I have installed Jira 8.13 on a new server. I updated the database from our old server so all internal users are there. We did not have ldap in the old server but have configured it on the new one. I've seen lots of documentation on how to make the existing internal users ldap but not sure which route to take.
If I change the order under User Directories to make Active Directory Server the first, then I'm assuming when an existing internal user connects it will take their ldap logon and not prompt them for credentials. When this happens do all their connections to Projects/Issues etc. come over to that ldap acct?
Please take a look at our UserManagement for Jira – this will allow you to move users around between internal and delegated LDAP directories in bulk.
I usually recommend migrating users to a delegated LDAP directory first, testing everything out, then (if desired) creating a full-sync one (which often comes with a filter based on the LDAP/AD groups e.g. "only members of JIRA_Users") and by placing it above the delegated one – overriding the users in the delegated one. You can then find what users are in the delegated one and not in the sync'ed one (i.e. were already in Jira, but didn't come through the LDAP filter) and decide what to do with them – keep them in a delegated one or fix the group membership on the LDAP side.
The ideal configuration (this is an opinion!) is to have the internal directory on top, but only containing the "local" users, the LDAP synced one below, and the LDAP delegated one below that (for all "leftovers").
Further, if you have a lot of historic users who are by now inactive (as in "do not login anymore") – you can move them to yet another delegated directory, and deactivate them.
All of this can be done on evaluation license free of charge.
Oh, and we are a Single Sign-On vendor too – we can make your "not prompted for credentials" a reality with our EasySSO for Jira, with NTLM or Kerberos authentication against Windows domain.
That sounds not too bad!
As for the question of the order:
It really depends on whether a user is present with the same username in both directories (internal and LDAP/AD, as you mentioned). If so, the upper one takes precedence.
As per documentation:
When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.
This does not necessarily mean there is no prompt for credentials at all.
There are cases where that can be true, but generally this means you need to additionally introduce a single sign-on (SSO) solution.
Without it there is still the option to "remember my login", so the user does not need to authenticate every time they open Jira.
The projects and issues are not tied to the LDAP account in that sense, but if you are using different usernames in LDAP (or Active Directory) than in the internal user directory, there is no logical connection between those accounts. In other words, to Jira this looks like a separate person (e.g. jdoe in the internal directory and j.doe in Active Directory/LDAP will not be the same).
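To make the two points above concrete (the "first occurrence wins" precedence rule and the "different username means a different person" caveat), here is an added example that is not part of this thread or of any Atlassian or vendor tooling. It models the directory lookup order quoted from the documentation and runs a pre-migration reconciliation over two constructed username lists, flagging internal-only accounts that look like a renamed LDAP account. The "same person" heuristic (comparing usernames with dots, hyphens and underscores stripped) is an assumption for illustration; Jira itself performs no such matching, so flagged pairs still have to be verified by hand before reordering directories.

```python
"""Pre-migration directory check for Jira internal -> LDAP (added example).

The precedence rule modelled here is the one quoted from the Atlassian docs:
the first directory, in configured order, that contains the username supplies
the credentials. All usernames below are constructed sample data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Directory:
    """A user directory as listed under Administration > User Directories."""
    name: str
    users: set = field(default_factory=set)


def resolve_login(username, directories):
    """Return the name of the directory whose credentials Jira would check.

    Jira usernames are case-insensitive, so the comparison is done in lower
    case. Returns None when no directory knows the user.
    """
    wanted = username.lower()
    for directory in directories:  # configured order, top to bottom
        if any(u.lower() == wanted for u in directory.users):
            return directory.name
    return None


def _normalize(name):
    # Assumed heuristic: "j.doe", "j_doe" and "jdoe" collapse to the same key.
    return re.sub(r"[._-]", "", name.lower())


def reconcile(internal, ldap):
    """Compare internal usernames with LDAP usernames before reordering.

    Returns exact matches (safe to let LDAP take precedence), internal-only
    accounts (candidates for a delegated directory), LDAP-only accounts, and
    suspected same-person pairs that Jira would treat as two different users.
    """
    internal_l = {u.lower() for u in internal}
    ldap_l = {u.lower() for u in ldap}
    exact = sorted(internal_l & ldap_l)
    internal_only = sorted(internal_l - ldap_l)
    ldap_only = sorted(ldap_l - internal_l)

    ldap_by_key = {}
    for u in ldap_only:
        ldap_by_key.setdefault(_normalize(u), []).append(u)
    suspects = [(u, cand) for u in internal_only
                for cand in ldap_by_key.get(_normalize(u), [])]

    return {
        "exact": exact,
        "internal_only": internal_only,
        "ldap_only": ldap_only,
        "suspected_same_person": suspects,
    }


# Constructed sample data, not taken from any real Jira instance.
INTERNAL = Directory("Jira Internal Directory",
                     {"jdoe", "asmith", "svc_build", "Bob.Jones"})
AD = Directory("Active Directory Server",
               {"j.doe", "asmith", "cwhite", "bob.jones"})


if __name__ == "__main__":
    report = reconcile(INTERNAL.users, AD.users)
    for key, value in report.items():
        print(f"{key}: {value}")
    # With AD on top, asmith authenticates against AD; jdoe (no AD match)
    # still falls through to the internal directory.
    print(resolve_login("asmith", [AD, INTERNAL]))
    print(resolve_login("jdoe", [AD, INTERNAL]))
```

The output of `reconcile` is the list to act on before changing the order: exact matches simply start authenticating against AD, internal-only accounts are the "leftovers" that belong in a delegated directory or need deactivating, and each suspected pair needs either a username rename or a user-migration step so the existing project and issue history is not left attached to an orphaned internal account.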