[JRASERVER-29901] Switching to "Synchronise Group Memberships" option in the delegated user directory should push changes back to remote directory

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Here is the procedure to reproduce the issue:

      1. Set up a fresh Jira instance.
      2. Create a user A in the LDAP server with no membership settings (a single user without a group).
      3. Set up a delegated LDAP directory with only the option "Copy User on Login" enabled, and set the default group membership to "jira-users".
      4. Log in as user A, so that the user is added to the group "jira-users".
      5. Log out user A.
      6. Edit the delegated user directory and check the option "Synchronise Group Memberships".
      7. Log in as user A again; we found that it is impossible to log in.

      According to the log file, the user was removed from the user groups at login. Here is an example of the messages:

      2012-09-27 18:39:35,327 http-6512-10 INFO anonymous 1119x482x1 1mknmyc 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.DelegatedAuthenticationDirectory] Deleted user "user"'s imported membership of remote group "jira-users" to directory "Delegated Authentication Directory".
      2012-09-27 18:39:35,329 http-6512-10 INFO anonymous 1119x482x1 1mknmyc 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.DelegatedAuthenticationDirectory] Deleted user "user"'s imported membership of remote group "jira-developers" to directory "Delegated Authentication Directory".
      Sep 27, 2012 6:39:35 PM com.sun.jersey.spi.container.servlet.WebComponent filterFormParameters
      

      And we can observe the same in the user list.

      So far we have been able to reproduce the bug only with OpenLDAP and Generic Directory Server.

      The workaround for now would be to add the group memberships again after checking the "Synchronise Group Memberships" option.
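
      The workaround needs a list of the accounts whose memberships were dropped, and the log lines quoted above carry exactly that. The following is an added example, not part of the original issue or of Atlassian's code: the sample log is constructed in the format quoted above (user names are made up), and treating "jira-users" as the group that grants login is an assumption taken from the reproduction steps.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the issue.
SAMPLE_LOG = """\
2012-09-27 18:39:35,327 http-6512-10 INFO anonymous 1119x482x1 1mknmyc 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.DelegatedAuthenticationDirectory] Deleted user "usera"'s imported membership of remote group "jira-users" to directory "Delegated Authentication Directory".
2012-09-27 18:39:35,329 http-6512-10 INFO anonymous 1119x482x1 1mknmyc 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.DelegatedAuthenticationDirectory] Deleted user "usera"'s imported membership of remote group "jira-developers" to directory "Delegated Authentication Directory".
Sep 27, 2012 6:39:35 PM com.sun.jersey.spi.container.servlet.WebComponent filterFormParameters
2012-09-27 18:41:02,114 http-6512-11 INFO anonymous 1121x490x1 1mknmyc 127.0.0.1 /rest/gadget/1.0/login [atlassian.crowd.directory.DelegatedAuthenticationDirectory] Deleted user "userb"'s imported membership of remote group "jira-developers" to directory "Delegated Authentication Directory".
"""

# Matches only the membership-deletion message of the delegated directory.
DELETED = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*'
    r'\[atlassian\.crowd\.directory\.DelegatedAuthenticationDirectory\] '
    r'Deleted user "(?P<user>[^"]+)"\'s imported membership of remote group '
    r'"(?P<group>[^"]+)" to directory "(?P<directory>[^"]+)"\.\s*$'
)


def dropped_memberships(log_text):
    """Return {(directory, user): sorted groups removed at login}."""
    dropped = defaultdict(set)
    for line in log_text.splitlines():
        m = DELETED.match(line)
        if m:  # unrelated lines (e.g. the Jersey message) are skipped
            dropped[(m["directory"], m["user"])].add(m["group"])
    return {key: sorted(groups) for key, groups in dropped.items()}


def locked_out(dropped, login_group="jira-users"):
    """Users who lost the group assumed to grant login (assumption: jira-users)."""
    return sorted(user for (_, user), groups in dropped.items()
                  if login_group in groups)


if __name__ == "__main__":
    result = dropped_memberships(SAMPLE_LOG)
    for (directory, user), groups in sorted(result.items()):
        print(f"{directory}: {user} lost {', '.join(groups)}")
    print("cannot log in until re-added:", locked_out(result))
```

      The per-user group lists are what an administrator would re-add by hand after enabling the option.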


            Kerrod Williams (Inactive) added a comment -

            Thanks for taking the time to raise this issue.

            Due to the large volume of JIRA feature suggestions, we have to prioritise our development efforts. In part, that means concentrating on those issues that resonate the most with our users.

            I am writing this note to advise you that we have decided to close your Suggestion as it has not gained traction on jira.atlassian.com. We believe being upfront and direct with you will assist you in your decision making rather than believing Atlassian will eventually address this issue.

            Thank you again for your suggestion and if you have any concerns or questions, please don’t hesitate to email me.
            Kind Regards,
            Kerrod Williams
            JIRA Product Management
            kerrod.williams at atlassian dot com

            Simon Westhues added a comment -

            I hope that JIRA does not try to write something back to LDAP when an internal directory with LDAP authentication is configured. Anyway, read/write is available in the "normal" LDAP configuration but our organisation doesn't permit us or JIRA to write back into LDAP.

            ChrisA added a comment -

            If your directory is setup with Read/Write permissions and set to Synchronise Group Memberships, then this should already be possible.


            Simon Westhues added a comment -

            This feature would be really helpful for us. We do not want to push something back to any remote directory. We just want to synchronize group memberships and the groups themselves to JIRA and want to be able to add group memberships in JIRA, too, e.g. to make users members of jira-administrators.

            ChrisA added a comment -

            Really we designed this configuration to be for one or the other, not to allow a staging of group memberships before pushing it back to a remote user directory, so I've moved this over to be an improvement.


            Daniel Wedewardt added a comment -

            Yilin is right. The expected behaviour is that previous group memberships of local groups like jira-users and/or jira-developers are kept alive after group sync was activated, which is currently not the case.

            Yilin (Inactive) added a comment -

            In my opinion, the embedded Crowd plugin should be able to keep the local membership setting and add the extra membership setting from the external user repository if there is any, rather than removing the local membership and then performing a full membership synchronization from the external user repository.

            Eric Dalgliesh added a comment -

            Isn't this the point of the "Synchronise Group Memberships" option? What's the expected behaviour here?

              Assignee: Unassigned
              Reporter: Yilin (Inactive)
              Votes: 4
              Watchers: 6
