Stash Active Directory Multiple Domains and domain prefixes

Andrew DesLauriers August 5, 2014

We are trying to configure Stash with Active Directory.

We have domain1\joe and domain2\fred

User joe can connect with 'joe', but cannot connect with domain1\joe.

User fred cannot connect at all (user not found).

I've been working with our Active Directory administrator and we have tried everything we can with no luck. Any ideas why we're stuck in one domain and can't use domain\user?

1 answer, 1 accepted

Answer accepted
Tiago Comasseto
Rising Star
August 5, 2014

Hi Andrew, just checking if I understood it right: you're using domain1\joe as the username in the login screen, is that right? If so, Stash wasn't designed to work this way.

You should insert only the username of the user in the username field, and in case you have multiple domains, you can either configure one directory pointing to the root domain (e.g.: dc=example,dc=com) or multiple directories, each one pointing to a single sub domain (e.g.: dc=sub1,dc=example,dc=com).

I hope it helps.

Cheers

Andrew DesLauriers August 6, 2014

No luck so far getting it to authenticate against another domain.

Even if we are able to add the additional domains, we will have too many duplicate user ids. The domain prefix is a necessity.
It would be preferable if we did not have to modify Stash after adding a domain in the future.

Are there any plans at Atlassian to support ldap authentication using the standard domain\user format? We may not be able to use Stash without it.

Tiago Comasseto
August 6, 2014

Hi Andrew, as far as I'm aware we don't have plans to change the way our products integrate with LDAP, and it's mainly because the way it currently works fits pretty much all scenarios.

It's possible that we can find a configuration that works for you, but it'll depend on the topology of your directory service. The most common AD topologies are:

  • (a) 1 domain (e.g.: dc=example,dc=com) with more than 1 domain controller. All the domain controllers hold the same data because data is replicated between DCs.
  • (b) Multiple domains in 1 tree (1 root = dc=example,dc=com) which may have more than 1 sub-domain (e.g.: dc=sub1,dc=example,dc=com, dc=sub2,dc=example,dc=com, etc.). This will have more than 1 domain controller.
  • (c) Multiple domains with more than 1 tree in the same forest, or even multiple forests. I think it's very rare. (e.g.: dc=sub1,dc=exampleA,dc=com, dc=sub2,dc=exampleB,dc=com, etc.)

Can you tell us which one you're using?

Cheers

Andrew DesLauriers August 6, 2014

We are using option C. We have a two-way transitive trust with corporate headquarters, but as we were an acquisition we've maintained our own separate AD forest and domain.

We have user accounts from corporate in domain local groups here in our domain, and they are allowed to authenticate and access resources that exist here. In Stash all user accounts and groups were imported, but when I look in the domain local group it shows it as being empty; the accounts from the mothership don't exist according to Stash.

So how do we authenticate in Stash using a domain trust, or can we?

Tiago Comasseto
August 7, 2014

I believe one thing you could try is to create an LDAP directory in Stash for each one of your root forest domains (e.g.: dc=exampleA,dc=com, dc=exampleB,dc=com, etc.), then you point the directories to your Global Catalog (3268). This is read-only, but it contains all users, groups, and memberships from across your forest.
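To make the two points of this thread concrete, here is an added example (not Stash or Atlassian code, and not anything the answerers posted) that models what a multi-directory setup has to do: map a login name onto the per-domain directories (plain LDAP on 389 per sub-domain, or the Global Catalog on 3268 per forest root, as suggested above), and deal with Andrew's duplicate-user-id concern by refusing a bare username that matches in more than one domain rather than silently picking the first hit. The hosts, base DNs and accounts are constructed sample data, the `Directory.search` method is a stand-in for a real LDAP search, and the RFC 4515 filter escaping is a general good practice for any code that builds filters from user input, not something the thread discusses.

```python
# Added example (not Stash/Atlassian code): how login names map onto per-domain
# LDAP directories, and why dropping the DOMAIN\ prefix is unsafe when
# sAMAccountNames collide across domains. All hosts, DNs and accounts below are
# constructed sample data.
from __future__ import annotations

import re
from dataclasses import dataclass

LDAP_PORT = 389             # per-domain LDAP (directory base = that domain's DN)
GLOBAL_CATALOG_PORT = 3268  # read-only, forest-wide view of users, groups, memberships


def dns_to_base_dn(dns_name: str) -> str:
    """'sub1.example.com' -> 'dc=sub1,dc=example,dc=com'."""
    return ",".join(f"dc={label}" for label in dns_name.lower().split("."))


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the structure of the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def user_filter(sam_account_name: str) -> str:
    """Search filter for one account; the value is escaped, never interpolated raw."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter(sam_account_name)}))"


def split_login(login: str) -> tuple[str | None, str]:
    """'DOMAIN1\\joe' -> ('DOMAIN1', 'joe'); bare 'joe' -> (None, 'joe')."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return domain.upper(), user
    return None, login


@dataclass
class Directory:
    netbios: str            # NetBIOS name that a DOMAIN\ prefix refers to
    host: str
    port: int
    base_dn: str
    entries: dict[str, str]  # constructed stand-in for search results: sAMAccountName -> DN

    def search(self, sam_account_name: str) -> list[str]:
        """Simulates a subtree search under base_dn with user_filter(); returns DNs."""
        dn = self.entries.get(sam_account_name.lower())
        return [dn] if dn else []


class AmbiguousUser(Exception):
    """A bare username matched accounts in more than one directory."""


def resolve(login: str, directories: list[Directory]) -> str | None:
    """Return the DN for a login, or None if no directory knows the user.

    With a DOMAIN\\ prefix only that domain's directory is searched. Without one,
    every directory is searched and a collision is refused: picking the first
    match would authenticate the caller as whichever domain's account came first.
    """
    domain, user = split_login(login)
    candidates = [d for d in directories if domain is None or d.netbios == domain]
    hits = [dn for d in candidates for dn in d.search(user)]
    if len(hits) > 1:
        raise AmbiguousUser(f"{user!r} matches {len(hits)} accounts: {hits}")
    return hits[0] if hits else None


def global_catalog_directory(netbios: str, forest_root_dns: str, host: str) -> Directory:
    """One directory per forest root, pointed at the Global Catalog port (option (c))."""
    return Directory(netbios, host, GLOBAL_CATALOG_PORT, dns_to_base_dn(forest_root_dns), {})


# Constructed sample data: two domains that both contain an 'admin' account.
DIRECTORIES = [
    Directory("DOMAIN1", "dc1.domain1.example", LDAP_PORT, dns_to_base_dn("domain1.example"),
              {"joe": "CN=joe,CN=Users,DC=domain1,DC=example",
               "admin": "CN=admin,CN=Users,DC=domain1,DC=example"}),
    Directory("DOMAIN2", "dc1.domain2.example", LDAP_PORT, dns_to_base_dn("domain2.example"),
              {"fred": "CN=fred,CN=Users,DC=domain2,DC=example",
               "admin": "CN=admin,CN=Users,DC=domain2,DC=example"}),
]

if __name__ == "__main__":
    print(resolve("joe", DIRECTORIES))             # found in DOMAIN1 only
    print(resolve("DOMAIN2\\fred", DIRECTORIES))   # prefix selects the directory
    try:
        resolve("admin", DIRECTORIES)              # bare name, present in both domains
    except AmbiguousUser as exc:
        print("refused:", exc)
    print(user_filter("jo*)(cn=*"))                # metacharacters are escaped
```

The point the model makes about the thread's topologies: with one directory per sub-domain (option (b)) a bare username is only safe when it is unique across all of them, and the Global Catalog approach for option (c) does not remove that requirement either, since each forest root still has its own namespace.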

Matthew Sandoz April 7, 2015

We have B) - how do we configure that? AMER.CORP.LOCAL vs AMEA.CORP.LOCAL etc... also our groups are all in AMER.CORP.LOCAL but refer to people in the various domains...

Cristian Coleasa September 6, 2015

Option C here: with groups from one domain containing users from a different forest. Groups in Stash don't show the users which are not from the same domain as the parent group.
