Setting up a reverse proxy between Crowd and LDAP server -- is this possible?

Hi,

This is a weird use case. Our JIRA environment is technically in our production environment, since we have a lot of automation that ties JIRA to various production monitoring and tools. Currently we have our Crowd instance in a DMZ zone, so that it can enable our environment to authenticate with our corporate Active Directory (non-prod environment) via LDAP servers that are also in a non-prod environment. This works most of the time – except that the DMZ zone is in a data center that is less than stable, and we have taken outages because the Crowd server goes offline occasionally.

We do have a fail-over Crowd instance in our production environment as well – but since it can't directly communicate with our non-prod LDAP servers, we end up having to use locally-based authentication when we have an outage for our LDAP users – not ideal. However, this environment works fine for our external customers, who are already locally authenticated in Crowd.

Our production environment, despite network limitations re: connectivity to the non-prod LDAP servers, is much more stable than the DMZ zone we currently use for Crowd. We'd like to make the production instance of our Crowd our primary instance, and find some means of having Crowd talk to the non-prod LDAP servers, without the need of the DMZ zone. Our Security team has already nixed the idea of some sort of direct connection between prod and non-prod (understandable).

We do have several reverse-proxy Apache servers in our production environment however – is it possible to set up a reverse proxy between Crowd and an LDAP server? Our Security team says if we could do something like that, it would satisfy their concerns about a production instance of Crowd talking with a non-prod LDAP server.

Anyone run into something like this before?

Oh, and if you are curious, we are already using SSL certs between Crowd and our ldaps.

Hope that made sense. 

1 answer

0 votes
rrudnicki Atlassian Team Feb 18, 2015

Hi Bryan,

I’m wondering if the non-production Active Directory is a staging environment. If so, it might be a problem for two reasons.

1 - Since it isn’t a production environment, it might not be synchronised all the time.

2 - If it is a staging environment, tests on it might cause outages which will affect Crowd.

I agree with you that making your production instance of Crowd the primary instance is a good idea, but I also agree with your security team that having a direct connection between your non-prod and production environments might not be a good idea.

But, answering your question, "We do have several reverse-proxy Apache servers in our production environment however – is it possible to set up a reverse proxy between Crowd and an LDAP server?": Yes, but it may be very complex, since I believe you will need to work with some rewrite rules, and also a reverse proxy should be at the edge of your network, not in the middle of your network.

P.S.: Keep in mind that Atlassian doesn’t cover reverse proxy configuration.

P.S. 2: Maybe this link will be useful: https://answers.atlassian.com/questions/227994

Regards,

Renato Rudnicki
