• Suggestion
    • Resolution: Fixed
    • 6.1
    • None

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      This is a follow-on from JRA-1549.

      We want to detect when a user in an LDAP server has had her username changed, and treat this as a "rename" instead of as a delete and insert.

            [JRASERVER-32199] Ability to detect a changed username in LDAP

            Mark Lassau (Inactive) added a comment -

            m.schaepers Yes, you can get JIRA to automatically synchronise user renames with the "Internal with LDAP Authentication User Directory" User Directory type (aka "Delegated LDAP Authentication").

            To make synchronisation happen, you need to select the "Copy User on Login" option in the User Directory config.
            Now, every time a user logs in, JIRA will pull down the latest User data from the LDAP server (including a rename).

            Just turning that flag on should just work for most LDAP vendors, assuming the sysadmin has not messed with the default schema.
            If the rename detection is not working (but other properties (e.g. email) are syncing), then look at the "User Unique ID Attribute" setting under "User Schema Settings" and consult your LDAP admin about whether the default value there is reasonable.

            Nabil Sayegh added a comment -

            entryUUID is a very bad idea, because it is an internal field and it is not possible to set that attribute manually.
            If you export your LDAP via LDIF and reimport it, you will lose the entryUUID!

            A much better idea would be to use the uid attribute.

            Marc Schäpers added a comment -

            I have JIRA 6.3 with a Jira Delegated Authentication Directory. In future we want to change usernames in LDAP. Does Jira have the ability to detect AND synchronise automatically or manually? And if automatically, what do the settings look like for a JIRA Delegated Authentication Directory?

            Kind regards

            Mark Lassau (Inactive) added a comment -

            I spoke a little too soon. We missed 6.1-m05 but still expect to see this visible in 6.1-beta1.

            Uhub Admin added a comment -

            That is amazing! Looking forward to that implementation in the next release. Thanks!

            Mark Lassau (Inactive) added a comment -

            We are currently working on a solution.
            We never promise which features will be in a given release until we are sure they are done and dusted; however, a preview of this feature should be available in our 6.1-m05 EAP.
            This will be available at https://www.atlassian.com/software/jira/download-eap in two and a bit weeks...

            Uhub Admin added a comment -

            Hi there,
            Just wondering if there have been any updates to this? We had some username changes recently in Active Directory and that heavily affected our Jira instance, as the renames deleted the old user account and created a fresh new profile rather than "carry over" existing data to the new username.

            I found a few solutions which are not "real" solutions, such as exporting to XML and renaming all instances of the username, or modifying the MySQL database, or in my case, renaming the username back to its original value. However, that is not practical: as our userbase grows within Jira and the company, more of these changes will inevitably happen more often.

            Hopefully there will be more work done on this issue, and I find it weird that its priority level is set to Minor, as username changes within business happen very often.

            Daniel

            Mark Lassau (Inactive) added a comment -

            Thanks Marcus,

            We did some research and a spike on this last year that shows that LDAP implementations are all supposed to implement entryUUID according to this RFC: http://www.ietf.org/rfc/rfc4530.txt
            However, it seems that some flavours may not implement it, or implement something similar under a different name.

            In particular it seems that OpenLDAP, SUN (Oracle) ePlanet, and OpenDS use the standard entryUUID.
            ActiveDirectory uses "objectGUID", and Novell Directory uses "GUID".

            Looks like we will need to make this configurable with a sensible default set where we know what it is for that LDAP vendor.

            Marcus added a comment -

            Hello Mark,

            Microsoft ActiveDirectory internally uses a UUID as a unique identifier/primary key for the users. If you change attributes like cn, sn, dn, or common name or even the sAMAccountName attribute of a user, the UUID will stay the same.

            If you could change crowd/jira/confluence to use these IDs as primary key, it would help a lot if companies change the naming scheme for their users.

            Marcus
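Added example, not part of the thread and not Jira or Crowd code: a sketch of the rename detection the comments describe, matching accounts on the vendor's unique ID attribute rather than on the username. The function name, the `known` store layout and the sample data are assumptions made for illustration; the vendor-to-attribute mapping is the one given in the thread.

```python
# Added example (not Jira/Crowd code): classify directory sync changes by the
# server's immutable unique ID instead of by username.

# Unique-ID attribute per directory flavour, as listed in the thread.
UNIQUE_ID_ATTR = {
    "openldap": "entryUUID",
    "opends": "entryUUID",
    "active_directory": "objectGUID",
    "novell": "GUID",
}


def classify_changes(known, entries, vendor, name_attr):
    """known: {username: external_id or None} saved by the previous sync.
    entries: attribute dicts from the current sync (IDs assumed to be
    already normalised to strings). Returns renames, adds and deletes."""
    id_attr = UNIQUE_ID_ATTR[vendor]
    by_id = {eid: name for name, eid in known.items() if eid}
    result = {"rename": [], "add": [], "delete": []}
    matched = set()
    for entry in entries:
        name, eid = entry[name_attr], entry.get(id_attr)
        if eid and eid in by_id:
            old = by_id[eid]
            matched.add(old)
            if old != name:
                result["rename"].append((old, name))
        elif name in known and (not eid or known[name] is None):
            # No ID on one side: fall back to matching by username.
            matched.add(name)
        else:
            # Unknown ID: a new account, even if the username is familiar.
            result["add"].append(name)
    result["delete"] = [n for n in known if n not in matched]
    return result


# Constructed sample data for an OpenLDAP-style directory.
KNOWN = {"asmith": "uuid-1", "bjones": "uuid-2", "cdoe": "uuid-3", "legacy": None}
ENTRIES = [
    {"uid": "anna.smith", "entryUUID": "uuid-1"},  # renamed, same ID
    {"uid": "bjones", "entryUUID": "uuid-9"},      # same name, new ID
    {"uid": "legacy"},                             # no ID attribute returned
    {"uid": "newhire", "entryUUID": "uuid-4"},
]

if __name__ == "__main__":
    print(classify_changes(KNOWN, ENTRIES, "openldap", "uid"))
```

In the sample, `bjones` comes back with a different ID and is reported as a delete plus an add, which is how an export and reimport that regenerates entryUUID would appear to this matching.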

              Unassigned
              mlassau Mark Lassau (Inactive)
              Votes: 20
              Watchers: 27
