Migrating local group memberships of a Delegated LDAP User Directory when switching to another external directory with local groups in Bitbucket Server/DC

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When switching to a new external Delegated LDAP directory with local groups that contains the same set of users as the directory already configured in Bitbucket Server, local group memberships for every group other than the default stash-users group are lost. Any project and repository permissions that were granted through those group memberships stop applying, so the affected users can no longer access those repositories after the switch. Before cutting over, audit which project and repository permissions are granted to the local groups so you know what access is at stake.


Environment

Bitbucket Server 7.6.0

Diagnosis


After enabling the new external directory, the local groups contain no members from the new directory. This can be verified with the queries below.

Get directory_id
select * from cwd_directory;

Note the id of the new Delegated LDAP directory (directory_name identifies it) and use it in place of <new_directory_id> in the next query.

Check the membership of the local groups
select A.lower_parent_name, A.child_name, B.directory_name
from cwd_membership A,
cwd_directory B
WHERE A.directory_id = B.id
AND A.directory_id = <new_directory_id>
AND A.lower_parent_name IN (select lower_group_name from cwd_group where is_local = 'T' AND directory_id = <new_directory_id>);

This returns an empty result set because no memberships are linked to the local groups of the new Delegated LDAP directory. The memberships exist only under the old directory's id, which is why permissions granted through those groups no longer apply to users who authenticate through the new directory.

Cause

This is a known issue tracked in CWD-4886.

Solution

  • Instead of creating a new Delegated LDAP user directory, update the connection settings of the existing Delegated LDAP directory. The local groups then stay tied to the same directory_id, and their memberships are retained.
  • Confirm that the group memberships are intact by running the membership query again.

    • Replace <directory_id> with the id of the Delegated LDAP directory, retrieved from the cwd_directory query used earlier.


Check the membership of the local groups
select A.lower_parent_name, A.child_name, B.directory_name
from cwd_membership A,
cwd_directory B
WHERE A.directory_id = B.id
AND A.directory_id = <directory_id>
AND A.lower_parent_name IN (select lower_group_name from cwd_group where is_local = 'T' AND directory_id = <directory_id>);

If the query returns the expected users for each local group, the permissions granted through those groups are still in effect.
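The diagnosis query above shows the gap as an empty result, and the verification query confirms that memberships survived the update. To see exactly which memberships would be lost (or are still missing) per group and user, the following query is an added example and is not part of the original article. It joins the same Crowd tables the article queries (cwd_directory, cwd_group, cwd_membership), assumes the old directory row has not yet been deleted from cwd_directory, and uses <old_directory_id> and <new_directory_id> as placeholders in the same style as the article's queries.

```sql
-- Added example, not from the original article.
-- Lists every (local group, member) pair that exists under the OLD directory id
-- but has no counterpart under the NEW directory id. Any row returned is a
-- membership, and therefore a set of project/repository permissions, that the
-- users would lose after switching to the new Delegated LDAP directory.
--
-- Assumptions: the old directory still exists in cwd_directory, and the
-- placeholders are replaced with ids from:  select id, directory_name from cwd_directory;
SELECT   d_old.directory_name   AS old_directory,
         g.group_name           AS local_group,
         m.child_name           AS member
FROM     cwd_group      g
JOIN     cwd_directory  d_old ON d_old.id = g.directory_id
JOIN     cwd_membership m     ON m.directory_id = g.directory_id
                             AND m.lower_parent_name = g.lower_group_name
WHERE    g.is_local = 'T'
AND      g.directory_id = <old_directory_id>
AND      NOT EXISTS (
           -- the same group/member pair recorded under the new directory
           SELECT 1
           FROM   cwd_membership m2
           WHERE  m2.directory_id      = <new_directory_id>
           AND    m2.lower_parent_name = m.lower_parent_name
           AND    m2.lower_child_name  = m.lower_child_name
         )
ORDER BY g.group_name, m.child_name;
```

Run it before the cutover to get the list of memberships at risk, and again after following the Solution: an empty result means nothing was lost. If the old directory has already been removed, its cwd_membership rows are gone with it and the memberships have to be re-created by hand in the user directory administration screens.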

Warning: test this change in a test environment before applying it to the Production directory.

Last modified on Mar 31, 2022
