Configuring Active Directory

Dmitry Kuzmin June 23, 2017

Hi.
We've always been using the Jira internal directory (ID) for managing users and groups. ID contains all active users and lots of groups used in Jira.
Now we are planning to start using Microsoft Active Directory (AD) for logging in to Jira (via Kerberos). AD also contains almost the same set of users and another set of groups. We need to use AD groups in Jira.
Some users have the same user name in AD as in ID, and some do not.
All real users are present in AD. All technical users (e.g. robots) are present only in ID and cannot be copied to AD for some reasons.
The plan of switching from ID to AD is:
1) configure an AD user directory in Jira. Type - "with local groups", read only.
2) run a script which saves the association between ID groups and users
3) run a script which renames ID users so that their user names correspond to AD users
4) switch the user directory order - making AD first, ID second.
5) apply the groups saved in step 2) to AD users (via script again)
6) run a script which deletes all users from ID except technical users.
So the questions are:
- Is this plan suitable? Maybe there is a simpler solution?
- Should we delete users as mentioned in step 6)? All Atlassian documentation says it is recommended that each user be stored in only one directory?
- After the switch to AD, will FishEye properly use the Jira user directories? Now it is configured to use the Jira user directory with type Atlassian Crowd.
Thank you.
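The six-step plan above depends on custom scripts for steps 2, 3 and 5. As an added example that is not part of the original post, this Python sketch takes the group-membership export from step 2 and the rename map from step 3, computes the memberships to re-apply in step 5, and flags user names that AD would shadow once it sits first in the directory order (a user resolved by AD instead of ID would inherit the ID account's Jira permissions). All names and group data are constructed; the rename map and a technical user that happens to exist in AD are deliberate test cases.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the exports that the scripts in
# steps 2 and 3 would produce; none of it comes from the original post.
ID_GROUPS = {  # Jira internal directory: group -> members (step 2 export)
    "jira-developers": {"dkuzmin", "jsmith", "build-robot"},
    "jira-administrators": {"dkuzmin"},
    "jira-users": {"dkuzmin", "jsmith", "build-robot", "deploy-bot"},
}
RENAME_MAP = {"jsmith": "john.smith"}               # ID name -> AD name (step 3)
AD_USERS = {"dkuzmin", "john.smith", "deploy-bot"}  # account names present in AD
TECHNICAL_USERS = {"build-robot", "deploy-bot"}     # must stay in ID (step 6)
# "deploy-bot" is a constructed collision: a technical user whose name also
# exists in AD, which the check below must report.


@dataclass
class MigrationPlan:
    groups: dict = field(default_factory=dict)   # group -> members after step 5
    problems: list = field(default_factory=list)  # findings to resolve first


def plan_migration(id_groups, rename_map, ad_users, technical_users):
    """Translate saved ID memberships to post-switch names and flag user names
    that the wrong directory would resolve once AD is first."""
    plan = MigrationPlan()
    targets = {}
    for old, new in rename_map.items():
        if new not in ad_users:
            plan.problems.append(f"rename {old}->{new}: no such AD user")
        targets.setdefault(new, []).append(old)
    for new, olds in targets.items():
        if len(olds) > 1:  # two ID accounts collapsing into one AD account
            plan.problems.append(f"{sorted(olds)} would all become {new}")
    for tech in sorted(technical_users):
        if tech in ad_users:  # AD wins name resolution, ID account is shadowed
            plan.problems.append(f"technical user {tech} shadowed by AD user")
    for group, members in id_groups.items():
        renamed = set()
        for member in members:
            new = rename_map.get(member, member)
            if new not in ad_users and new not in technical_users:
                plan.problems.append(f"{member} in {group}: not in AD, not technical")
                continue
            renamed.add(new)
        plan.groups[group] = renamed
    return plan
```

Run the check against the real exports before step 4; every entry in `problems` is a user who would lose access or gain someone else's.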

1 answer

0 votes
Bruno Vincent
June 25, 2017

Hello Dmitry,

Your migration plan looks ok but seems a bit complicated to me. It requires a lot of scripting whereas you could use native features provided by Atlassian for this. I will detail hereafter another scenario which is based on Atlassian Crowd.

But before I do, I need to write a short disclaimer, as I actually work for the vendor of the IWAAC Kerberos SSO plugin which is part of my suggested migration plan.

1. Ok, so let's sum up, you have two types of users: "real" users and technical users. You've got everything you need for real users in AD whereas technical users have to be managed somewhere else as they can't be in AD. Besides some of your "real" users have another name in AD than the one they have in Jira.

According to me, Atlassian Crowd perfectly fits in such a situation. You would actually have two directories in Crowd:
- One internal directory for your technical users
- One external directory (of type LDAP/AD directory connector) for your real users

Besides, Atlassian Crowd handles the fact that your usernames in AD might not be the usernames in Jira with Crowd user aliases.

2. Sounds great but you probably want to ask "How do I migrate my technical users from Jira internal directory to Crowd internal directory?". Well, the good news is that Atlassian provides a native tool for this.

As it will import all your users, not just the technical ones, you have two options here: you can either remove the real users from Crowd's internal directory or set that directory in second position in Crowd (AD being the first).

3. Now, all you need to do is connect Jira to your Crowd server and FishEye to your Crowd server as well (in both cases set the Crowd directory in first position).

4. What about SSO? Well, just enable Crowd SSO for Jira and FishEye and add the IWAAC Kerberos SSO plugin to your Jira and FishEye instances.

Hopefully these steps should allow you to perform your migration without (almost*) any scripting.

The drawback of this migration plan is obviously the extra cost for Atlassian Crowd and the IWAAC plugin (in all scenarios you will need to pay for a third-party Kerberos add-on anyway).

*I've written "almost" because of the Crowd user aliases. If you have a lot of users who have different names in Jira and AD, you might need to write a script to add their user aliases to Crowd. Otherwise, if there are only a few of them, you can do it by hand in Crowd's administration UI.

Hope this helps!

Bruno
