Details
-
Bug
-
Resolution: Unresolved
-
Medium
-
None
-
7.8.0, 7.12.3
-
7.08
-
3
-
Severity 2 - Major
-
0
-
Description
Summary
If we have an user in both the internal and LDAP directory and remove him from the LDAP synchronization, Jira deletes the LDAP row from the cwd_user table.
If we have an user only in the LDAP directory and remove him from the LDAP synchronization, Jira will only disable the user instead of deleting from cwd_user.
How to reproduce
Let's say we used to have only an Internal Directory, and decided to migrate them to an LDAP directory (AD). After the migration we'll have in the database two accounts for the same username, one from internal and other for the AD accounts.
When the AD accounts are expired or we have to remove the user access from Jira, the Jira Access group is removed from his account.
Expected: Jira turn the user inactive in the database but keep his records.
What happens: Jira deletes the LDAP row from the cwd_user table
This causes any user that is expired or removed from the group, when restoring his access to Jira, Jira creates a new accounts instead of just reactivating the previous one, losing all it's group memberships and other information.
Workaround
Only workaround we can apply is to manually remove the unused internal users from the cwd_user table.
The below query should do the trick, but review it to match your case and IDs may vary:
delete from cwd_user
where directory_id = 1
and active = 0
and user_name in (select user_name
from cwd_user
where directory_id = 10000
and active = 1);