How to switch over Crowd to a different Delegated Authentication Directory?

Hello everyone!

We have the following situation:

We are using Crowd 2.6.5 connected to a Microsoft LDAP server for Delegated Authentication purposes. We have more than 10K users. We also have JIRA 5.1.8 and Confluence 5.1.4, both connected to Crowd for user management. Our company is moving to a new LDAP server where every user is going to have a new username but the same password and some new attributes.

I've been testing 2 options for making this change in our system, but in both of them I have to run some update queries in the database in order to preserve everyone's permissions and ticket references in JIRA and Confluence.

Option 1: Upgrade Crowd to version 2.7.0 and also update our JIRA to version 6.1.x and Confluence to version 5.4.x, as these are the versions that support username renaming. After upgrading, I go to Crowd and modify my current Delegated Authentication directory to input the new LDAP URL, Base DN, username and password to connect to that new LDAP server, and in the configuration tab I map the new username info and the attributes for first name, last name and email as well. Then I stop Crowd and go to the Crowd database to run an update query on the cwd_user table to change the user_name and lower_user_name values to the new username that each of our 10K+ users will have in the new LDAP server. Then I run another update query on the cwd_membership table to change the child_name and lower_child_name values to the new username of each user.

After doing that, I start up Crowd, JIRA and Confluence, log in to JIRA and Confluence using the administrator account of each tool, and run a manual directory synchronization. After the synchronization is done, I log out and log in using my new username, and I could keep all my permissions and ticket/issue history. Same thing for Confluence.

Option 2: Not doing an upgrade of the tools. I go to Crowd and modify my current Delegated Authentication directory to input the new LDAP URL, Base DN, username and password to connect to that new LDAP server, and in the configuration tab I map the new username info and the attributes for first name, last name and email as well. Then I stop Crowd and go to the Crowd database and run an update query on the cwd_user table to change the user_name and lower_user_name values to the new username that each of our 10K+ users will have in the new LDAP server. Then I run another update query on the cwd_membership table to change the child_name and lower_child_name values to the new username of each user. I repeat this update query in our JIRA database for the same tables (cwd_user and cwd_membership), and run the same update query in the Confluence database, but only on cwd_user, as the Confluence cwd_membership table doesn't have the child_name and lower_child_name columns.

After doing that, I start up Crowd, JIRA and Confluence, log in to JIRA and Confluence using the administrator account of each tool, and run a manual directory synchronization. After the synchronization is done, I log out and log in using my new username, and I could keep all my permissions but lost all references to previous issues or tickets, so this option is not worthwhile.

I'm wondering if there is a way to do this change without having to run update queries on the database. Can this be a new feature in a future version of Crowd?

Does anyone have another idea on how to address this situation?

Thanks in advance for your responses.

Regards,

Francis.
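The rename step that both options describe, written as an added example (not part of the original post and not Atlassian code): it applies an old-to-new username mapping to `cwd_user` and `cwd_membership` in one transaction and refuses a mapping that would give one person another account's group memberships. The SQLite schema is a constructed, reduced stand-in for the real tables; `parent_name`, the group names, the `ASmith` account and the function names are assumptions.

```python
import sqlite3

def rename_users(conn, mapping):
    """Rename users in cwd_user and cwd_membership in one transaction.

    mapping is {old_username: new_username}. Returns (renamed, unmapped);
    unmapped lists accounts left on an old name. Raises ValueError, changing
    nothing, if the mapping could merge two identities.
    """
    rows = [(new, new.lower(), old.lower()) for old, new in mapping.items()]
    targets = [r[1] for r in rows]
    if len(set(targets)) != len(targets):
        raise ValueError("two old usernames map to the same new username")
    existing = {r[0] for r in conn.execute("SELECT lower_user_name FROM cwd_user")}
    taken = sorted(set(targets) & existing)
    if taken:
        # Reusing a live name would hand its group memberships to someone else.
        raise ValueError(f"new usernames already in use: {taken}")
    with conn:  # commit on success, roll back if any statement fails
        cur = conn.executemany(
            "UPDATE cwd_user SET user_name = ?, lower_user_name = ? "
            "WHERE lower_user_name = ?", rows)
        renamed = cur.rowcount
        conn.executemany(
            "UPDATE cwd_membership SET child_name = ?, lower_child_name = ? "
            "WHERE lower_child_name = ?", rows)
    return renamed, sorted(existing - {r[2] for r in rows})

def demo_db():
    """Constructed sample rows; schema reduced to a few columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cwd_user (user_name TEXT, lower_user_name TEXT UNIQUE);
        CREATE TABLE cwd_membership (parent_name TEXT, child_name TEXT,
                                     lower_child_name TEXT);
        INSERT INTO cwd_user VALUES ('fvittini', 'fvittini'), ('ASmith', 'asmith');
        INSERT INTO cwd_membership VALUES
            ('jira-administrators', 'fvittini', 'fvittini'),
            ('jira-users', 'ASmith', 'asmith');
    """)
    return conn

if __name__ == "__main__":
    print(rename_users(demo_db(), {"fvittini": "s999999"}))
```

The returned `unmapped` list is the set of accounts that would still carry an old username after the directory switch, which is worth reviewing before restarting the applications.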

2 answers

1 accepted

Thanks, Andrew, for your response, but I don't think the Directory importer will work for me, because the issue is that every user in my user database will need to have a new username, because in the new LDAP server every user will now have a new username, for example "s999999" instead of "fvittini".

If I create a new directory connected to this new LDAP server and then import this new directory into my old one, the result will be new users added to my old directory, as Crowd won't have a way to merge the users that already exist in my old directory with the corresponding records of those users in the new directory.

As far as I've investigated, Option 1 that I mentioned in my question above is the only way to get the results I need. That is, to connect my Crowd app to that new LDAP server and keep all users' history of their previous username mapped to their new username.

Regards,

Francis.

Hi Francis,

You can use the Directory importer to migrate users from one directory to another.

You'll find this in the User menu then under import users.

Good luck!
