Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Delegated Crowd directory without LDAP Group

Ansar Rezaei
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 2, 2016

Hi

1- I'm new to crowd. We have lots of group in LDAP directory that uses for OS security group and I don't want to use them in Atlassian applications. I create a LDAP connector that bring every users and groups from Microsoft LDAP and I create a Delegated Directory in order to import users from LDAP to  I need to have a Delegated LDAP Directory in crowd without that groups. Is it possible to change the configuration of Crowd Directory to achieve this?
2- If I have new users in LDAP directory, How I can sync them with Delegated directory?

 

Thanks For your answers.

1 answer

1 accepted

1 vote
Answer accepted
Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 4, 2016

Hi Ansar,

If your main concern is not to import the AD groups in Crowd, you actually have two options.

1st option: Create a (single) LDAP connector directory and edit the group object filter in the configuration tab so as to fetch only Atlassian applications groups

2nd option: Create a (single) Delegated authentication directory and then manage your Atlassian applications groups locally in this Crowd directory. You do not need manual synchronisation for new AD users. As detailed in the documentation:

If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory

 

Ansar Rezaei
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 5, 2016

Hi Bruno
Thanks for your comment.

I don't familiar with crowd and Active Directories and I do this job according to my role in organization as JIRA Administrator. Which value should I provide in group object filter in order?

 

For your 2nd option I follow that instruction but It brings all of groups in Active Directory.
Please provide more detailed answers, as I say I'm new to crowd.

Thank you very much

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 6, 2016

Hi Ansar,

1st option: you have to enter an LDAP filter as detailed on this page: https://confluence.atlassian.com/display/CROWD/Restricting+LDAP+Scope+for+User+and+Group+Search

For instance, if you enter the following value, you will only get the AD groups whose name starts with jira:

(&(objectCategory=Group)(cn=jira*))

 

2nd option: That's because you created an LDAP connector directory in addition to the Delegated Authentication directory. You just need one single directory (the Delegated Authentication one). If you do not want anything related to AD groups in this directory, please also disable Synchronise group memberships in the connector tab.

Ansar Rezaei
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 6, 2016

Hi Bruno
Thanks for your help

I try first option and it work for me.

But I didn't understand 2nd Option, I have a Microsoft Active Directory in our organization, If I define a delegated connector, how I can import Active Directory users without defining and LDAP Connector in Crowd?

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 7, 2016

Hi Ansar,

That's what I was explaining in my first post. You do not need to import users manually as they will be automatically added by Crowd upon successful authentication:

If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory

Ansar Rezaei
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 7, 2016

Hi

I do that, but I didn't see any user in Delegated directory even it's connector setup correctly. If I didn't see the users, I can't manage groups and permissions in JIRA and Confluence.
I repeat that I'm so sorry, If I'm not clear with your comment, as I said I didn't use crowd before. If you can please explain more about group and users while using delegated directory, any way I accept your answer and Thanks for your help.

Ansar Rezaei
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 7, 2016

So I now understand. I authenticate my user in an application connector (see screenshot) and after that I see my user in new Delegated LDAP directory.

Last ambiguity is this sentence,"If a user logs in successfully via LDAP authentication", where the user should authenticate in order to show in Delegated directory list, I try my user with Windows log on authentication but I didn't see my user in crowd after that, but "Authentication Test" in application part of Crowd work for me according to attached screenshot

crowd.JPG

Bruno Vincent
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 7, 2016

Hi Ansar,

That's right, you have to authenticate on your application, for instance Jira.

You might also want to be aware of a bug that has not been fixed yet by Atlassian in JIRA https://jira.atlassian.com/browse/JRA-39085 and Confluence https://jira.atlassian.com/browse/CONF-23957 at the time of writing. For newly created users, you will actually need to login as an administrator in JIRA and Confluence and manually synchronise the local user database with the Crowd server. As far as I know you should not face the same issue in other Atlassian products.

Tom Lister
Contributor
January 11, 2017

Hi

i set Read Only with local groups but i still get groups imported.

I have hacked this by breaking the group search e.g. Group Object Filter = (objectCategory=xXxGroup)

horrible i know

What I would ideally like to do is to stop the LDAP search using LDAP groups lookups completely.

Tom Lister
Contributor
January 17, 2017

I have turned off the user membership attributes for our microsoft active directory and it does not appear to be performing all the group checks now

image2017-1-18 10:50:10.png

 

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events