License is not counted using FreeIPA User Directory


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When FreeIPA (LDAP) is used as the user directory for Bitbucket and a user is a member of multiple groups, the user is counted against the license only if their Primary Group has global permissions in Bitbucket Server. If the Primary Group does not have global permissions, the user is never added to the second group and is therefore not counted against the license.


Cause

Bitbucket Server does not use the memberOf attribute during synchronisation, so group membership is not synced. The following is written to the logs when users are synchronised from the external user directory:


2018-07-12 15:14:01,718 ERROR [Caesium-1-1]  c.a.c.d.l.mapper.GroupContextMapper Failed to map attribute <gidNumber> from context with DN <cn=users,cn=accounts,dc=bitbucket,dc=local>
java.lang.NullPointerException: null
2018-07-12 15:14:01,740 WARN  [Caesium-1-1]  c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ admins ]: [uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=admin2,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=rmadal,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=internaluser,cn=users,cn=accounts,dc=bitbucket,dc=local]


Bitbucket is using the gidNumber attribute (from the user's LDIF entry) to detect group membership, but each user has only a single gidNumber, so the user's other groups are never added to their group membership.

Resolution

Go to Administration --> User Directories --> FreeIPA server --> Membership Schema Settings. Under "Use the User Membership Attribute", uncheck "When finding the user's group permission".

It is also necessary to change the Directory Type option to OpenLDAP (without using the POSIX schema). With this setting the memberOf attribute is used for group membership.
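To make the difference between the two schema settings concrete, here is an added example (not Atlassian's code) that resolves membership from a constructed FreeIPA-style LDIF in both ways: the POSIX schema, where gidNumber yields exactly one primary group per user, and memberOf, where every group on the user entry counts. The group name "admins" holding a global permission, the uid "rmadal" and the DNs are constructed from the log above.

```python
# Added example (not Atlassian's code): resolves group membership from a
# constructed FreeIPA-style LDIF via POSIX gidNumber versus memberOf, then
# counts the users landing in a group that holds a global permission.
SAMPLE_LDIF = """\
dn: cn=ipausers,cn=groups,cn=accounts,dc=bitbucket,dc=local
cn: ipausers
gidNumber: 1000

dn: cn=admins,cn=groups,cn=accounts,dc=bitbucket,dc=local
cn: admins
gidNumber: 1001

dn: uid=rmadal,cn=users,cn=accounts,dc=bitbucket,dc=local
uid: rmadal
gidNumber: 1000
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=bitbucket,dc=local
memberOf: cn=admins,cn=groups,cn=accounts,dc=bitbucket,dc=local
"""
GLOBAL_PERMISSION_GROUPS = {"admins"}  # constructed: only admins has one

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value)
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def memberships(entries, use_posix_schema):
    """Return {group cn: set(uid)} as the directory sync would build it."""
    groups = [e for e in entries if "uid" not in e]
    result = {g["cn"][0]: set() for g in groups}
    gid_to_cn = {g["gidNumber"][0]: g["cn"][0] for g in groups}
    for u in (e for e in entries if "uid" in e):
        if use_posix_schema:
            # POSIX schema: gidNumber names exactly one (primary) group.
            result[gid_to_cn[u["gidNumber"][0]]].add(u["uid"][0])
        else:
            # memberOf: every group DN listed on the user entry counts.
            for dn in u.get("memberOf", []):
                result[dn.split(",")[0].split("=", 1)[1]].add(u["uid"][0])
    return result

def licensed_users(entries, use_posix_schema):
    groups = memberships(entries, use_posix_schema)
    return set().union(*(groups[g] for g in GLOBAL_PERMISSION_GROUPS))
```

With the POSIX schema rmadal lands only in ipausers and is not counted; with memberOf the same entry also lands in admins and is counted against the license.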





Last modified on Aug 30, 2018
