Hi,
My company maintains an OpenLDAP server which stores the information of all the employees. All company internal systems authenticate with it when users log in.
My department is responsible for software development/testing and is divided into many teams. I want to add the employees of my department to the corresponding teams in OpenLDAP so that I can manage user permissions based on teams in jira/confluence/gerrit/gitlab/svn/jenkins/sonarqube and so on. However, I have no permission to add teams or groups to the company OpenLDAP server.
My plan is to:
1. set up a new server inside my department to store the user information. The new server could be a jira server, or a ldap server, or anything else.
2. synchronize the necessary user data from the company OpenLDAP server to my department server.
3. create groups in department server.
4. add users to the corresponding groups in the department server.
5. confluence/gerrit/gitlab/svn/jenkins/sonarqube authenticate with the department server instead of the company one.
I know Jira has such functionality. We can manage the users synchronized from the LDAP server into different groups in the Jira server, and then the Jira server can authenticate for Confluence, but I don't know if Jira can authenticate for other software such as gerrit/gitlab/svn/jenkins/sonarqube.
If not, is there another alternative solution? Any help is appreciated.
BRs,
Liansheng
Hi Liansheng,
when you mentioned
However, I have no permission to add team or group to company openldap server.
I'd suggest opening a discussion with the appropriate team instead of introducing a new piece of infrastructure. Although I do not know the details on the "why", for obvious reasons this is something which sounds non-technical at first sight and might be discussed further.
For the technical part Nic mentioned some good points - from my point of view a centralized LDAP server is present - it would be worth a lot focusing on it.
For a "department LDAP" you would (surely?!) go through all the considerations like operations, who to call on weekends, including backup, documentation, support and so on.
For that case I also would not recommend trying to authenticate against the single Jira instance.
Cheers,
Daniel
Thanks Daniel, you are right, it is non-technical.
I am talking to the appropriate team now, and have made some progress. They might grant me restricted permissions to a certain directory on the company server.
Jira has a simple user service built into it, called "embedded crowd". It is a very cut-down type of Crowd, but it can be used by other servers. Those other servers however, need to be written so that they can use an embedded-crowd as their directory server. As far as I am aware, Atlassian Software (Confluence for example) is the only thing that can do it.
What you're proposing will not work without you doing a load of coding for a load of programs that do not know how to talk to Jira for this.
I question why you would want to as well. You already have an LDAP server which is more functional and can be used as the directory for lots of services. If you moved to Jira, you'd have to accept a loss of a lot of that functionality, and your user maintenance would have to move from your department services to your Jira administrators.
What would be the benefit of moving to Jira instead of LDAP?
Thank you for confirming, Nic.
So the way is to set up a new LDAP server in my department, sync user data from the company LDAP server to it, and then manage user groups in the department LDAP server.
However, as far as I know, in OpenLDAP master-slave replication, we cannot add new groups on the slave node, because the slave node can be read but not written, right?
It seems not an issue to discuss in the Atlassian community, but I will much appreciate any more suggestions/information about it.
It depends on how you set up the two LDAP servers, I can't tell you much about it, but I understand it's possible to have two nodes that are equals.
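One concrete way to set up the two servers "as equals" for this purpose, added here as an example and not taken from any of the posters above: a single department slapd hosts two databases, a read-only syncrepl consumer of the corporate people subtree and a separate, locally writable tree for team groups. All hostnames, suffixes, DNs and credentials are assumed placeholders; the replicator account must exist on the corporate server and its ACLs there decide which attributes (userPassword included) actually arrive.

```conf
# Added example slapd.conf for the department LDAP server (placeholders throughout).
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema

# Database 1: read-only replica of the corporate people subtree.
# Writes sent here are refused and referred to the provider (updateref),
# which is why groups cannot live in this database.
database  mdb
suffix    "ou=people,dc=example,dc=com"
directory /var/lib/ldap/corp-people
rootdn    "cn=replica-admin,ou=people,dc=example,dc=com"
syncrepl  rid=001
          provider=ldaps://corp-ldap.example.com
          type=refreshAndPersist
          searchbase="ou=people,dc=example,dc=com"
          filter="(objectClass=inetOrgPerson)"
          scope=sub
          bindmethod=simple
          binddn="cn=replicator,dc=example,dc=com"
          credentials=REPLACE_WITH_REPLICATOR_PASSWORD
          retry="60 10 300 +"
updateref ldaps://corp-ldap.example.com
# Replicated password hashes are used only for binds, never returned to clients.
access to attrs=userPassword
        by anonymous auth
        by * none
access to * by users read

# Database 2: department-owned tree, writable by the department admin only.
# Team groups are created here; their member values are DNs from database 1.
database  mdb
suffix    "ou=dept,dc=example,dc=com"
directory /var/lib/ldap/dept
rootdn    "cn=dept-admin,ou=dept,dc=example,dc=com"
rootpw    {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT
access to *
        by dn.exact="cn=dept-admin,ou=dept,dc=example,dc=com" write
        by users read
        by * none
```

A team is then an ordinary groupOfNames entry under ou=dept whose member attributes point at replicated user DNs, e.g. member: uid=alice,ou=people,dc=example,dc=com, and the applications bind users against ou=people while reading group membership from ou=dept on the same server.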