Crowd does not display all users' membership across multiple directories in an application with "Directory Aggregation" enabled

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

When you check a user's group membership in a Crowd application that has multiple directories, only the groups from the first directory are shown, even though the "Directory Aggregation" option is enabled.

Environment

  • Crowd Server
  • Remote application configured with multiple user directories
  • Directory Aggregation enabled

Diagnosis

  1. Add two different user directories to a Crowd Application, e.g., DirA and DirB
  2. Create one group in each directory, e.g., GroupA (in DirA) and GroupB (in DirB)
  3. Create a test_user and add this user to DirA and DirB
  4. Add the test_user as a member of GroupA and GroupB
  5. Select the Users tab on the Crowd Application and search for the test_user
  6. When selecting the test_user and inspecting their group membership, only the group from the first directory listed in the application is shown

Cause

The complete membership information will be displayed in the remote application. The Crowd Web UI only displays the membership from the first listed directory.

To verify that Directory Aggregation is working as expected, you can retrieve the complete membership for any particular user, in any given Crowd application, by performing the following REST request to Crowd:

API: usermanagement | Resource: Get direct groups
curl -v -H "X-Atlassian-Token: no-check" -u <application>:<application_password> -H "Content-Type: application/json" -X GET 'http://<CROWD_URL>:<CROWD_PORT>/crowd/rest/usermanagement/1/user/group/direct?username=<username>'
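
The same check as a script, added here as an example and not part of the original article or Atlassian's code: it builds the request shown above and reports which expected groups are absent from the response. The environment variable names (CROWD_URL, CROWD_APP, CROWD_APP_PASSWORD, CROWD_USER), the Accept header and the JSON response shape are assumptions, and the sample responses are constructed.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Constructed sample responses for test_user (response shape is an assumption).
AGGREGATED = '{"expand": "group", "groups": [{"name": "GroupA"}, {"name": "GroupB"}]}'
FIRST_DIR_ONLY = '{"expand": "group", "groups": [{"name": "GroupA"}]}'


def build_request(base_url, app_name, app_password, username):
    """Build the 'Get direct groups' request with application credentials."""
    query = urllib.parse.urlencode({"username": username})
    url = base_url.rstrip("/") + "/rest/usermanagement/1/user/group/direct?" + query
    token = base64.b64encode(f"{app_name}:{app_password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def group_names(body):
    """Return the sorted group names found in a JSON response body."""
    return sorted(g["name"] for g in json.loads(body).get("groups", []))


def missing_groups(body, expected):
    """Return the expected groups absent from the response (empty list = all present)."""
    return sorted(set(expected) - set(group_names(body)))


if __name__ == "__main__":
    expected = ["GroupA", "GroupB"]  # one group per directory, as in the Diagnosis steps
    if os.environ.get("CROWD_URL"):  # e.g. http://<CROWD_URL>:<CROWD_PORT>/crowd
        # Password comes from the environment, not argv, so it stays out of shell history.
        req = build_request(os.environ["CROWD_URL"], os.environ["CROWD_APP"],
                            os.environ["CROWD_APP_PASSWORD"], os.environ["CROWD_USER"])
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8")
    else:
        body = AGGREGATED  # offline run against the constructed sample
    print("groups returned:", group_names(body))
    print("missing:", missing_groups(body, expected) or "none")
```

An empty "missing" result means the REST API returns groups from both directories, regardless of what the Crowd Web UI shows.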

Note that Directory Aggregation works for authorization purposes only, as explained in Effective memberships with multiple directories. Users still must be able to authenticate against the first directory to which they belong in a Crowd application.


Last modified on Jul 27, 2020
