License is not counted using FreeIPA User Directory
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When FreeIPA (LDAP) is used as the user directory for Bitbucket and a user is a member of multiple groups, the user is counted against the license only if the user's Primary Group has global permissions in Bitbucket Server. If the Primary Group does not have global permissions, the user is never added to the second group and is therefore not counted against the license.
Cause
Bitbucket Server does not use the memberOf attribute during synchronization, so group membership does not sync. The following entries appear in the logs when users are synchronized from the external user directory:
2018-07-12 15:14:01,718 ERROR [Caesium-1-1] c.a.c.d.l.mapper.GroupContextMapper Failed to map attribute <gidNumber> from context with DN <cn=users,cn=accounts,dc=bitbucket,dc=local>
java.lang.NullPointerException: null
2018-07-12 15:14:01,740 WARN [Caesium-1-1] c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ admins ]: [uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=admin2,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=rmadal,cn=users,cn=accounts,dc=bitbucket,dc=local, uid=internaluser,cn=users,cn=accounts,dc=bitbucket,dc=local]
Bitbucket Server is using the gidNumber attribute from the user's LDAP entry to detect group membership, but each user carries only a single gidNumber, so the user's other groups are never added to the group membership.
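As an added illustration (not part of the Atlassian KB), the script below resolves group membership from a constructed FreeIPA-style LDIF both ways, via gidNumber as the POSIX schema sync does and via memberOf, and lists the memberships the gidNumber path drops. The LDIF entries, DNs and function names are constructed for this example.

```python
# Added example (not from the KB): resolve group membership from a constructed FreeIPA-style
# LDIF via gidNumber (POSIX schema) and via memberOf, and report what the POSIX path drops.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=users,cn=groups,cn=accounts,dc=bitbucket,dc=local
cn: users
gidNumber: 1000

dn: cn=admins,cn=groups,cn=accounts,dc=bitbucket,dc=local
cn: admins
gidNumber: 1001

dn: uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local
uid: admin
gidNumber: 1000
memberOf: cn=users,cn=groups,cn=accounts,dc=bitbucket,dc=local
memberOf: cn=admins,cn=groups,cn=accounts,dc=bitbucket,dc=local
"""  # constructed sample data, not a real directory export

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}; no base64 or folded lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs[attr].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def resolve_memberships(entries):
    """{uid: (groups via gidNumber, groups via memberOf)}; groups are entries without uid."""
    gid_to_cn = {e["gidNumber"][0]: e["cn"][0]
                 for e in entries.values() if "uid" not in e}
    # each user carries exactly one gidNumber, so the POSIX path yields exactly one group
    return {e["uid"][0]: ({gid_to_cn[e["gidNumber"][0]]},
                          {entries[dn]["cn"][0] for dn in e["memberOf"]})
            for e in entries.values() if "uid" in e}

def missing_under_posix(ldif_text):
    """Group names memberOf reports but a gidNumber-only sync never sees, per uid."""
    return {uid: sorted(full - posix)
            for uid, (posix, full) in resolve_memberships(parse_ldif(ldif_text)).items()
            if full - posix}

if __name__ == "__main__":
    print(missing_under_posix(SAMPLE_LDIF))  # {'admin': ['admins']}
```

Running the same comparison over an ldapsearch export of a real directory shows, before any settings are changed, which users would gain memberships (and licence seats) once memberOf is used.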
Resolution
Go to Administration --> User Directories --> FreeIPA server --> Membership Schema Settings, and under Use the User Membership Attribute, uncheck When finding the user's group permission.
It is also necessary to change the Directory Type option to Open LDAP (without using the POSIX schema), so that the memberOf attribute is used.