Migrating local group memberships of Delegated Ldap User Directory when switching to another external directory with local groups in Bitbucket Server/DC
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
When switching to a new external Delegated LDAP directory with local groups, containing the same set of users as the one already configured in Bitbucket Server, local group membership for groups other than the default stash-users is lost. This can affect project and repository permissions that were granted through group membership, and the users will no longer be able to access those repositories after switching to the new directory
環境
7.6.0
診断
After enabling the new external directory, local groups do not contain any members from the new directory. This can be verified by running the below query:
select * from cwd_directory;Get the id associated with the New Delegated LDAP Directory
Replace the <new_directory_id> with the id retrieved from the previous query
select A.lower_parent_name, A.child_name, B.directory_name
from cwd_membership A,
cwd_directory B
WHERE directory_id = B.id
AND A.directory_id = <new_directory_id>
AND A.lower_parent_name IN (select lower_group_name from cwd_group where is_local = 'T' AND directory_id=<new_directory_id>);This will return an empty results because there are no memberships linked to the Local groups of the New Delegated User directory.
原因
This is a known issue tracked in CWD-4886 - Getting issue details... STATUS
ソリューション
- Instead of creating a New Delegated Ldap User directory update the existing Delegated Ldap user directory, that way the Local groups are still tied to the same
directory_idand the group memberships will be retained. You can confirm if the Group memberships are intact by running the below query again
- Replace the
<directory_id>with directory ID of the Delegated Ldap directory which can be retrieved from the query we used before
- Replace the
select A.lower_parent_name, A.child_name, B.directory_name
from cwd_membership A,
cwd_directory B
WHERE directory_id = B.id
AND A.directory_id = <directory_id>
AND A.lower_parent_name IN (select lower_group_name from cwd_group where is_local = 'T' AND directory_id=<directory_id>);
Test this configuration on a test environment before updating the same on the Production directly