License is not counted using FreeIPA User Directory


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Problem

When FreeIPA (LDAP) is used as the user directory for Bitbucket and users are members of multiple groups, a user is counted against the license if their Primary Group has global permissions in Bitbucket Server. If the Primary Group does not have global permissions, the user is not added to the second group and is not counted against the license.


Cause

Bitbucket Server doesn't use the memberOf attribute during synchronization, so group membership does not sync. The following is written to the logs when users are synchronized from the external user directory:


2018-07-12 15:14:01,718 ERROR [Caesium-1-1]  c.a.c.d.l.mapper.GroupContextMapper Failed to map attribute <gidNumber> from context with DN <cn=users,cn=accounts,dc=bitbucket,dc=local>
java.lang.NullPointerException: null
2018-07-12 15:14:01,740 WARN  [Caesium-1-1]  c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ admins ]: [uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=admin2,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=rmadal,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=internaluser,cn=users,cn=accounts,dc=bitbucket,dc=local]


Bitbucket Server uses the gidNumber attribute (in the user's LDIF entry) to detect membership, but each user has only a single gidNumber, so the user's other groups are not added to their group membership.
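One way to check a log for this symptom, as an added example that is not Atlassian's code: the script scans log text for the two messages shown above and lists, per group, the user DNs that could not be added. The sample lines are constructed in the same format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines above (not real output).
SAMPLE_LOG = """\
2018-07-12 15:14:01,718 ERROR [Caesium-1-1]  c.a.c.d.l.mapper.GroupContextMapper Failed to map attribute <gidNumber> from context with DN <cn=users,cn=accounts,dc=example,dc=test>
java.lang.NullPointerException: null
2018-07-12 15:14:01,740 WARN  [Caesium-1-1]  c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ devs ]: [uid=alice,cn=users,cn=accounts,dc=example,dc=test, uid=bob,cn=users,cn=accounts,dc=example,dc=test]
2018-07-12 15:14:02,101 INFO  [main]  example.Unrelated some other message
"""

MAP_FAIL = re.compile(
    r"GroupContextMapper Failed to map attribute <([^>]+)> "
    r"from context with DN <([^>]+)>")
MISSING = re.compile(
    r"Could not add the following missing users to group "
    r"\[ (.+?) \]: \[(.*)\]\s*$")


def parse_sync_failures(log_text):
    """Return (mapping_failures, missing_by_group) found in the log text."""
    mapping_failures = []              # (attribute, context DN) pairs
    missing_by_group = defaultdict(set)
    for line in log_text.splitlines():
        m = MAP_FAIL.search(line)
        if m:
            mapping_failures.append((m.group(1), m.group(2)))
            continue
        m = MISSING.search(line)
        if m:
            group, dn_list = m.groups()
            # DNs contain commas, so split only on ", " between two DNs.
            # Assumption: no ", " inside a DN, as in the lines above.
            for dn in dn_list.split(", "):
                if dn.strip():
                    missing_by_group[group].add(dn.strip())
    return mapping_failures, dict(missing_by_group)


def uid_of(dn):
    """Return the uid value of a user DN, or the DN itself if it has none."""
    m = re.match(r"uid=([^,]+)", dn)
    return m.group(1) if m else dn


if __name__ == "__main__":
    failures, missing = parse_sync_failures(SAMPLE_LOG)
    for attr, dn in failures:
        print(f"attribute {attr} could not be mapped for {dn}")
    for group, dns in sorted(missing.items()):
        print(f"{group}: not added -> {sorted(uid_of(d) for d in dns)}")
```
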

Solution

Go to Administration --> User Directories --> FreeIPA server --> Membership Schema Settings and, under Use the User Membership Attribute, uncheck When finding the user's group permission.

It is also necessary to change the Directory Type option to Open LDAP (without using POSIX schema). This way the memberOf attribute will be used.





Last updated: August 30, 2018
