Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Creating Users in Stash with LDAP Authentication?

Justin Cooke
Justin Cooke March 10, 2015

Hi All,

I'm trying to connect our Stash 3.6.1 instance to the enterprise-wide ActiveDirectory system for user authentication with "Configure Internal with LDAP Authentication User Directory".  We're already using this same method with our JIRA and Confluence installations with no trouble.  However, the Stash implementation seems to be a bit less developed and I'm stuck when trying to get a user into Stash already existing in AD (my own AD account).

My main concern is the requirement to enter a password when creating a new user.  Unless I completely misunderstand, if I create a new Stash user with the "Delegated LDAP Authentication" User Directory listed as highest in the priority order, I'm simply allowing that user to login and the actual authentication will be delegated to LDAP.  However, the "Create User" dlg won't allow the emailed option and then forces you to create a password.  How does that make sense?

I read on this page: https://confluence.atlassian.com/display/STASH/Delegating+Stash+authentication+to+an+LDAP+directory "Move the delegated authentication directory to the top of the User Directories list and create the user manually (go to Administration > UsersCreate user). Using this manual method you must currently create a temporary password when creating users."  I tried that and entered a junk pwd.  However, I can't login using either that junk pwd or the real pwd for my AD account.

I also read through this: https://confluence.atlassian.com/display/STASHKB/Creating+new+users+fails+when+Delegated+LDAP+is+configured+with+Stash and that describes exactly what I'm experiencing.  However, that page seems to indicate that I ought to be able to login immediately with my newly added user using the true AD pwd (without ever using the temp/junk pwd I entered on creation).

I noticed that when creating new JIRA users in the LDAP directory, the pwd fields are disabled, as they should be.  Stash requires them.

If anyone has any advice on how LDAP authentication is supposed to work with Stash and how I can add my AD user account to Stash and login successfully, I'd appreciate it.  This seems much more complicated than it ought to be smile

Thanks!

Justin

Answer
Watch
Like Be the first to like this
1167 views

1 answer

0 votes
ThiagoBomfim
ThiagoBomfim
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 10, 2015

Hi Justin,

In regards to:

My main concern is the requirement to enter a password when creating a new user. Unless I completely misunderstand, if I create a new Stash user with the "Delegated LDAP Authentication" User Directory listed as highest in the priority order, I'm simply allowing that user to login and the actual authentication will be delegated to LDAP. However, the "Create User" dlg won't allow the emailed option and then forces you to create a password. How does that make sense?

Your logical thinking is perfect.

Let me reassure you that there are a fe known bugs at the moment causing the things you observed. The source of the the issues you described above with "Delegated LDAP" are originated on the following bug:

Which links you to another behaviour you described:

While STASH-3323 is not resolved (and it is dependent on a fix in the Embedded Crowd) we can't fix it in Stash. We're working on these fixes at the moment.

You've got it all figured out. The main issue for you is:

I tried that and entered a junk pwd.  However, I can't login using either that junk pwd or the real pwd for my AD account.

You should have been able to login with your real LDAP password as the password you used during creation time doesn't matter as you realised. Which error you get upon logging in? In addition to creating the user, did you also make sure the user is added to a group with minimum "Stash User" Global permission?

User accounts that have not been assigned "Stash User" permission or higher, either directly or through group membership, will not be able to log in to Stash. 

Another thing that could influence: what is configured in your "LDAP User Filter"? If the filter there doesn't encompass the right hierarchy in your LDAP tree, this user will never be able to login.

Did you also have a look at your atlassian-stash.log to see if any error comes up?

I hope these ideas help! smile

Best,
Thiago

View More Comments
Justin Cooke
Justin Cooke March 13, 2015

Thanks for the help, Thiago. No problem at all on the somewhat odd issues with requiring a pwd for the LDAP-authenticated accounts. As long as it works and we can login, we can workaround that. However, we still can't get the logins to work through LDAP delegated authentication. So, I create the user in Stash with a junk pwd and then try logging in with my real AD credentials. I get the standard: "Invalid username or password." (and I can also see this in the atlassian-stash-audit.log). From the atlassian-stash.log (with DEBUG logging enabled): Authentication for com.atlassian.stash.stash-authentication:crowdHttpAuthHandler failed - Bad credentials Yes, this new user was granted full "System Admin" rights under Global Permissions. And to reiterate, we are using these exact same settings successfully with our JIRA installation. Unless I missed it, there's no option to set an "LDAP User Filter" when configuring an "Internal with LDAP Authentication" user directory. I beleive that only appears when choosing the more complicated "LDAP" and "Microsoft Active Directory" user directories. Thanks! Justin Here are the verbose details from the log at the time of failed login (in case any of this helps): 2015-03-13 13:59:12,899 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider attempting authentication with authenticator com.atlassian.stash.stash-auth-crowd-sso:crowdSsoAuthHandler 2015-03-13 13:59:12,910 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.p.a.c.i.CrowdSsoAuthenticationHandler Skipping Crowd SSO as it is not enabled 2015-03-13 13:59:12,911 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider attempting authentication with authenticator com.atlassian.stash.stash-authentication:crowdHttpAuthHandler 2015-03-13 13:59:12,911 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.user.DefaultUserService Authenticating user: jcooke9 2015-03-13 13:59:12,955 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.l.DefaultLicensedUserCountCache User (name=jcooke9) was updated. repopulating license cache. 2015-03-13 13:59:12,978 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Authentication for com.atlassian.stash.stash-authentication:crowdHttpAuthHandler failed - Bad credentials 2015-03-13 13:59:12,979 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - delegating to com.atlassian.stash.rest.auth.RestAuthenticationFailureHandler 2015-03-13 13:59:12,979 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - delegating to com.atlassian.stash.internal.auth.ScmAuthenticationFailureHandler 2015-03-13 13:59:12,979 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - delegating to com.atlassian.stash.internal.auth.BasicAuthChallengeFailureHandler 2015-03-13 13:59:12,979 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - delegating to com.atlassian.stash.internal.auth.RedirectingAuthenticationFailureHandler 2015-03-13 13:59:12,979 DEBUG [http-nio-10.16.198.79-80-exec-10] @Z3NS0Mx839x17559x0 10.252.40.61 "POST /j_stash_security_check HTTP/1.1" c.a.s.i.a.PluginHttpAuthenticationFailureHandler onAuthenticationFailure - com.atlassian.stash.internal.auth.RedirectingAuthenticationFailureHandler handled authentication failure

Like
ThiagoBomfim
ThiagoBomfim
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 15, 2015

Hi Justin, From "So, I create the user in Stash with a junk pwd and then try logging in with my real AD credentials. I get the standard: "Invalid username or password." (and I can also see this in the atlassian-stash-audit.log). From the atlassian-stash.log (with DEBUG logging enabled): Authentication for com.atlassian.stash.stash-authentication:crowdHttpAuthHandler failed - Bad credentials" Sorry to ask you that, but it sounds like you're not going with the right credentials. Sorry to ask you this, but did you try seeing if there is an autocomplete in your browser interfering with password?

Like
ThiagoBomfim
ThiagoBomfim
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 15, 2015

As to "Unless I missed it, there's no option to set an "LDAP User Filter" when configuring an "Internal with LDAP Authentication" user directory. I beleive that only appears when choosing the more complicated "LDAP" and "Microsoft Active Directory" user directories." You're partially right. You'd only be able to see the the "User Object Filter" if you chose "Copy user on Login". So I would focus on the "Base DN" and making sure it is not a "too narrow" one.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events