New or deleted users and groups from active directory are not synchronised in JIRA applications
- New users and/or groups added to Active Directory (AD) do not show up in JIRA applications after a synchronisation.
- Deleted users and/or groups from AD are not removed from JIRA applications after a synchronisation.
The following may appear in the
2012-12-27 18:41:13,339 http-bio-8080-exec-5 WARN localadmin 1121x1658x1 xlmwkq 172.16.8.130,192.168.72.4 /plugins/servlet/embedded-crowd/directories/troubleshoot/ [directory.ldap.mapper.UserContextMapper] Failed to map attribute <uSNChanged> from context with DN <cn=Aquaman,ou=Heroes,dc=avengers,dc=com> java.lang.NullPointerException at com.atlassian.crowd.directory.ldap.mapper.attribute.USNChangedMapper.getValues(USNChangedMapper.java:28) at com.atlassian.crowd.directory.ldap.mapper.UserContextMapper.mapFromContext(UserContextMapper.java:57) at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:67) at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:297) at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
With the release of JIRA 6.1 which includes - JRA-24937Getting issue details... STATUS : a user that has been synced to JIRA and then later removed from the LDAP server, will appear as inactive in JIRA still.
Either of the following can be used to verify if this is the problem.
- Disable incremental synchronisation and then synchronise the User Directory - this will trigger a full synchronisation instead of incremental. If this adds/removes the users and/or groups from JIRA that were modified in Active Directory, it verifies this is the problem.
- Check to see if the user to be modified within JIRA applications has the
uSNChangedattribute in Active Directory - if they do not have it this problem will be present for JIRA. The DN of that user can be found in the above logs - below is an LDIF Export of that user.
dn: cn=Aquaman,ou=Heroes,dc=avengers,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Aquaman sn: other givenName: Aquaman initials: Aqua distinguishedName: cn=Aquaman,ou=Heroes,OU=bbscratch,dc=avengers,dc=com displayName: Aquaman name: Aquaman objectGUID:: vvpujBfH5kyXQuT3U2dTBw== codePage: 0 countryCode: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAIrfv8Z/tmbiWzGjpVwcAAA== sAMAccountName: other sAMAccountType: 805306368 userPrincipalName: email@example.com objectCategory: CN=Person,CN=Schema,CN=Configuration,dc=avengers,dc=com
If the user has been deleted, please see Microsoft's How to search for deleted objects in Active Directory KB for information on how to find it. Additionally, as per our deleting a user documentation we do not recommend deleting users in JIRA applications.
When a JIRA application connects to Active Directory it tries to do an incremental synchronisation by only pulling in the groups and users that have changed since the last time it did a synchronisation. To do this it needs access to two things:
- Read access to the
uSNChangedattribute on all the users and groups in the directory that need to be synchronised.
- Read access to the objects and attributes in the Deleted Objects container.
JIRA will not correctly synchronise with AD if either of these conditions are not met. JIRA synchronises as per this Polling for Changes Using USNChanged MSDN article.
Stop using incremental synchronisation, which will then synchronise the complete directory each time. This will be acceptable for small directories, however for large directories this is not recommended as it is a resource-intensive operation. This option can be set in the "Advanced Settings" section of your AD configuration in JIRA, as below:
Make sure the user JIRA application is using to synchronise in Active Directory has access to the following:
uSNChangedattributes of all the groups and users that need to be synchronized against JIRA.
- The Deleted Object container. For further information on accessing this, please see Microsoft's How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server KB.