How to filter out the LDAP disabled users from Jira?
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
You noticed that some users that have been disabled in LDAP are still showing up in Jira as inactive users.
Diagnosis
You have an LDAP configuration in Jira of CONNECTOR type.
You have disabled some users directly in LDAP. A disabled user will have the following value for the UserAccountControl attribute:
userAccountControl: 514
But, even after the LDAP synchronization, they are still showing up in Jira with inactive status:

Cause
By default, Jira applies an LDAP filter that does not filter those users out, even though they are disabled in LDAP.
Default LDAP filter for Microsoft Active Directory:
(&(objectCategory=Person)(sAMAccountName=*))
Solution
Resolution
You must change the LDAP filter if you want Jira to hide those users.
To change the filter, follow these steps:
Navigate to your LDAP directory at Administration > User Management > User Directories > Your LDAP > Edit
Expand the User Schema Settings section
Change the User Object Filter to:
(&(objectCategory=Person)(sAMAccountName=*)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Save your LDAP settings
Run the synchronization, so the changes can be reflected
You should notice that, using our previous example, one disabled user is gone, while the other is still being displayed, but now with a [ X ]:

This can happen when the remaining user has historic data in Jira: their data remains in the database, linked to their username. The [ X ] means that Jira was not able to find the user in LDAP because of the LDAP filter in place.
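The following Python sketch is an added example, not Atlassian's code. It emulates the bitwise-AND matching rule used in the new User Object Filter over constructed entries, and compares it with a hypothetical equality test on 514 to show why the bit test also catches disabled accounts that carry other flags. The entry values, function names and the simplified objectCategory comparison are assumptions made for illustration.

```python
# Added example: constructed entries, no LDAP server involved.
ACCOUNTDISABLE = 0x0002  # the "2" in ...803:=2

def bit_and_match(attr_value, operand):
    """LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): matches only
    when every bit set in operand is also set in the attribute value."""
    return (int(attr_value) & operand) == operand

def base_filter(entry):
    # (objectCategory=Person)(sAMAccountName=*). Simplified: objectCategory
    # is compared as a plain string, sAMAccountName=* is a presence test.
    return entry["objectCategory"] == "Person" and bool(entry.get("sAMAccountName"))

def article_filter(entry):
    # Base clauses plus (!(UserAccountControl:1.2.840.113556.1.4.803:=2))
    return base_filter(entry) and not bit_and_match(entry["userAccountControl"], ACCOUNTDISABLE)

def equality_filter(entry):
    # Hypothetical alternative for comparison: (!(userAccountControl=514))
    return base_filter(entry) and int(entry["userAccountControl"]) != 514

def visible_users(entries, ldap_filter):
    # Names of the entries a synchronization with this filter would return.
    return [e["sAMAccountName"] for e in entries if ldap_filter(e)]

# Constructed sample entries (not from a real directory).
SAMPLE = [
    {"sAMAccountName": "alice", "objectCategory": "Person", "userAccountControl": "512"},    # normal account
    {"sAMAccountName": "bob", "objectCategory": "Person", "userAccountControl": "514"},      # 512 + 2, disabled
    {"sAMAccountName": "carol", "objectCategory": "Person", "userAccountControl": "66048"},  # 512 + 65536
    {"sAMAccountName": "dave", "objectCategory": "Person", "userAccountControl": "66050"},   # 66048 + 2, disabled
    {"sAMAccountName": "HOST1$", "objectCategory": "Computer", "userAccountControl": "4096"},
]

if __name__ == "__main__":
    print("article filter :", visible_users(SAMPLE, article_filter))
    print("equality on 514:", visible_users(SAMPLE, equality_filter))
```

With the article's filter only alice and carol remain; an equality test on 514 would still return dave, whose value 66050 has the disabled bit set alongside another flag.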