
CROWD with Active Directory

Tech.Kid1961@verizon.net October 28, 2016

Hello

I have a JIRA Crowd installation with Crowd: JIRA, Confluence, Bitbucket, Bamboo, FishEye, Crucible, on Server 2008 R2. Users log on to Active Directory, then the web interface to JIRA, and use another name and password to authenticate to Confluence, Bitbucket, Bamboo, FishEye, Crucible.

How do I set up Crowd with Active Directory to have the Active Directory user name and password use the Crowd applications?

Is there a way that this will log Confluence, Bitbucket, Bamboo, FishEye, Crucible in the Server 2008 R2 Event Logs?

I don't need SSL

Thanks

T

 

 

4 answers

0 votes
Tech.Kid1961@verizon.net October 30, 2016

Hello, I am headed into work to try this,

 

Re-reading your responses, I am looking for staff to log in to Active Directory (obviously authenticating with a user name and password), then access Confluence, Bitbucket, Bamboo, JIRA with their Windows Authentication, and not have to re-enter a second JIRA / Atlassian user name and password.

Adding any type of Active Directory LDAP connection will not do this alone, I need to:

 

1. Create the groups in AD and add users

   "bitbucket-users"
   "bitbucket-administrators"
   "bamboo-users"
   "bamboo-administrators"
   "confluence-users"
   "confluence-administrators"

   Enabling SSO at the Atlassian JIRA Server

2. And get the IWAAC Kerberos SSO add-on

3. Then Crowd -> Active Directory and IWAAC -> Active Directory

 

Thank you sir

T

 

 

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 30, 2016

You're welcome!

More precisely I would say

  1. Create the AD groups you need for your Atlassian applications (and obviously add the required users)
  2. Install Crowd (if not already done). In Crowd, add a Directory using LDAP Directory Connector and make it point to your Active Directory. Still in Crowd, add all your Atlassian applications. For each application, select the Directory you just created and map the required AD user groups (e.g. not all users can access Bamboo, only users belonging to "bamboo-users" etc.)
  3. Now leave Crowd's console and configure each application to use Crowd for user management. Also enable Crowd SSO in the application's configuration file.

    Now, you should have Web SSO between your Atlassian applications. That means that users have to enter their username and password on the login form of the first application they access. Then, they can browse to any other Atlassian application without entering a username and password again. Make sure that everything works as expected before going on.

  4. Now, you can actually install the IWAAC plugin on each of your applications to get Integrated Windows Authentication (which means that users won't have to enter any username and password for Atlassian applications once they open a Windows session).

For steps 1 to 3, I suggest that you follow Atlassian's instructions for Crowd integration.

For step 4, please follow the instructions at https://www.cleito.com/products/iwaac/documentation/

We (at Cleito) will also be happy to assist you if you need help. Please contact us at support@cleito.com

 

Reneesh Kottakkalathil
December 19, 2018

Thank you Bruno. Just checking: has anything changed with the above steps with recent versions of Crowd?

Bruno Vincent
December 26, 2018

Hi @Reneesh Kottakkalathil

No, as of today nothing has changed 😊

Reneesh Kottakkalathil
January 22, 2019

Hi @Bruno Vincent

 

How can we create a filter so we don't sync all of Active Directory into Crowd and just sync the groups, for example "bitbucket-users" and "bitbucket-administrators"?

Bruno Vincent
January 22, 2019

Hi @Reneesh Kottakkalathil

My understanding is that you only want to see the "bitbucket-users" and "bitbucket-administrators" groups in the Groups tab of your Active Directory connector in Crowd.

You just need to set the following filter in the Group object filter field of the Configuration tab:

(&(objectCategory=Group)(|(cn=bitbucket-users)(cn=bitbucket-administrators)))
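
Added example, not part of the original thread and not Crowd's or Active Directory's own code: a sketch that builds the Group object filter above from an allowlist of group names, escaping each name per RFC 4515 so a stray `(`, `)` or `*` in a name cannot widen the sync scope, then evaluates the filter against constructed entries. The function names, the sample entries and the small equality-only evaluator (standing in for the directory server, with `objectCategory` simplified to its short name) are assumptions.

```python
import re
# RFC 4515: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def group_filter(names):
    """Build a Group object filter that matches only the named groups."""
    if not names:
        raise ValueError("refusing to build a filter from an empty allowlist")
    terms = "".join(
        "(cn=" + "".join(_ESCAPES.get(c, c) for c in n) + ")" for n in names)
    return "(&(objectCategory=Group)(|" + terms + "))"

def parse(flt):
    """Parse the filter subset used here: '&', '|' and attr=value equality."""
    pos = 0
    def node():
        nonlocal pos
        pos += 1                          # consume '('
        if flt[pos] in "&|":
            op, kids = flt[pos], []
            pos += 1
            while flt[pos] == "(":
                kids.append(node())
            pos += 1                      # consume ')'
            return (op, kids)
        end = flt.index(")", pos)         # an escaped ')' is \29, never raw
        attr, _, raw = flt[pos:end].partition("=")
        pos = end + 1
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), raw)
        return ("=", attr.lower(), value.lower())
    tree = node()
    if pos != len(flt):
        raise ValueError("trailing data after filter")
    return tree

def matches(tree, entry):
    if tree[0] in "&|":
        combine = all if tree[0] == "&" else any
        return combine(matches(kid, entry) for kid in tree[1])
    return tree[2] in (v.lower() for v in entry.get(tree[1], []))

# Constructed sample entries (attribute names lower-cased); not real data.
SAMPLE = [{"cn": [cn], "objectcategory": [cat]} for cn, cat in [
    ("bitbucket-users", "Group"), ("bitbucket-administrators", "Group"),
    ("Domain Admins", "Group"), ("bitbucket-users", "Person")]]

def synced(names, directory=SAMPLE):
    tree = parse(group_filter(names))
    return [e["cn"][0] for e in directory if matches(tree, e)]
```
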
Reneesh Kottakkalathil
January 22, 2019

Excellent! That worked. I've to click on synchronise on Crowd and Bitbucket directories to take immediate effect.

I guess creating such filters with only the required groups is a good practice. Please let me know your thoughts on this.

0 votes
Tech.Kid1961@verizon.net October 29, 2016

One last question, if I may.

Can you assign rights with this? If you wanted some user to have Read only with Bamboo, and one user to have Write with Bitbucket, can you do that?

I guess what I am asking is how do you set up SSO rights in AD (I assume with GPO) and have those rights in Atlassian?

 

Thanks

T,

 

Bruno Vincent
October 29, 2016

Yes, you can assign rights but it does not work the way you think.

Let's suppose you have Active Directory groups such as "bamboo-users", "bamboo-administrators", "bitbucket-users" and "bitbucket-administrators". You can configure Crowd so that only users who belong to the "bamboo-users" group will be able to log onto Bamboo, even if they previously got a Crowd SSO cookie when authenticating on Bitbucket.

You set up fine-grained rights such as the ones you mentioned in the applications themselves (e.g. read rights for "bamboo-users", read/write rights for "bamboo-administrators").

0 votes
Tech.Kid1961@verizon.net October 29, 2016

Thank you very much, the team was looking to have SSO and this looks like it is it,

Thank you again,

Sincerely,

T

 

0 votes
Bruno Vincent
October 28, 2016

Hi,

If you want Web SSO between your Atlassian applications (which means users log onto the Web interface of - let's say - JIRA and then are not asked to authenticate again on Confluence, Bitbucket etc.), you will need these applications to connect to a standalone Crowd server for user management (when reading your question, I thought you might be talking about Crowd embedded in Jira, which does not provide Web SSO).

Once done, if you still don't get Web SSO, that's probably because you forgot to enable SSO in the corresponding configuration file (seraph-config.xml for most applications). Please take a look at the following pages:

In addition, if you want "full" Windows desktop SSO (which means that your users log onto Windows and then can use Atlassian applications without being asked any username and password), you will need to get the following add-on: IWAAC Kerberos SSO

(Disclaimer: I work for the plugin's vendor)

You can see IWAAC in action in the following video:

https://youtube.com/watch?v=MPmx9ATD1wg

Finally, to answer your last question, you can obviously follow LDAP (Crowd -> Active Directory) and Kerberos (IWAAC -> Active Directory) events in the Event Logs of your AD domain controller.

Bruno

 
