How to handle users in multiple directories

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When the same user exists in multiple User Directories, Jira uses the information provided by the directory that is higher on the directories list. This means that if a user is moved/disabled in one directory but is still enabled in a directory below it, they will no longer be able to access the application, and the duplicated user health check in Jira will be triggered.

This article is meant to explain the different scenarios that can happen and what options we have to fix them.

Scenarios

  1. Jira will disable the user and mark them as deleted externally if the user is not found on any other directories during the User Directory synchronization.

  2. Jira will remove the user associated with the User Directory from the database if they are already associated with another User Directory.

Problem

If the user is being moved to another domain inside your LDAP/AD server and we perform the move in a certain order, we will end up in scenario 1 and see the user as disabled in Jira.

Problematic order

  1. User is disabled in Directory 1 LDAP server

  2. Directory 1 is synchronized in Jira, disabling the user and marking them as deleted externally

  3. User is added to Directory 2 LDAP server

  4. Directory 2 is synchronized and the user is added to Jira

Correct order to avoid problem

  1. Add user to new directory

  2. Make sure the directory synchronizes with Jira

  3. Remove user from old directory

Solution

We have a couple of options to fix the problem:

  1. DB manipulation approach

    1. Remove the disabled user manually from the DB following our How to delete user KB article

    2. Create a dummy new User Directory to trigger the user cache flush

  2. LDAP server approach

    1. Enable/Add the user back to Directory 1 LDAP server

    2. Synchronize Directory 1 and make sure the user is enabled again

    3. Add the user to Directory 2 LDAP server (if they are not there already)

    4. Synchronize Directory 2

    5. Disable/Remove user from Directory 1 LDAP server

    6. Synchronize Directory 1
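
The following is an added example, not Atlassian's code: a simplified Python model of the two scenarios and the directory precedence rule above, replaying the problematic order, the correct order, and the LDAP server approach. The class, function and user names are hypothetical. It assumes that a user already marked as deleted externally is left unchanged by later synchronizations, and that Directory 1 is synchronized again after the last step of the correct order.

```python
# Simplified model of the sync rules in this article; not Jira's code, names are constructed.
class Model:
    def __init__(self, order):
        self.order = order                     # directory names, highest first
        self.ldap = {d: set() for d in order}  # users enabled on each LDAP server
        self.jira = {d: {} for d in order}     # Jira's copy: user -> is_active

    def sync(self, directory):
        """Synchronize one directory into Jira, applying scenario 1 or 2."""
        local, remote = self.jira[directory], self.ldap[directory]
        for user in remote:
            local[user] = True
        # Assumption: a user already marked deleted externally is left as is.
        for user in [u for u, active in local.items() if active and u not in remote]:
            if any(user in self.jira[d] for d in self.order if d != directory):
                del local[user]      # scenario 2: record removed from this directory
            else:
                local[user] = False  # scenario 1: disabled, marked deleted externally

    def effective(self, user):
        """Return (directory, is_active) from the highest directory holding the user."""
        for d in self.order:
            if user in self.jira[d]:
                return d, self.jira[d][user]

D1, D2 = "Directory 1", "Directory 2"

def run(steps, user="alice"):
    """Replay (action, directory) steps; the user starts active in Directory 1 only."""
    m = Model([D1, D2])
    m.ldap[D1].add(user)
    m.sync(D1)
    for action, directory in steps:
        if action == "add":
            m.ldap[directory].add(user)
        elif action == "remove":
            m.ldap[directory].discard(user)
        else:  # "sync"
            m.sync(directory)
    return m.effective(user)

PROBLEMATIC = [("remove", D1), ("sync", D1), ("add", D2), ("sync", D2)]
CORRECT = [("add", D2), ("sync", D2), ("remove", D1), ("sync", D1)]
# LDAP server approach, applied to the state the problematic order leaves behind.
LDAP_FIX = PROBLEMATIC + [("add", D1), ("sync", D1), ("add", D2), ("sync", D2),
                          ("remove", D1), ("sync", D1)]

if __name__ == "__main__":
    for name, steps in (("problematic", PROBLEMATIC), ("correct", CORRECT), ("LDAP fix", LDAP_FIX)):
        print(f"{name}: {run(steps)}")
```

In the problematic order the disabled record in Directory 1 shadows the active record in Directory 2, which is why the user stays locked out even though Directory 2 synchronized successfully.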

Updated on February 12, 2025
