How to switch over Crowd to a different Delegated Authentication Directory?

Francis Vittini January 26, 2014

Hello everyone!

We have the following situation:

We are using Crowd 2.6.5 connected to a Microsoft LDAP server for Delegated Authentication purposes. We have more than 10K users. We also have JIRA 5.1.8 and Confluence 5.1.4, both connected to Crowd for user management. Our company is moving to a new LDAP server where every user is going to have a new username but the same password and some new attributes.

I've been testing 2 options for how to make this change in our system, but in both of them I have to run some update queries in the database in order to preserve everyone's permissions and ticket references in JIRA and Confluence.

Option 1: Upgrade Crowd to version 2.7.0 and also update our JIRA to version 6.1.x and Confluence to version 5.4.x, as these are the versions that support username renaming. After upgrading, I go to Crowd and modify my current Delegated Authentication Directory to input the new LDAP URL, Base DN, username and password to connect to that new LDAP server, and in the configuration tab I map the new username info and the attributes for first name, last name and email as well. Then I stop Crowd and go to the Crowd database to run an update query on the cwd_user table to change the user_name and lower_user_name values to the new username that each of our 10k+ users will have in the new LDAP server. Then I run another update query on the cwd_membership table to change the child_name and lower_child_name values to the new username of each user.

After doing that, I start up Crowd, JIRA and Confluence, log in to JIRA and Confluence using the administrator account of each tool, and run a manual directory synchronization. After the synchronization is done, I log out and log in using my new username, and I could keep all my permissions and ticket/issue history. Same thing for Confluence.

Option 2: Not doing an upgrade of the tools. Go to Crowd and modify my current Delegated Authentication Directory to input the new LDAP URL, Base DN, username and password to connect to that new LDAP server, and in the configuration tab I map the new username info and the attributes for first name, last name and email as well. Then I stop Crowd and go to the Crowd database and run an update query on the cwd_user table to change the user_name and lower_user_name values to the new username that each of our 10k+ users will have in the new LDAP server. Then I run another update query on the cwd_membership table to change the child_name and lower_child_name values to the new username of each user. I repeat this update query in our JIRA database for the same tables (cwd_user and cwd_membership), and run the same update query in the Confluence database but only on cwd_user, as Confluence's cwd_membership table doesn't have the child_name and lower_child_name columns.

After doing that, I start up Crowd, JIRA and Confluence, log in to JIRA and Confluence using the administrator account of each tool, and run a manual directory synchronization. After the synchronization is done, I log out and log in using my new username, and I could keep all my permissions but lost all references to previous issues or tickets, so this option is not worthwhile.

I'm wondering if there is a way to make this change without having to run update queries on the database. Can this be a new feature in a future version of Crowd?

Does anyone have another idea on how to address this situation?

Thanks in advance for your responses.

Regards,

Francis.
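The two update queries described in Option 1, as an added example that is not part of the original post and is not Atlassian's code. It runs against a constructed in-memory SQLite stand-in for `cwd_user` and `cwd_membership`; the `directory_id` and `parent_name` columns, the sample rows and the mapping are assumptions. It applies the rename in one transaction and refuses a mapping that would give one person's new username to an account that already exists, since that would hand over the other account's group memberships.

```python
import sqlite3

# Constructed old -> new username mapping; in practice this comes from the new LDAP export.
MAPPING = {"fvittini": "s999999", "adavies": "s888888"}

def build_demo_db():
    """In-memory stand-in for the two Crowd tables named in the post (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, directory_id INTEGER,
            user_name TEXT, lower_user_name TEXT,
            UNIQUE (directory_id, lower_user_name));
        CREATE TABLE cwd_membership (id INTEGER PRIMARY KEY, directory_id INTEGER,
            parent_name TEXT, child_name TEXT, lower_child_name TEXT);
        INSERT INTO cwd_user VALUES (1, 1, 'fvittini', 'fvittini'),
            (2, 1, 'ADavies', 'adavies'), (3, 1, 'svc-build', 'svc-build');
        INSERT INTO cwd_membership VALUES
            (1, 1, 'jira-users', 'fvittini', 'fvittini'),
            (2, 1, 'jira-administrators', 'fvittini', 'fvittini'),
            (3, 1, 'jira-users', 'ADavies', 'adavies');
    """)
    return db

def rename_users(db, directory_id, mapping):
    """Rename users in cwd_user and cwd_membership atomically; refuse unsafe mappings."""
    mapping = {old.lower(): new for old, new in mapping.items()}
    targets = [new.lower() for new in mapping.values()]
    if len(set(targets)) != len(targets):
        raise ValueError("two accounts would be merged into one new username")
    existing = {row[0] for row in db.execute(
        "SELECT lower_user_name FROM cwd_user WHERE directory_id = ?", (directory_id,))}
    clashes = sorted(set(targets) & existing)
    if clashes:
        raise ValueError(f"new username already belongs to another account: {clashes}")
    users = memberships = 0
    with db:  # one transaction: commit on success, roll back on any exception
        for old, new in mapping.items():
            args = (new, new.lower(), directory_id, old)
            users += db.execute(
                "UPDATE cwd_user SET user_name = ?, lower_user_name = ? "
                "WHERE directory_id = ? AND lower_user_name = ?", args).rowcount
            memberships += db.execute(
                "UPDATE cwd_membership SET child_name = ?, lower_child_name = ? "
                "WHERE directory_id = ? AND lower_child_name = ?", args).rowcount
    # Accounts left on their old name: review them before the first synchronization.
    unmapped = sorted(existing - set(mapping))
    return {"users": users, "memberships": memberships, "unmapped": unmapped}
```

The `unmapped` list is worth reviewing before the first synchronization: accounts left on their old username have no counterpart in the new LDAP server.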

2 answers

1 accepted

0 votes
Answer accepted
Francis Vittini February 5, 2014

Thanks Andrew for your response, but I don't think the Directory importer will work for me, because the issue is that every user in my user database will need to have a new username: in the new LDAP server, every user will now have a new username, for example "s999999" instead of "fvittini".

If I create a new directory connected to this new LDAP server and then import this new directory into my old one, the result will be new users added to my old directory, as Crowd won't have a way to merge the users that already exist in my old directory with the corresponding records of those users in the new directory.

As far as I've investigated, Option 1 that I mentioned in my question above is the only way to get the results I need. That is, to connect my Crowd app to that new LDAP server and keep all users' history under their previous username mapped to their new username.

Regards,

Francis.

Alan Davies June 9, 2020

Hi Francis,

With your option 1, does a user's history then show their new username throughout, i.e.

2015: userA

2020: userA -> newUserA

If I looked at a ticket from 2015 originally created by 'userA' it would now show it as being created by 'newUserA'?

Regards,

Alan

0 votes
Andrew_Sheedy January 30, 2014

Hi Francis,

You can use the Directory importer to migrate users from one directory to another.

You'll find this in the User menu, then under import users.

Good luck!
