Switching authentication type from LDAP to internal delegated LDAP

Max Vorobiev October 15, 2014

Dear experts,

We've got a production Stash server set up to authorize users via LDAP. The registration is as easy as logging in for the first time. But such ease is already starting to impact our license count.

So it was decided to restrict this by switching to another authentication method - delegated LDAP on the same global directory.

But there are lots (hundreds) of registered users already, all of them having certain access permissions.

What would be the most correct and least painful way of changing the authentication method? My biggest concern is to keep the list of current users with all their settings, i.e. they should under no circumstances be "forgotten" by the server.

Thank you in advance.

Answer accepted
Michael Heemskerk
Atlassian Team
October 17, 2014

Hi Max,

The safest way is to create a new user directory using delegated LDAP and disabling, but not deleting your old directory. This will prevent the existing users from being marked as deleted, retain all existing settings and still stop the directory from synchronizing new users.

The steps:

  1. Optional: Create a sysadmin user in the internal user directory so you can always log in as a sysadmin if things go wrong.
  2. Take a backup of the system before you begin.
  3. Set up your new user directory based on delegated LDAP authentication.
  4. Change the order of your user directories to make the new delegated LDAP directory come before your old one.
  5. Disable the old user directory.
  6. Verify that things work as expected. Create a test user in LDAP and verify that you can log in to Stash as that user. Verify that existing users can still log in and that they have retained their permissions and SSH keys.
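Step 6 is easy to under-check by hand with hundreds of accounts. The following script is an added example, not part of the answer above or of Stash itself: it snapshots users, their global permissions and SSH key counts before the directory switch and diffs the snapshot taken afterwards. The host name and the REST endpoints (`/rest/api/1.0/admin/users`, `/rest/api/1.0/admin/permissions/users`, `/rest/ssh/1.0/keys`) are assumptions to check against your Stash version; the sample snapshots at the bottom are constructed.

```python
import json
import urllib.request

# Hypothetical host; endpoints below are assumed and should be checked against your Stash version.
BASE = "https://stash.example.com"

def fetch_paged(path, auth_header):
    """Page through a Stash REST collection (values / isLastPage / nextPageStart)."""
    start, values = 0, []
    while True:
        req = urllib.request.Request(f"{BASE}{path}&start={start}",
                                     headers={"Authorization": auth_header})
        page = json.load(urllib.request.urlopen(req))
        values.extend(page["values"])
        if page.get("isLastPage", True):
            return values
        start = page["nextPageStart"]

def snapshot(auth_header):
    """Map user name -> {global permissions, number of SSH keys}; run once before and once after."""
    users = fetch_paged("/rest/api/1.0/admin/users?limit=100", auth_header)
    perms = fetch_paged("/rest/api/1.0/admin/permissions/users?limit=100", auth_header)
    snap = {u["name"]: {"perms": set(), "keys": 0} for u in users}
    for p in perms:
        snap.setdefault(p["user"]["name"], {"perms": set(), "keys": 0})["perms"].add(p["permission"])
    for name in snap:
        snap[name]["keys"] = len(fetch_paged(f"/rest/ssh/1.0/keys?user={name}&limit=100", auth_header))
    return snap

def diff_snapshots(before, after):
    """Report exactly what step 6 asks for: users gone, permissions dropped, SSH keys lost."""
    problems = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            problems.append(f"{name}: missing after switch")
            continue
        lost = old["perms"] - new["perms"]
        if lost:
            problems.append(f"{name}: lost permissions {sorted(lost)}")
        if new["keys"] < old["keys"]:
            problems.append(f"{name}: SSH keys {old['keys']} -> {new['keys']}")
    return problems

# Constructed sample snapshots (not captured from a real server); bob lost everything.
BEFORE = {"alice": {"perms": {"ADMIN"}, "keys": 2}, "bob": {"perms": {"LICENSED_USER"}, "keys": 1}}
AFTER = {"alice": {"perms": {"ADMIN"}, "keys": 2}, "bob": {"perms": set(), "keys": 0}}

if __name__ == "__main__":
    for line in diff_snapshots(BEFORE, AFTER):
        print(line)
```

An empty list from `diff_snapshots` means every pre-switch account, permission and key survived; run it with `snapshot()` on both sides once the directory order and disabling are done.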


Max Vorobiev October 27, 2014

Michael, when I disable the "old" directory, all users from it just disappear from the users list, and I'm afraid they should be all created in Stash anew if I want them authenticated via the delegated LDAP. This isn't what I expected. Just to clarify: the LDAP directory is one and the same in both cases (the "old" pure LDAP and the "new" delegated LDAP), so I would expect Stash to somehow take over the existing accounts and just authorize them via LDAP. However, if I leave them both - even with the "new" above the "old" in the list - users just keep on self-registering as before.

Max Vorobiev October 22, 2014

Hi Michael,

Thank you for the detailed instruction!
