How to migrate between two external LDAP domains with different username formats
Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.
You've set up Bitbucket Server connected to an external LDAP User Directory, and now your organization is migrating users to another domain or LDAP directory where the username format is different. You want to migrate to the new directory without losing any data (pull requests, personal forks, etc.) associated with users/usernames from your old LDAP. Simply adding the new directory and then disabling the original directory will not transfer those associations.
DomainA --> UserA --> username: charlieatlassian
DomainB --> UserA (same user in Domain A) --> username: charlie.atlassian
You are planning to discontinue DomainA, so you want to copy/move/migrate UserA from DomainA (charlieatlassian) to DomainB (charlie.atlassian) without any data loss.
1. You need to be logged in as an admin user authenticating with the Internal Bitbucket Directory.
2. Disable the external directory.
3. Create users in the Internal Directory with usernames matching those in the original/old external directory. It may be worthwhile to script this using something like the Bitbucket REST API to avoid entering these manually. (See Bitbucket core REST API)
4. Promote the Internal Directory above the external directory. At this point, if you had manually set a password for the Internal Directory users, you should be able to log in as one and verify that associations are still intact.
5. Rename users to use the username format of the new external directory. As above, it's probably best to script or otherwise automate this step.
6. Add the new directory connector below the internal.
7. Synchronize the directory manually. If you sync at this point, you should not see new users in Bitbucket because they will have the same usernames as the users in the Bitbucket Internal Directory.
8. Promote the new directory connector above the Internal Directory. (If you now look at the user directory again, the renamed users will show only the directory connector as their user directory.)
Note: You can also move from the internal to a new external directory, starting from step 5 and following the rest of the steps.
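Because associations follow the username, a wrong or colliding target name in the rename step would attach one person's history to another account. The following is an added example, not Atlassian's own code: it checks an old-to-new mapping before building the rename calls. The host, credentials and sample usernames are placeholders, Basic authentication with the internal admin account is assumed, and usernames are assumed to compare case-insensitively.

```python
import base64
import json
import urllib.request

# Constructed sample: old DomainA username -> new DomainB username.
SAMPLE_MAPPING = {"charlieatlassian": "charlie.atlassian",
                  "alicesmith": "alice.smith"}

def validate_mapping(mapping, existing_users):
    """Return reasons the bulk rename would be unsafe (empty list = OK)."""
    existing = {u.lower() for u in existing_users}  # assumed case-insensitive
    problems, claimed = [], {}
    for old, new in mapping.items():
        key = new.lower()
        if old.lower() not in existing:
            problems.append(f"{old}: no such internal user")
        if key in claimed:
            problems.append(f"{old}: target {new} already taken by {claimed[key]}")
        elif key in existing and key != old.lower():
            problems.append(f"{old}: target {new} is an existing user")
        claimed.setdefault(key, old)
    return problems

def build_rename_request(base_url, old, new, admin_user, admin_password):
    """Build, but do not send, the admin rename call for one user."""
    creds = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/rest/api/1.0/admin/users/rename",
        data=json.dumps({"name": old, "newName": new}).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + creds})

def plan_renames(base_url, mapping, existing_users, admin_user, admin_password):
    """Produce requests only if the whole mapping is unambiguous."""
    problems = validate_mapping(mapping, existing_users)
    if problems:
        raise ValueError("; ".join(problems))
    return [build_rename_request(base_url, o, n, admin_user, admin_password)
            for o, n in mapping.items()]

if __name__ == "__main__":
    # Dry run against a placeholder host with placeholder credentials.
    for req in plan_renames("https://bitbucket.example.com", SAMPLE_MAPPING,
                            SAMPLE_MAPPING, "admin", "PLACEHOLDER"):
        print(req.get_method(), req.full_url, req.data.decode())
        # urllib.request.urlopen(req)  # uncomment to apply the rename
```

Run it as a dry run first and review the printed plan; keep the mapping file as the record of which old account became which new one.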
Removing the internal users created for the migration
After you verify that the migration is successful, you should remove the internal users created to accomplish it. One reason is that if users are ever removed from the external AD, the internal user will remain and consume a license. The search function may also return two users.
To do so:
- The external directory is above the Bitbucket internal directory, so all (or most) users appear to be from the external directory.
- Move the Bitbucket internal directory above the external (do not disable any directory!).
- Now all users (or most of them: the duplicated users we created for the rename) should appear to come from the Bitbucket Internal directory, and there are no duplicates in the Users interface.
- Delete one test user from the Bitbucket Internal directory. The same user will still appear in the Users interface, now with the "external directory" listed next to their name.
- Log in as that user and check that their history is intact (pull request activity, personal repos).
- Promote the external directory above the internal.
One important limitation here is that group membership information won't be maintained using this approach. If groups are managed entirely externally, you'll need to make sure before migrating that the correct groups are configured in the new directory.