Service Desk customers created as Jira internal users can't update their password.
JIRA Service Desk 3.16.1 + Jira Software 7.13.1
User Directories: Jira Internal Directory at the top + second in the list Microsoft Active Directory as read only
I created internal users for customers of a Service Desk project having these configurations
- Who can raise requests? Customers who are added to the project
- Who can customers share requests with? Any customer or organization, by searching in this project
These customers do not have a Service Desk license assigned.
I would like them to be able to update their password, but whe they try do update their own profile they get the message
"you cannot edit your name, password or e-mail because they are stored in a read-only user directory".
How can I set up Jira internal directory as Read&Write?
Directory Configuration as follows:
Directory ID: 1
Name: Jira Internal Directory
Active: true
Type: INTERNAL
Created date: Thu Feb 28 11:57:51 CET 2013
Updated date: Thu Feb 28 11:57:51 CET 2013
Allowed operations: [CREATE_GROUP, CREATE_ROLE, CREATE_USER, DELETE_GROUP, DELETE_ROLE, DELETE_USER, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, UPDATE_ROLE, UPDATE_ROLE_ATTRIBUTE, UPDATE_USER, UPDATE_USER_ATTRIBUTE]
Implementation class: com.atlassian.crowd.directory.InternalDirectory
Encryption type: atlassian-security
Attributes: "user_encryption_method": "atlassian-security"
Any suggestion is welcome!
2 answers
1 accepted
OK, just to summarize: if both Jira Internal Directory and External authentication (like Active Directory in our case) are configured as user directories in Jira, despite the fact that Jira Internal Directory is at the top of the User Directories list, locally created users can't change their password or take advantage of the forgot password link visible on the login screen.
This happens when in cog | System | General Settings | Edit settings | External user management is ON.
Don't worry about users in your External LDAP Directory, as long as you configure it as Read Only or Read only with local groups they won't be allowed to change their AD password via Jira application.
Hope this can save time to other Jira admins.
Hi,
I understand that you have both the Jira Internal user directory and another Active Directory in Jira, and that you want to allow your Service Desk customer users to be able to change their password in Jira.
That specific error message you see there happens when the user account exists in a read only directory. While Jira allows you to have multiple user directories, and each of those directories could potentially have the exact same user names in them, Jira will only let individual users login using the credentials that exist in the top ordered directory within Jira. This is noted in Managing multiple directories.
That said, I see you have the internal directory on top. The only way you would see that specific "you cannot edit your name, password, ..." message is if that specific user only exists in the external user directory and not in the Jira internal directory. OR if that user logged into Jira when the other directory was on top, and while they are still logged in, a Jira admin re-orders the directories. The Jira internal user directory is always in a read/write state, unless the internal directory has been disabled entirely.
We can try to confirm this likely cause by looking at the userbrowser in Jira, Cog -> User Management -> Users or the URL /secure/admin/user/UserBrowser.jspa On this page search for the username in question. If the user account exists in both AD and the Internal directory, the search results should show us that user name exists twice in Jira, and indicates the user directory. It could also be something we can lookup via SQL if need be, but this method seems to be the easiest way to confirm if this is the problem here. You should see results like this:
As for ways to correct this, well it might just be as simple as creating that user account in the Internal directory. From there the user would need to know what their credentials where in Jira, but they could then change them as needed once they can login. Alternatively, you could change the User directory settings within Jira to switch the directory from Read-only to Read/Write. Just understand that this setting then allows all user account changes made in Jira for those accounts to write them back to the Active Directory itself.
Please let me know if you have any questions about this.
Andy
Jira internal directory has always been on top, when user was created as well as when he logged in.
There is only one user entry for this specific user, never created in Active Directory but only in Jira ID.
The point is: if Service Desk customers don't own the SD license but they have been created as internal users in order to narrow the customer portal access, are they anyway allowed to change their password?
Pre-requisites are: Active Directory can't be R/W, customers can't have a SD license assigned, Customer Portal access has to be limited as much as possible.
Thank you for your help
The matter is about Service Desk Curtomers: I do expect some features to be available for Cutomers as well, whithout having to assign a Service Desk License.
Might be this point the misunderstanding?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.