4.3.3 User Directories problem

Jim Mills September 22, 2011

Current situation:

Using Jira 4.3.3, internal directory for users.

I want to just allow LDAP authentication from our Active Directory and can't get it right! If I add the AD details, I end up with all users being imported rather than just using the AD authentication.

Could anyone shed any light at all?

I did have this working previously, but upgraded to 4.3.3 and can't now remember how I got it to work!

Regards

Jim

4 answers

1 accepted

0 votes
Answer accepted
Jim Mills October 10, 2011

Just to finish this question off:

I ended up setting up the 'Delegated LDAP authentication' and found that if this is enabled and set up correctly, you can 'move' current users across to the LDAP login by simply creating the user and selecting the auth type - what made this work for me is the fact that the internal users I had were all named the same as their AD account.

I found that because the usernames were the same, when I created the new user account and selected Delegated LDAP the user count would not increase by one, but the existing user simply changed authentication type.

I did find that the Project Roles were occasionally 'lost' and had to be recreated for the user (not really a big issue), but all issues, etc raised or assigned to users remained with the correct account.

Hope this helps someone, as it caused me a great deal of pain!

Regards

Jim

1 vote
MorganaA September 26, 2011

Hi Jim,

There is no easy way to do it. The only way is using a series of db queries.

If you want to try it, please make sure you do it in a test environment first.

Another important note: this script will move ALL users from the internal directory to Delegated. So make sure they all exist in LDAP before the change, otherwise they will not be able to log in anymore.

Here are the steps:

1) duplicate all groups for LDAP directory:

Make sure you have the LDAP directory at the top of the list.

Add a new user called 'internal' and add this user to all groups.

2) get the ID for Internal and LDAP directories:

select id from cwd_directory;

Supposing Internal = 1 and LDAP = 10000.

3) switch directories for all users/groups:

update cwd_user set directory_id = 3 where directory_id = 10000;

update cwd_user_attributes set directory_id = 3 where directory_id = 10000;

update cwd_membership set directory_id = 3 where directory_id = 10000;

update cwd_user set directory_id = 10000 where directory_id = 1;

update cwd_user_attributes set directory_id = 10000 where directory_id = 1;

update cwd_membership set directory_id = 10000 where directory_id = 1;

update cwd_user set directory_id = 1 where directory_id = 3;

update cwd_user_attributes set directory_id = 1 where directory_id = 3;

update cwd_membership set directory_id = 1 where directory_id = 3;

update cwd_group set directory_id = 3 where directory_id = 10000;

update cwd_group_attributes set directory_id = 3 where directory_id = 10000;

update cwd_group set directory_id = 10000 where directory_id = 1;

update cwd_group_attributes set directory_id = 10000 where directory_id = 1;

update cwd_group set directory_id = 1 where directory_id = 3;

update cwd_group_attributes set directory_id = 1 where directory_id = 3;

4) change password of internal user to sphere:

update cwd_user set credential='uQieO/1CGMUIXXftw3ynrsaYLShI+GTcPS4LdUGWbIusFvHPfUzD7CZvms6yMMvA8I7FViHVEqr6Mj4pCLKAFQ==' where user_name='internal';

I hope it helps!

Cheers,

Morgana
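
A rehearsal of the directory-id swap from the answer above, as an added example that is not part of the original post and not Atlassian's code: it runs the same three-step swap through a placeholder id inside one transaction, refuses to start if the placeholder id is already in use, and rolls back if the per-table row counts do not line up afterwards. The SQLite schema and sample rows are constructed and reduced to the columns used here; `counts`, `swap_directories` and `demo_db` are hypothetical names.

```python
import sqlite3

# Tables from the answer's script that carry a directory_id column.
TABLES = ("cwd_user", "cwd_user_attributes", "cwd_membership", "cwd_group", "cwd_group_attributes")

def counts(conn):
    """Rows per (table, directory_id), for comparing before and after."""
    return {(t, d): n for t in TABLES for d, n in conn.execute(
        f"SELECT directory_id, COUNT(*) FROM {t} GROUP BY directory_id")}

def swap_directories(conn, a, b, tmp):
    """Swap directory ids a and b via placeholder tmp in one transaction."""
    known = {row[0] for row in conn.execute("SELECT id FROM cwd_directory")}
    before = counts(conn)
    if not {a, b} <= known:
        raise ValueError("both directory ids must exist in cwd_directory")
    if tmp in known or any(d == tmp for _, d in before):
        raise ValueError(f"placeholder id {tmp} is already in use")
    try:
        for t in TABLES:
            # Same order as the answer: b -> tmp, a -> b, tmp -> a.
            for src, dst in ((b, tmp), (a, b), (tmp, a)):
                conn.execute(f"UPDATE {t} SET directory_id = ? WHERE directory_id = ?", (dst, src))
        after = counts(conn)
        for t in TABLES:
            moved = (after.get((t, a), 0) == before.get((t, b), 0)
                     and after.get((t, b), 0) == before.get((t, a), 0))
            if not moved or (t, tmp) in after:
                raise RuntimeError(f"row counts do not line up in {t}")
        conn.commit()
    except Exception:
        conn.rollback()  # leave the database exactly as it was
        raise
    return after

def demo_db():
    """Constructed miniature of those tables (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY);
        CREATE TABLE cwd_user (directory_id INTEGER, user_name TEXT);
        CREATE TABLE cwd_user_attributes (directory_id INTEGER, user_name TEXT);
        CREATE TABLE cwd_membership (directory_id INTEGER, user_name TEXT);
        CREATE TABLE cwd_group (directory_id INTEGER, group_name TEXT);
        CREATE TABLE cwd_group_attributes (directory_id INTEGER, group_name TEXT);
        INSERT INTO cwd_directory VALUES (1), (10000);
        INSERT INTO cwd_user VALUES (1, 'jim'), (1, 'ann'), (10000, 'internal');
        INSERT INTO cwd_group VALUES (1, 'jira-users'), (10000, 'jira-users');
    """)
    return conn
```
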

0 votes
MorganaA September 22, 2011

Hi Jim,

Do you mean you want your Internal Directory users to be authenticated by your AD?

If that is the case, you will need to use Internal Directory with LDAP Authentication.

But the thing is: when you do this, your existing users will not be copied over to this new directory. So the best way to go is to set the options 'Copy User on First Login' and 'Default Group Memberships'. This way, the first time they log in, they will be created in the right directory.

Oh! Do not forget to also move the Internal Directory with LDAP Authentication to the top of the directories list. JIRA goes top down for authentication and you want it to use LDAP instead of Internal.

Here is the link for the documentation: http://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication
I hope it helps!

Cheers,
Morgana

Jim Mills September 22, 2011

Many thanks Morgana - this is what I was looking for!

Just one problem - how can I 'move' users from internal directory to Delegated LDAP authentication? I can't see anywhere to simply change the authentication method, and deleting and recreating the users isn't an option as there's a lot of issues which I'd have to reassign before I could delete the internal directory users, then reassign back when the new Delegated LDAP authentication user is created - really not an option with the amount of issues in the system already!

If you have any ideas, I'd be most grateful.

Regards

Jim

0 votes
Jim Mills September 22, 2011

and I forgot to say...

It's 4.3.4, not 4.3.3 (just double checked), and having added and then removed an Active Directory User Directory (so I'm back at having just the Jira internal directory) I now don't have the option to reset a user password!

Help!

Thanks

Jim
