Setting up a reverse proxy between crowd and ldap server -- is this possible?

Hi,

This is a weird use case. Our JIRA environment is technically in our production environment, since we have a lot of automation that ties JIRA to various production monitoring and tools. Currently we have our Crowd instance in a DMZ zone, so that it can enable our environment to authenticate with our corporate Active Directory (non-prod environment) via ldap servers that are also in a non-prod environment. This works most of the time – except that the DMZ zone is in a data center that is less than stable, and we have taken outages because the crowd server goes offline occasionally. 

We do have a fail-over crowd instance in our production environment as well – but since it can't directly communicate with our non-prod ldap servers, we end-up having to use locally-based authentication when we have an outage for our ldap users – not ideal. However, this environment works fine for our external customers, who are already locally authenticated in crowd. 

Our production environment, despite network limitations re: connectivity to the non-prod ldap servers, is much more stable than the DMZ zone we currently use for crowd. We'd like to make the production instance of our crowd our primary instance, and find some means of having crowd talk to the non-prod ldap servers, without the need of the DMZ zone. Our Security team has already nixed the idea of some sort of direct connection between prod and non-prod. (understandable).  

We do have several reverse-proxy apache servers in our production environment however – is it possible to set up a reverse proxy between crowd and an ldap server? Our Security team says if we could do something like that, it would satisfy their concerns about a production instance of crowd talking with a non-prod ldap server. 

Anyone run into something like this before?

 Oh, and if you are curious, we are already using SSL certs between crowd and our ldaps. 

Hope that made sense. 

1 answer

0 votes

Hi Bryan, 

 

I’m wondering if the non-production Active directory is a staging environment. If so, it might be a problem for two reasons.

1 - Since it isn’t a production environment, it might not be synchronised all the time

2 - If it is a staging environment, tests on it might cause outages which will affect Crowd.

 

I agree with you that make your production instance of Crowd the primary instance is a good idea, but I also agree with your security team that has a direct connection between your non-prod and production environment might not be a good idea. 

 

But, answering your question, "We do have several reverse-proxy apache servers in our production environment however – is it possible to set up a reverse proxy between crowd and an ldap server?” Yes, but it may be very complex since I believe you will need to work with some re-write rules and also reverse proxy should be in the edge of your network, not in the middle of your network. 

 

P.S.: Keep in mind that Atlassian doesn’t cover reverse proxy configuration.

P.S 2.: Maybe this link may be useful: https://answers.atlassian.com/questions/227994

 

Regards, 

Renato Rudnicki

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Feb 27, 2018 in Crowd

The Crowd team is looking for feedback on Server & Data Center customers' identity strategies!

Do you own more than one Server or Data Center product? Do you have challenges provisioning users across your Atlassian products? Are you spending a lot of time integrating each Atlassian product wit...

1,572 views 6 14
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you