Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Switching authenticaiton type from LDAP to internal delegated LDAP

Max Vorobiev
Max Vorobiev October 15, 2014

Dear experts,

We've got a production Stash server set up to authorize users via LDAP. The registration is as easy as logging in for the first time. But such ease is already starting to impact our license count.

So it was decided to restrict this by switching to another authentication method - delegated LDAP on the same global directory.

But there are lots (hundreds) of registered users already, all of them having certain access permissions.

What would be the most correct and less painful way of changing the authentication method? My biggest concern is to keep the list of current users with all their settings, i.e. they should under no circumstances be "forgotten" by the server.

Thank you in advance.

Answer
Watch
Like Be the first to like this
527 views

2 answers

1 accepted

0 votes
Answer accepted
Michael Heemskerk
Michael Heemskerk
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 17, 2014

Hi Max,

The safest way is to create a new user directory using delegated LDAP and disabling, but not deleting your old directory. This will prevent the existing users from being marked as deleted, retain all existing settings and still stop the directory from synchronizing new users.

The steps:

  1. Optional: Create a sysadmin user in the internal user directory so you can always login as a sysadmin if things go wrong.
  2. Take a backup of the system before you begin
  3. Set up your new user directory based on delegated LDAP authentication
  4. Change the order of your user directories to make the new delegated LDAP directory come before your old one.
  5. Disable the old user directory.
  6. Verify that things work as expected. Create a test user in LDAP and verify that you can login to Stash as that user. Verify that existing users can still login and that they have retained their permissions and SSH keys.

 

View More Comments
Max Vorobiev
Max Vorobiev October 27, 2014

Michael, When I disable the "old" directory, all users from it just disappear from the users list, and I'm afraid they should be all created in Stash anew if I want them authenticated via the delegated LDAP. This isn't what I expected. Just to clarify: the LDAP directory is one and the same in the both cases (the "old" pure LDAP and "new" delegated LDAP), so I would expect Stash to somehow take over the existing accounts and just authorize them via LDAP. However if I leave them both - even with the "new" above the "old" in the list - users just keep on self-registering as before.

Like
Reply
0 votes
Max Vorobiev
Max Vorobiev October 22, 2014

Hi Michael,

Thank you for the detailed instruction!

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events