the issue is resolved, but afterwards, everything associated with the user still exists as long as their username is the same.

      Also, if a user synced from a directory is accidentally deactivated for whatever reason, their private rooms and all room ownership and membership are lost. With the current releases of HipChat Server, admins have to manually go back and restore all rooms / user membership once the accounts are re-activated.
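
An added sketch of the sync behavior suggested above (not part of the original issue, and not HipChat or Crowd code): users are matched on username rather than email, an empty remote snapshot is refused instead of applied, and deactivation keeps room ownership. `LocalUser`, `reconcile`, `SyncAborted` and the sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass, field

class SyncAborted(Exception):
    """Remote snapshot looks unsafe to apply."""

@dataclass
class LocalUser:  # hypothetical local account record
    username: str
    email: str
    display_name: str
    directory: str
    active: bool = True
    owned_rooms: list = field(default_factory=list)

def reconcile(local, remote):
    """Apply remote {username: attrs} to local {username: LocalUser}; return audit actions."""
    # Guard: an empty directory is treated as a sync fault, not as "delete everyone".
    if not remote and any(u.active for u in local.values()):
        raise SyncAborted("remote directory is empty; local users left untouched")
    actions = []
    for name, attrs in remote.items():
        user = local.get(name)  # match on username, never on email
        if user is None:
            local[name] = LocalUser(username=name, **attrs)
            actions.append(("create", name))
            continue
        changed = False
        for key, value in attrs.items():  # email, display name, directory can all change
            if getattr(user, key) != value:
                setattr(user, key, value)
                changed = True
        if not user.active:
            user.active = True
            actions.append(("reactivate", name))
        elif changed:
            actions.append(("update", name))
    for name, user in local.items():
        if name not in remote and user.active:
            user.active = False  # soft deactivation: owned_rooms is kept
            actions.append(("deactivate", name))
    return actions

if __name__ == "__main__":
    # Constructed sample: jdoe moved from directory ad-1 to ad-2, same username.
    local = {"jdoe": LocalUser("jdoe", "jdoe@example.com", "J Doe", "ad-1", owned_rooms=["ops"])}
    remote = {"jdoe": {"email": "jdoe@example.com", "display_name": "Jane Doe", "directory": "ad-2"}}
    print(reconcile(local, remote), local["jdoe"])
```

The returned action list is meant for an audit log, so an unexpected burst of `deactivate` entries or a `SyncAborted` can be alerted on before users notice.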

              Unassigned Unassigned
              kbaxley Kent Baxley
              Archiver:
              mandreacchio Michael Andreacchio
