Hello,
we are running a Bitbucket server instance (version 5.9) with internal user directory only. Now we are planning to hand over user authentication to LDAP. The current user name scheme in the Bitbucket internal directory is "forename.surname". From LDAP we receive the user name scheme "forename.surname@mycompany.com".
We tend to use the "delegated user authentication only" approach as described in Delegating Bitbucket Server authentication to an LDAP directory. We ran some tests in our development instance (Bitbucket server version 5.13). The connection to LDAP is stable and works as expected. Users were synchronized and put into the correct default group. As the next step we renamed user names from the internal directory user name scheme to the LDAP user name scheme, e.g. from "john.doe" to "john.doe@mycompany.com". From then on, login was possible with "john.doe@mycompany.com" and the LDAP password only. That's what I expected.
However, I discovered user "john.doe@mycompany.com" exists twice in Bitbucket server's database (db cwd_user): One entry is linked to the internal directory and the other one is connected to external directory (LDAP).
The document Deleting users and groups explains what will happen if users are deleted. And now my confusion begins: As far as I understood, a user who is deleted, let's assume in LDAP, will not be deleted in the Bitbucket server internal directory because Bitbucket Server assumes the administrator intended to migrate the user between directories. But this is not my intention in this scenario.
How can I reliably avoid a user from the internal user directory being revived if the user with the same name is removed from LDAP? Unfortunately it is not possible to run comprehensive tests because my access to LDAP is restricted to read only.
Perhaps I missed an important detail or I misunderstood something. Therefore I would be glad about every hint.
Regards,
Marko
Hi Marko!
That "duplicate" user is normal, it just means that if the LDAP server is down, the internal user can still log in with their internal password. What is in the DB is not a problem, however, if you see double license usage, then that would be an issue. Let us know if that's your case and we'll have a look for you!
Cheers :)
Ana
Hi Ana,
thank you very much for your reply. Fortunately there is no double license usage. However, I'd like to come back to the question which is most interesting for me: What happens if a user is removed from LDAP while a user with the same name still exists in Bitbucket's internal directory?
Thank you.
Marko
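The thread mentions that "john.doe@mycompany.com" shows up twice in cwd_user, once per directory, and that the concern is an internal copy quietly taking over once the LDAP copy is gone. The query below is an added example, not something posted in the thread or shipped by Atlassian: it lists every user name that exists in more than one directory, together with each directory's type, order and active flag, so an administrator can review shadow accounts before relying on LDAP alone. It assumes the standard embedded-Crowd schema (cwd_user joined to cwd_directory on directory_id, with columns directory_name, directory_type, directory_position and active); verify those names against your own Bitbucket database, as they are an assumption here.

```sql
-- Added example (not from the thread): find user names present in more than one
-- Bitbucket Server user directory, so that leftover internal copies of LDAP
-- users can be reviewed. Assumes the embedded-Crowd tables cwd_user and
-- cwd_directory; run it with a read-only database account.
SELECT
    LOWER(u.user_name)      AS user_name,
    d.directory_name        AS directory_name,
    d.directory_type        AS directory_type,     -- assumed values: INTERNAL, DELEGATING, CONNECTOR, ...
    d.directory_position    AS directory_position, -- assumed: lower position is consulted first at login
    u.active                AS user_active,         -- 'T'/'F' in embedded Crowd (assumption; may be boolean on some DBs)
    d.active                AS directory_active
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE LOWER(u.user_name) IN (
    -- user names that occur in at least two distinct directories
    SELECT LOWER(user_name)
    FROM cwd_user
    GROUP BY LOWER(user_name)
    HAVING COUNT(DISTINCT directory_id) > 1
)
ORDER BY user_name, d.directory_position;
```

Rows where an internal copy is still active alongside a copy in the LDAP directory are the ones worth reviewing: if the LDAP entry later disappears, the internal entry remains the only match for that name. Because the query reads only from the database, it also gives a way to check the "double license usage" point raised above without write access to LDAP; a name that appears once per directory is expected, while two active entries both eligible for a licensed group are what to look for.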