
Will permissions change if we switch from internal to external directory

Rex Core February 6, 2013

We may not have our LDAP server ready when we bring up our Stash server, so we were wondering if the project and repository permissions will remain the same when we switch from internal user accounts to LDAP authenticated accounts, external directory.

Thanks,

Rex

2 answers

1 accepted

0 votes
Answer accepted
seb
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 6, 2013

Hi Rex,

I am not sure that this will work with Stash. Stash references users by their primary key in the database (an integer) and not by the username (which may be what JIRA does).

As such, creating a user "rex" internally may have the user id 1, but when you switch to your LDAP backed user source the user "rex" may end up with id 400. As such, permissions will not be preserved.

I will have to investigate this more and look into our implementation or try it out.

Seb

Rex Core February 6, 2013

Thanks, Seb and Daniel,

That was our exact concern, so I appreciate the information. We may do a live prototype with the 10 user license, in which case it wouldn't be as painful if we had to export/modify/import user/group and permission information, or even recreate it all by hand.

I sure appreciate your answers.

Rex

Rex Core February 10, 2013

Seb,

I think we will use local user/group accounts, then add LDAP for authentication only. We will continue to use Stash to administer user accounts.

Thanks for your help.
Rex

1 vote
dleng
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
February 6, 2013

When you mention "LDAP Authenticated Accounts - external Directory", you mean using a Directory Connector, yes?

Permissions are tied to groups, and if those groups are created in the internal directory (locally), then you have to make sure you recreate them either inside your LDAP itself, or set the LDAP permissions to *Read only, with local groups* and then recreate the groups in JIRA.

A simpler way would be to use Internal Directory With Delegated LDAP Authentication, then you will be able to copy your existing groups from the internal directory to the Internal Directory using Delegated Auth.
https://confluence.atlassian.com/display/JIRAKB/Migrate+Local+Group+Memberships+Between+Directories

Rex Core February 6, 2013

Thanks, Daniel,

We will probably use the LDAP Directory Connector and "Read only, with local groups", then I'll have to recreate the groups as you suggested.

I appreciate the quick answer!

Rex

dleng
Rising Star
February 6, 2013

Hello Rex,

Note that you will also have to manually re-add your users to those groups!

dleng
Rising Star
February 6, 2013

Hi Rex,

I think I might have worded it a bit too plainly. If you are using "Read only, with local groups", then the groups already previously created in your internal directory can be used, and you must assign your LDAP users to those groups. Here is the paragraph from the documentation:

Read Only, with Local Groups

LDAP users, groups and memberships are retrieved from your directory server and can only be modified via your directory server. You cannot modify LDAP users, groups or memberships via the application administration screens. However, you can add groups to the internal directory and add LDAP users to those groups.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory

Additionally, you can set the option to automatically add users to local groups when they log in, such as the all-important jira-users group.

seb
Atlassian Team
February 6, 2013

Hi Daniel,

Rex is currently asking about connecting Stash with LDAP, so I am not sure if your JIRA documentation links are actually relevant. Have you checked in Stash?

Cheers,

Seb
