Hey Joe,
NB: we have Crowd as in interim step between our applications and the user stores, so while the below is correct in our environment, I can only assume it will the same/close in your type of setup, but there is a chance it may just be different enough that the below won't apply.
The permissions required on the AD/LDAP service account you're connecting with depend on what you want to be able to control. We have a number of directories integrated but all they do is read from the AD's and LDAP's - so the accounts just need to be read only and based on the permissions set (in Crowd, we specify that directory doesn't allow user creation/etc). It pulls all the information into Crowd and changes MUST be made back at the source (AD/LDAP).
In 2 of our AD's, we have a group structure in AD that represents the permissions we want in the Atlassian applications, so we pull the users/groups/memberships straight through to the apps. We then use these groups in application licensing and global permissions.
The 2 x LDAP's have no group structure that relates to how we want to grant permissions in our Atlassian applications though, so we only pull through users (our LDAP filter for groups tries to match a random string that no group will ever meet, so we never get any groups). Once the users are in Crowd, on those directories, we allow local groups to be created for that directory so the groups sit in Crowd and we then put the users into the relevant groups.
Hopefully the above helps you get more insight into both of your questions - if you've still got questions (or if it makes 0 sense, it is Friday afternoon...) just yell out.
CCM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.