LDAP queries contain AD attribute 'PasswordNeverExpire'
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
LDAP queries sent from Jira contain search parameters for users that do not have an expiration date.
Diagnosis
The following search operation appears in the atlassian-jira.log:
2023-08-17 08:3:47,337-0400 Caesium-1-4 DEBUG ServiceRunner [c.a.c.d.ldap.monitoring.TimedSupplier] Execute operation search with handler on baseDN: DC=XXX,DC=net, filter: (&(&(objectCategory=Person)(sAMAccountName=*))(|(accountExpires=0)(!(accountExpires=*))(accountExpires>=133367490588080000)))
Cause
When the LDAP configuration option Filter out expired users is enabled, Jira will search for users that are not expired, and for those who do not have an expiration date at all.
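To read the logged filter, the following added example (not Atlassian's code) pulls the cutoff out of the `accountExpires>=` clause, converts it to a UTC timestamp, and evaluates the three OR branches against sample entries. It assumes Active Directory's encoding of `accountExpires` as 100-nanosecond intervals since 1601-01-01 UTC; the function names and the sample users are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Filter copied from the log line in the Diagnosis section.
LOGGED_FILTER = ("(&(&(objectCategory=Person)(sAMAccountName=*))"
                 "(|(accountExpires=0)(!(accountExpires=*))"
                 "(accountExpires>=133367490588080000)))")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # AD also stores "never expires" as this value


def threshold_from_filter(ldap_filter):
    """Extract the FILETIME cutoff from the (accountExpires>=N) clause."""
    m = re.search(r"\(accountExpires>=(\d+)\)", ldap_filter)
    if m is None:
        raise ValueError("no accountExpires>= clause in filter")
    return int(m.group(1))


def filetime_to_utc(filetime):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def passes_expiry_clause(entry, threshold):
    """Evaluate the three OR branches against one directory entry (a dict)."""
    value = entry.get("accountExpires")
    if value is None:            # (!(accountExpires=*)): attribute not set
        return True
    if int(value) == 0:          # (accountExpires=0): never expires
        return True
    return int(value) >= threshold  # expiry at or after the cutoff


# Constructed sample entries, not taken from any real directory.
SAMPLE_USERS = [
    {"sAMAccountName": "no-attr"},
    {"sAMAccountName": "zero", "accountExpires": "0"},
    {"sAMAccountName": "never", "accountExpires": str(NEVER)},
    {"sAMAccountName": "future", "accountExpires": "133500000000000000"},
    {"sAMAccountName": "expired", "accountExpires": "133000000000000000"},
]

if __name__ == "__main__":
    cutoff = threshold_from_filter(LOGGED_FILTER)
    print("cutoff:", filetime_to_utc(cutoff).isoformat())
    for user in SAMPLE_USERS:
        verdict = "synced" if passes_expiry_clause(user, cutoff) else "filtered"
        print(f"{user['sAMAccountName']:8} {verdict}")
```

The cutoff in the logged filter decodes to 2023-08-17 12:30:58 UTC, the same day as the log entry, so only the entry whose expiry lies before that moment is filtered out.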
Resolution
Disable the Filter out expired users option:
- Navigate to your LDAP directory at Administration > User Management > User Directories > Your LDAP > Edit
- Untick Filter out expired Users under Advanced Settings
- Save your LDAP settings
Disabling this option means Jira will synchronize users regardless of account expiration, which may result in additional users appearing in your Jira User Directories. These users will not be able to authenticate to Jira, however, because authentication will still be controlled by LDAP.