LDAP queries contain AD attribute 'PasswordNeverExpire'
Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
LDAP queries sent from Jira contain search parameters for users that do not have an expiration date.
Diagnosis
The following query operation appears in the atlassian-jira.log:
2023-08-17 08:3:47,337-0400 Caesium-1-4 DEBUG ServiceRunner [c.a.c.d.ldap.monitoring.TimedSupplier] Execute operation search with handler on baseDN: DC=XXX,DC=net, filter: (&(&(objectCategory=Person)(sAMAccountName=*))(|(accountExpires=0)(!(accountExpires=*))(accountExpires>=133367490588080000)))
Cause
When the LDAP configuration option Filter out expired users is enabled, Jira will search for users that are not expired, and for those who do not have an expiration date at all.
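The expiry clause of the logged filter can be decoded and replayed locally to see which accounts it lets through. The following is an added example, not Atlassian's code: the function names and sample accounts are constructed, and it assumes the standard Active Directory encoding of accountExpires (100-nanosecond intervals since 1601-01-01 UTC, with 0x7FFFFFFFFFFFFFFF as a second "never expires" value).

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # AD's other "never expires" value, besides 0

# Filter string copied from the atlassian-jira.log entry.
LOGGED_FILTER = (
    "(&(&(objectCategory=Person)(sAMAccountName=*))"
    "(|(accountExpires=0)(!(accountExpires=*))"
    "(accountExpires>=133367490588080000)))"
)

def expiry_cutoff(ldap_filter):
    """Extract the accountExpires>= threshold from the filter."""
    m = re.search(r"\(accountExpires>=(\d+)\)", ldap_filter)
    if m is None:
        raise ValueError("filter has no accountExpires>= clause")
    return int(m.group(1))

def filetime_to_utc(ticks):
    """Convert 100-ns intervals since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc, used to build the sample values."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def passes_expiry_clause(account_expires, cutoff):
    """Mirror the OR group; None means the attribute is absent."""
    if account_expires is None:       # (!(accountExpires=*))
        return True
    if account_expires == 0:          # (accountExpires=0)
        return True
    return account_expires >= cutoff  # (accountExpires>=cutoff)

# Constructed sample accounts, not taken from any real directory.
SAMPLE_ACCOUNTS = {
    "no-attribute": None,
    "never-zero": 0,
    "never-max": NEVER,
    "expired-jan-2023": utc_to_filetime(datetime(2023, 1, 1, tzinfo=timezone.utc)),
    "expires-jan-2024": utc_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc)),
}

def synced_users(accounts, ldap_filter=LOGGED_FILTER):
    """Names the expiry clause would let through for this filter."""
    cutoff = expiry_cutoff(ldap_filter)
    return [n for n, exp in accounts.items() if passes_expiry_clause(exp, cutoff)]
```

The cutoff in the logged filter decodes to 2023-08-17 12:30:58 UTC, which is the time of the query itself, so the third clause means "expires now or later" and also matches accounts stored with the maximum value.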
Solution
Resolution
Disable the Filter out expired users option:
Navigate to your LDAP directory at Administration > User Management > User Directories > Your LDAP > Edit
Untick Filter out expired Users under Advanced Settings
Save your LDAP settings
Disabling this option means Jira will synchronize users regardless of account expiration, which may result in additional users appearing in your Jira User Directories. These users will not be able to authenticate to Jira, however, because authentication will still be controlled by LDAP.