Crowd delegated directory - is it possible to use usernames from AD in the Jira Internal directory without creating them in Crowd?

We have Jira 5.1.x connected to Crowd (first and top directory), and it has an Internal directory too.

Crowd has a Delegated directory configured, connected to AD. AD has a big number of users, but the Delegated Directory itself has a limited number of users, identical to those in AD.

Is it possible to use in the Internal directory a username that is present in AD but not present in the Delegated directory?

For the moment, users can't log in to Jira until an identical account is created in the Crowd delegated directory. Moreover, Jira is connected to Crowd by a read-only connection, but Crowd creates empty accounts when a user tries to log in to Jira.

2 answers

Hi, if you use a full LDAP directory and not Delegated Authentication Directory, you should auto sync from LDAP into Crowd without any changes.

You can also do this in JIRA itself since it has an "embedded Crowd" module to sync from AD. Atlassian doesn't recommend more than 500 users this way though.

Using full LDAP is not usable for us due to security restrictions (Crowd can't change anything in LDAP) and a total difference in groups. Jira (and Crowd) has some hundreds of groups, but LDAP doesn't have them (it has its own set of groups).

This is why we used Delegated Directory.

We are doing a big migration of users from the Internal Directory to Crowd. But we can't do this all at once. The idea was to create users one by one in Crowd and put the Crowd directory on top in Jira. Users who are not present in Crowd for the moment should log in using Internal credentials. But in this configuration, users who have an identical username in Jira Internal and in AD can't log in to Jira.

It seems Crowd checks users in AD even if the users are not present in the Delegated Directory!
So my question is: is there any workaround for this situation, or do we need to migrate all identical users at once anyway?

Hi Andrey,

Crowd has an option to disable the "Add Users" permission in the directory configuration within the Application section. If you unmark this option, the users from LDAP shouldn't be created upon login into the client application.

However, there is a known bug in this functionality; please vote on it and add yourself as a watcher for further updates.

Cheers

Hi Tiago.

A bug in user creation is bad, but I don't really understand what actually happens.

I fixed the situation with user creation using a recipe that I found here:

https://answers.atlassian.com/questions/2108/how-do-i-stop-a-delegated-directory-from-automatically-adding-ldap-users
and in the documentation:
https://confluence.atlassian.com/display/CROWD/Specifying+which+Groups+can+access+an+Application

  1. Next to your delegated LDAP directory, change the "Allow All to Authenticate" to "False"
  2. Then select the Groups tab, add in your jira-users, confluence-users (or whatever) from the delegated LDAP directory (and it has to be this directory, not a same named group in another directory)


It seems that in this configuration a new user wasn't created.
But users with an identical username in the Internal directory and in AD still can't log in.
These users are not present in the Delegated directory!
This is the main trouble for us.
