Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How can I auto-assign the users from a specified directory (LDAP) to a certain jira group?

Sorin Sbarnea (
Sorin Sbarnea (Citrix)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

I have an instance that uses two authentication sources:

  • local accounts - people can register and create accounts by themselves
  • LDAP directory - people from inside the company can login with their corporate login

The problem is that I need to assing a special group, like jira-internal to the ones from the directory because they have more permissions than people from the internet.

Note: jira-users default group us useless because it is required for login and auto-assgined to all new accounts.

How can I achieve this?

Answer
Watch
Like Be the first to like this
456 views

1 answer

1 vote
Aspect Infra Te
Aspect Infra Team
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

you can have more than one group with login to jira permissions
Administration -> Users -> Global permissions -> JIRA Users

so your internal users can didn't have jira-users group at all and have jira-own-staff like example as equivalent that allow them to log in

View More Comments
Sorin Sbarnea (
Sorin Sbarnea (Citrix)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

Probably I wasn't clear enough, both LDAP first login and registration are creating new jira accounts (the ones registered are local and the one with LDAP are directory accounts, not managed by jira).

THe problme is that, so far, I did not find a way to assign different groups to these two categories of users, in order to be able to give them different permissions.

It is mandatory for this to be automatic, as we do not have the time to manually edit each new auto-created account.

Probably what I need is a default group for each directory, which I wasn't able to find in the options.

Like
Aspect Infra Te
Aspect Infra Team
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

"creating account" for LDAP users is not a clear creation - since they already have LDAP account used for their auth ( so as i understand name/surname also takes from ldap )
so you can add a group that defines wider permission for internal users into ldap

Like
Sorin Sbarnea (
Sorin Sbarnea (Citrix)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

You assume that I do have control over the corporate directory, which in 99% of the cases is not true (including me).

As in most coporate environments the LDAP schema is almost impossible to touch and even if it would be theoretically possilbe to touch it, the birocracy would make the taks practically impossible (you'll get it implemented when the need for the change is no longer there).

For this reason, most people are using LDAP only to authenticate active accounts: login, email and password verification.

Like
Aspect Infra Te
Aspect Infra Team
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

ok then maybe some group in LDAP already exist that you can use?
can you at least have directory structure from your corporate dept that rules ldap - so you can find some useful group(s)

or maybe CROWD can be a way http://www.atlassian.com/software/crowd/overview

we used it some time before ( then JIRA itself was unable to auth from ldap ) and as i remember there was an option for auto-add groups to user on creation of account, but i'm not sure can be different for different users. but if it will installed as a part of *jira suite* it can be under your control ;)

Like
Aspect Infra Te
Aspect Infra Team
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

you can always narrow group search from jira ldap connector

so i think you can try on test jira site ( i hope you have it )

if you still think it's impossible in your situation - than sorry i'm have no more ideas :(

Like
Sorin Sbarnea (
Sorin Sbarnea (Citrix)
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 11, 2012

Groups sync form LDAP on big directories is not working for seceral reasons:

  • different groups with the same name
  • it would put jira on its knees due to the group number (also sync would be very slow)
  • it does pollute jira groups with tons (>1000) of groups from the directory.
Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events