Migrating local group memberships of Delegated Ldap User Directory when switching to another external directory with local groups in Bitbucket Server/DC



Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When switching to a new external Delegated LDAP directory with local groups that contains the same set of users as the one already configured in Bitbucket Server, local group membership for groups other than the default stash-users is lost. This can affect project and repository permissions that were granted through group membership, and the users will no longer be able to access those repositories after switching to the new directory.


Environment

7.6.0

Diagnosis


After enabling the new external directory, local groups do not contain any members from the new directory. This can be verified by running the queries below:

Get directory_id
select * from cwd_directory;

Note the id associated with the new Delegated LDAP directory, then replace <new_directory_id> in the query below with the id retrieved from the previous query.

Check the Membership of the Local groups
select A.lower_parent_name, A.child_name, B.directory_name
from cwd_membership A,
     cwd_directory B
where A.directory_id = B.id
  and A.directory_id = <new_directory_id>
  and A.lower_parent_name in (select lower_group_name from cwd_group where is_local = 'T' and directory_id = <new_directory_id>);

This will return an empty result because no memberships are linked to the local groups of the new Delegated LDAP directory.
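
To list exactly which local group memberships exist in the original directory but have no counterpart in the new one, the same tables can be compared side by side. This is an added, read-only example and not a query from the original article; it assumes the original directory is still listed in cwd_directory, that user names match between the two directories, and that <old_directory_id> (a placeholder introduced here) is the id of the original directory.

```sql
-- Added example (not from the original article): read-only audit.
-- <old_directory_id> / <new_directory_id> are placeholders for ids
-- taken from "select * from cwd_directory;".
SELECT old_m.lower_parent_name AS local_group,
       old_m.child_name        AS member,
       old_d.directory_name    AS present_in,
       new_d.directory_name    AS missing_from
FROM cwd_membership old_m
JOIN cwd_directory old_d ON old_d.id = old_m.directory_id
JOIN cwd_directory new_d ON new_d.id = <new_directory_id>
WHERE old_m.directory_id = <old_directory_id>
  -- only memberships of local groups in the original directory
  AND old_m.lower_parent_name IN (
        SELECT g.lower_group_name
        FROM cwd_group g
        WHERE g.is_local = 'T'
          AND g.directory_id = <old_directory_id>)
  -- keep rows with no matching membership in the new directory
  AND NOT EXISTS (
        SELECT 1
        FROM cwd_membership new_m
        WHERE new_m.directory_id = <new_directory_id>
          AND new_m.lower_parent_name = old_m.lower_parent_name
          AND LOWER(new_m.child_name) = LOWER(old_m.child_name))
ORDER BY old_m.lower_parent_name, old_m.child_name;
```

Each returned row is a group membership, and therefore any project or repository permission granted through that group, that the user would not have under the new directory.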

Cause

This is a known issue tracked in CWD-4886.

Solution

  • Instead of creating a new Delegated LDAP user directory, update the existing Delegated LDAP user directory. That way the local groups are still tied to the same directory_id and the group memberships will be retained.
  • You can confirm that the group memberships are intact by running the query below again.

    • Replace <directory_id> with the directory ID of the Delegated LDAP directory, which can be retrieved with the query we used before.


Check the Membership of the Local groups
select A.lower_parent_name, A.child_name, B.directory_name
from cwd_membership A,
     cwd_directory B
where A.directory_id = B.id
  and A.directory_id = <directory_id>
  and A.lower_parent_name in (select lower_group_name from cwd_group where is_local = 'T' and directory_id = <directory_id>);

Warning: Test this configuration in a test environment before applying it to production.

Last modified on Mar 31, 2022
