We've always been using the Jira internal directory (ID) for managing users and groups. The ID contains all active users and lots of groups used in Jira.
Now we are planning to start using Microsoft Active Directory (AD) for logging in to Jira (via Kerberos). AD also contains almost the same set of users and another set of groups. We need to use AD groups in Jira.
Some users have the same user name in AD as in ID, and some do not.
All real users are present in AD. All technical users (robots, e.g.) are present only in ID and cannot be copied to AD for some reasons.
The plan of switching from ID to AD is:
1) configure the AD user directory in Jira. Type - "with local groups", read only.
2) run script which saves association between ID groups and users
3) run script which renames ID users so that their user names correspond to AD users
4) switch user directories order - making AD first, ID second.
5) apply groups, saved on step 2) to AD users (via script again)
6) run script which deletes all users from ID except technical users.
So the questions are:
- Is this plan suitable? Maybe there is a simpler solution?
- Should we delete users as mentioned in step 6)? All Atlassian documentation says it is recommended that each user be stored in only one directory.
- After the switch to AD, will Fisheye properly use Jira user directories? Now it is configured to use the Jira user directory with type Atlassian Crowd.
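A dry run of steps 2 to 6 of the plan above, as an added example that is not part of the original post: it checks the rename mapping before any group is re-applied, because two ID users landing on one AD name, or a technical account sharing a name with an AD account, would silently change who holds which groups. All user names, group names and the `plan_migration` helper are constructed for illustration; real input would come from your own export of Jira group memberships.

```python
# Constructed sample data (not from the thread).
ID_MEMBERSHIPS = {  # step 2: ID user name -> groups
    "jsmith": {"jira-developers", "jira-users"},
    "mary.k": {"jira-administrators", "jira-users"},
    "bob": {"jira-users"},
    "build-bot": {"jira-developers"},
}
RENAMES = {"jsmith": "john.smith", "mary.k": "mkeller"}  # step 3: ID name -> AD name
AD_USERS = {"john.smith", "mkeller", "bob"}
TECHNICAL = {"build-bot"}  # stay in ID only


def plan_migration(memberships, renames, ad_users, technical):
    """Dry run of steps 2-6: returns (apply, keep, problems)."""
    apply, owner, problems = {}, {}, []
    for id_name in sorted(memberships):
        if id_name in technical:
            continue
        ad_name = renames.get(id_name, id_name)
        if ad_name not in ad_users:
            problems.append(f"{id_name}: no AD account named {ad_name}")
        elif ad_name in owner:
            # Two ID users landing on one AD name would merge their groups:
            # refuse both rather than hand one person the other's access.
            problems.append(f"{id_name} and {owner[ad_name]} both map to {ad_name}")
            apply.pop(ad_name, None)
        else:
            owner[ad_name] = id_name
            apply[ad_name] = set(memberships[id_name])
    # Once AD is ordered first, an AD account with the same name as a
    # technical account would be the one Jira resolves for that name.
    for name in sorted(technical & ad_users):
        problems.append(f"technical user {name} collides with an AD account")
    keep = sorted(technical & set(memberships))  # step 6: everything else is deleted
    return apply, keep, problems


if __name__ == "__main__":
    apply, keep, problems = plan_migration(ID_MEMBERSHIPS, RENAMES, AD_USERS, TECHNICAL)
    for user, groups in sorted(apply.items()):
        print(f"step 5: {user} <- {sorted(groups)}")
    print("step 6: keep in ID:", keep)
    print("problems:", problems or "none")
```

Run it against the saved step 2 output and proceed to step 4 only when the problem list is empty.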
Your migration plan looks ok but seems a bit complicated to me. It requires a lot of scripting whereas you could use native features provided by Atlassian for this. I will detail hereafter another scenario which is based on Atlassian Crowd.
But before I do, I need to write a short disclaimer, as I actually work for the vendor of the IWAAC Kerberos SSO plugin which is part of my suggested migration plan.
1. Ok, so let's sum up: you have two types of users, "real" users and technical users. You've got everything you need for real users in AD, whereas technical users have to be managed somewhere else as they can't be in AD. Besides, some of your "real" users have another name in AD than the one they have in Jira.
According to me, Atlassian Crowd perfectly fits in such a situation. You would actually have two directories in Crowd:
- One internal directory for your technical users
- One external directory (of type LDAP/AD directory connector) for your real users
Besides, Atlassian Crowd handles the fact that your usernames in AD might not be the usernames in Jira with Crowd user aliases.
2. Sounds great but you probably want to ask "How do I migrate my technical users from Jira internal directory to Crowd internal directory?". Well, the good news is that Atlassian provides a native tool for this.
As it will import all your users, not just the technical ones, you have two options here: you can either remove the real users from Crowd's internal directory or set that directory in second position in Crowd (AD being the first).
Hopefully these steps should allow you to perform your migration without (almost*) any scripting.
The drawback of this migration plan is obviously the extra cost for Atlassian Crowd and the IWAAC plugin (in all scenarios you will need to pay for a third-party Kerberos add-on anyway).
*I've written "almost" because of the Crowd user aliases. If you have a lot of users who have different names in Jira and AD, you might need to write a script to add their user aliases to Crowd. Otherwise, if there are only a few of them, you can do it by hand in Crowd's administration UI.
Hope this helps!