Hi Marcin!

Thank You for Your detailed reply!

// Secondly in Jira you have selected that "Update group memberships when logging in":
// "For newly added users only". This means that even when user logs in to product
// memberships

I think this was the problem, with the users still being able to login, altough the group-membership was removed.

Yes, I am manually creating the groups within crowd.

At first I had the option "Allow all users from this directory to authenticate.",
so users got created at first login.

Currently I defined some groups which are allowed to authenticate.
In this case I have to pre-create/import the users in order to enable them to login.

With this I ran into the problem, that I dont know the password of the users, because the authentication is managed via the Delegated Authentication LDAP functionality.

How can I mange to pre-create/import the users without the password ?

Regards,
Hans

Hi @Hans Pesata ,

I am not sure what do you mean by 'pre-create' users? You mean you are creating those users manually? Or are you importing them somehow to Crowd?

As I understood your setup you've been using remote LDAP directory that Crowd is connected to. What is the reason you cannot create a connector type of directory and have your users synchronized from there?

Best Regards,

Marcin Kempa

Hi Marcin!

I was under the imperssion that using a "Delegated Authentication Directory" is the way to go. The Authentication is done through the LDAP Connector and the Users and Groups are manged in the Directory.

How can I synchronize the users ?

Regards,
Hans

Hi @Hans Pesata 

If you would like to have your users synchronized from remote LDAP or AD directory you would need to create a connector type of directory rather than a delegated one https://confluence.atlassian.com/crowd/configuring-an-ldap-directory-connector-18579550.html

Unfortunately there is no way to change type of directory, you would need to recreate it.

There are some things to keep in mind. When you go for Connector type of directory, you would need to make sure that you have you LDAP filters right so that Crowd synchronizes only those users you would like to manage and give access to applications. If you configure LDAP filter to broadly you may run into problems that your Crowd instance may run out of license as it will pull more users from LDAP then you have licenses seats reserved in Crowd (provided all those users can login to Crowd or applications connected to Crowd, which means they are in groups that allow them to do so or you allow all users from directory to authenticate).

If you would like to know more on types of Crowd's directory please check this documentation https://confluence.atlassian.com/crowd/adding-a-directory-18579549.html. Also you may find following webinars useful:

• https://www.atlassian.com/webinars/software/centralize-identity-management-using-crowd-data-center
• https://www.atlassian.com/webinars/software/managing-your-atlassian-users-as-you-grow-crowds-tips-and-tricks

Hope that helps,

Marcin Kempa

Hi @Marcin Kempa !

I followed Your suggestion and created a "Generic Directory Server" Directory Connector with an approriate LDAP Configuration and User filter. Because we dont need the groups from the LDAP Server, I am using (objectclass=unknown) as group LDAP Filter, so no groups will be synced. This works. Is there a better way to not sync groups from LDAP ?

I created some groups within the directory and assigned users to them and the users can successfully login to the assigned application, which allows the groups to log in.

I discovered an error message in the crowd log, regarding the created groups:

2019-11-27 10:41:23,849 http-nio-8095-exec-6 ERROR [console.action.principal.UpdateGroups] Membership already exists in directory [13565954] from child entity [xxxxxx@yyyyyy.zzz] to parent entity [abc.def.ghi]

Any idea what this is about ?

Thank You again for Your persistence and support!

Regards,
Hans

Hi @Hans Pesata 

The error you've posted is thrown when there is already a relation between group and group (if nesting is enabled) or between group and user, please check cwd_membership table for those entries.

Regarding

I am using (objectclass=unknown) as group LDAP Filter, so no groups will be synced. This works. Is there a better way to not sync groups from LDAP ?

I am not sure if this is the best approach, I am not 100% sure but I am worried that you may fetch some objects that just do not have all required attributes set and are mapped to that object type https://ldapwiki.com/wiki/ObjectClass%3Dunknown.

Have you tried to point group DN to a subtree that does not exists or does not contain any groups?

Regards,

Marcin Kempa

Hi @Marcin Kempa 

Yes, I am using a non-existing DN for groups, thanx for the hint!

Is there a possibility to clear the users from my directory to make a full fresh LDAP-Sync ?

Regards,
Hans

@Hans Pesata there is no such functionality to do that on existing directory. I would suggest to just recreate it.

Regards,

Marcin Kempa

@Marcin Kempa 

I used an invalid user object filter, started a sync, -> all users were gone
afterwards used the valid user filter started a sync again -> all users were available again

Regards,
Hans

@Hans Pesata 

Is there any thing else I can help you with? Were those answers helpful? If so would you ming changing the status as 'answered' it will help others to find solution if they are running in similar problems.

Thank you!

Marcin Kempa

@Marcin Kempa 

I had to revert to using the filter (objectclass=unknown) in order to omit syncing the groups, because using a  non-existing DN for the groups caused an exception during the sync process and stopped it.

Thank You for Your support!

Regards,
Hans