Ignoring disabled users in LDAP Active Directory [zt]

https://answers.atlassian.com/questions/59972/ignoring-disabled-users-in-ldap-active-directory

Q:

Our Jira and LDAP Active Directory (Microsoft) are integrated.

As a company policy, we never delete users from our AD, but disable them.

However, in Jira I see all users (both enabled and disabled).

How do I configure my Jira to ignore disabled users?

Thanks.

A:

You could perhaps filter by the LDAP attribute userAccountControl

Based on Microsoft Support’s explanation:

The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this:

1
(!(UserAccountControl:1.2.840.113556.1.4.803:=2))

…would be all accounts that are not disabled.

So, in JIRA Admin | Users | User Directories

Select your AD configuration then expand the User Schema Settings heading

In the User Object Filter field, paste something like…

1
(&(objectCategory=Person)(sAMAccountName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

This is the default filter for AD with the additional filter added.

Or the selected field here:

Ignoring_disabled_users_in_LDAP_Active Directory