Hi,
As the subject says, our BitBucket (10 licence version):
* Allows anyone with an AD login access to anything
* Automatically adds that user to our stash-users so it contributes to our licence count
We trialled the product and were really impressed by it, but this could be terminal. We cannot entertain this scenario from a cost/operational and security perspective.
I can't see how we can prevent this behaviour.
We:
* Do not have Public repos
* Operate on a private network (Active Directory managed)
* Have a single group ("stash-users") within a small team of developers. No-one else should have access.
I'd welcome guidance on this.
Thanks very much
Nathan
Hi Nathan,
It sounds like your directory settings are a bit mixed up.
The two options you'll probably have to look at are
Default Group Memberships, which determines which groups a user will be added to upon login, and User Object Filter, which allows you to filter users by group membership by, for instance, adding (memberOf=cn=stash users,ou=some unit,dc=company,dc=com) as a filter criterion so that only users who are members of this group are actually able to authenticate.
For more see:
Cheers,
Christian
Premier Support Engineer
Atlassian
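As an added illustration (not from the original thread and not Atlassian's code), the snippet below evaluates a User Object Filter like the one suggested above against constructed AD user entries, so you can see which accounts a given filter would let authenticate before changing the directory settings. The sample users and the `objectClass=user` clause are assumptions.

```python
"""Offline check of an LDAP User Object Filter (RFC 4515 subset)."""

# Constructed sample AD user entries (not real data): attribute -> list of values.
USERS = {
    "alice": {"objectClass": ["user"],
              "memberOf": ["cn=stash users,ou=some unit,dc=company,dc=com"]},
    "bob":   {"objectClass": ["user"],
              "memberOf": ["cn=finance,ou=some unit,dc=company,dc=com"]},
    "svc":   {"objectClass": ["user"], "memberOf": []},
}

# The permissive default admits every AD account (and so consumes a licence for each).
PERMISSIVE_FILTER = "(objectClass=user)"
# The restricted filter from the answer above, combined with the objectClass clause.
STASH_FILTER = "(&(objectClass=user)(memberOf=cn=stash users,ou=some unit,dc=company,dc=com))"


def _split_filters(s):
    """Split a run of parenthesised filters into its top-level components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, flt):
    """True if the entry satisfies the filter; supports (a=v), (a=*), &, |, ! ."""
    body = flt.strip()[1:-1]  # strip the outer parentheses
    if body[0] == "&":
        return all(matches(entry, f) for f in _split_filters(body[1:]))
    if body[0] == "|":
        return any(matches(entry, f) for f in _split_filters(body[1:]))
    if body[0] == "!":
        return not matches(entry, _split_filters(body[1:])[0])
    attr, _, value = body.partition("=")  # first '=' only: DN values contain more
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # LDAP matching is case-insensitive


def allowed_users(directory, flt):
    """Accounts the directory connector would let authenticate under this filter."""
    return sorted(u for u, e in directory.items() if matches(e, flt))
```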
Developing:
It _seems_ that a user who has not been in the system before is allowed in and is automatically added to the *stash-users* group.
This is very bad from a licensing and security perspective.
If I _remove_ that user explicitly from the *stash-users* group, the next time they try they get the "You do not have permission to access Bitbucket" message and can't log in.
Which suggests BitBucket has _remembered_ they had access and this was removed.
That sounds too crazy to be actually true.
Yes, "stash-users" is a very special group - upon successful login, anyone who tries to login to Bitbucket (the first time) gets added to it.
I would keep the "stash-users" group as it is, but remove it from Global Permissions.
Then in Global Permissions designate a different group (one from AD) as your "Bitbucket User" group.
The reason to keep "stash-users" group (but not associate it with any permissions) is that it's still very handy to have a quick way to see who has tried to login.
Aaaaahh, that makes sense. I'll try that. Thanks!
That's fixed it. Thanks very much. Shame this was not made abundantly obvious.