Delegated Crowd directory without LDAP Group

Hi

1- I'm new to Crowd. We have lots of groups in the LDAP directory that are used as OS security groups, and I don't want to use them in Atlassian applications. I created an LDAP connector that brings all users and groups from Microsoft LDAP, and I created a Delegated Directory in order to import users from LDAP to  I need to have a Delegated LDAP Directory in Crowd without those groups. Is it possible to change the configuration of the Crowd Directory to achieve this?
2- If I have new users in the LDAP directory, how can I sync them with the Delegated directory?

 

Thanks for your answers.

1 answer

1 accepted

1 vote
Bruno Vincent Community Champion Aug 04, 2016

Hi Ansar,

If your main concern is not to import the AD groups in Crowd, you actually have two options.

1st option: Create a (single) LDAP connector directory and edit the group object filter in the configuration tab so as to fetch only Atlassian applications groups

2nd option: Create a (single) Delegated authentication directory and then manage your Atlassian applications groups locally in this Crowd directory. You do not need manual synchronisation for new AD users. As detailed in the documentation:

If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory

 

Hi Bruno
Thanks for your comment.

I'm not familiar with Crowd and Active Directories, and I do this job according to my role in the organization as JIRA Administrator. Which value should I provide in the group object filter in order?

 

For your 2nd option, I followed that instruction, but it brings all of the groups in Active Directory.
Please provide more detailed answers; as I said, I'm new to Crowd.

Thank you very much

Bruno Vincent Community Champion Aug 06, 2016

Hi Ansar,

1st option: you have to enter an LDAP filter as detailed on this page: https://confluence.atlassian.com/display/CROWD/Restricting+LDAP+Scope+for+User+and+Group+Search

For instance, if you enter the following value, you will only get the AD groups whose name starts with jira:

(&(objectCategory=Group)(cn=jira*))

 

2nd option: That's because you created an LDAP connector directory in addition to the Delegated Authentication directory. You just need one single directory (the Delegated Authentication one). If you do not want anything related to AD groups in this directory, please also disable Synchronise group memberships in the connector tab.

Hi Bruno
Thanks for your help

I tried the first option and it works for me.

But I didn't understand the 2nd option. I have a Microsoft Active Directory in our organization. If I define a delegated connector, how can I import Active Directory users without defining an LDAP Connector in Crowd?

Bruno Vincent Community Champion Aug 07, 2016

Hi Ansar,

That's what I was explaining in my first post. You do not need to import users manually as they will be automatically added by Crowd upon successful authentication:

If a user logs in successfully via LDAP authentication but does not yet exist in Crowd, Crowd will automatically add them to the Delegated Authentication directory

Hi

I did that, but I didn't see any users in the Delegated directory even though its connector is set up correctly. If I don't see the users, I can't manage groups and permissions in JIRA and Confluence.
I repeat that I'm so sorry if I'm not clear on your comment; as I said, I haven't used Crowd before. If you can, please explain more about groups and users while using a delegated directory. Anyway, I accept your answer, and thanks for your help.

So I now understand. I authenticate my user in an application connector (see screenshot) and after that I see my user in the new Delegated LDAP directory.

The last ambiguity is this sentence: "If a user logs in successfully via LDAP authentication". Where should the user authenticate in order to show up in the Delegated directory list? I tried my user with Windows logon authentication, but I didn't see my user in Crowd after that, while "Authentication Test" in the application part of Crowd works for me according to the attached screenshot.

crowd.JPG

Bruno Vincent Community Champion Aug 07, 2016

Hi Ansar,

That's right, you have to authenticate on your application, for instance Jira.

You might also want to be aware of a bug that has not been fixed yet by Atlassian in JIRA https://jira.atlassian.com/browse/JRA-39085 and Confluence https://jira.atlassian.com/browse/CONF-23957 at the time of writing. For newly created users, you will actually need to log in as an administrator in JIRA and Confluence and manually synchronise the local user database with the Crowd server. As far as I know, you should not face the same issue in other Atlassian products.

Hi

I set Read Only with local groups but I still get groups imported.

I have hacked this by breaking the group search, e.g. Group Object Filter = (objectCategory=xXxGroup)

Horrible, I know.

What I would ideally like to do is to stop the LDAP search using LDAP group lookups completely.

I have turned off the user membership attributes for our Microsoft Active Directory and it does not appear to be performing all the group checks now.

image2017-1-18 10:50:10.png

 
