Is it possible to transfer LDAP users to the local directory?

Jakob Nielsen December 12, 2018

Hi,

We are about to transition to Azure AD SAML authentication in Jira Software.

We are looking for a way for the users to be able to use their new credentials, but keep the assignments to tasks they had with their old logins. 

Currently we have an LDAPS connection to a local AD through a user directory in Jira. In the future, if we use SAML, the user would be created in the internal directory.

Is it possible to extract the information from the LDAP user directory and import it to the local directory? I know this is disabled in the application (as described here), but can it be done with SQL, or with an intermediary step?

We plan on using the SAML SSO plugin from resolution, which can update non-SAML-created users as well.

Important to note here is that the credentials from Azure are different, so we would have to manually change them (new email etc.) during the process.

Thanks in advance!

1 answer

1 vote
Christian Reichert (resolution)
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
December 12, 2018

Hi Jakob,

Thanks for using or planning to use our SAML Single Sign On plugin.

Our plugin has a functionality called User Sync, via which you can synchronise the users (similar to LDAP) via the native Graph API from Azure AD.

The typical outline of the way to approach this migration is:

1. Configure UserSync. This creates a new directory in Jira and synchronises the users from Azure AD into it. Make sure the usernames here match the ones in the LDAP directory (this can usually be achieved by selecting the right attribute to sync or some regex transformation).

2. Check that the sync went fine and the information is correct.

3. Move the directory order in Jira, so that the Azure AD directory comes first.

4. Disable the LDAP directory.

This way the users will retain all history and assignments.

If you like, open a support case with us (https://resolution.de/go/support) or schedule a screenshare session with us (https://resolution.de/go/calendly) and then we can help you translate the above general steps to your concrete environment.

Cheers,
Christian

Jakob Nielsen December 13, 2018

Hi Christian,

Thank you for your reply. You make it sound easier than I had feared, so that is comforting. I tried creating a case on your site yesterday, but my case has since disappeared somehow.

The users will be getting new emails (and usernames), so how does the plugin know the mapping between the old and new accounts? The old accounts use samaccountname for logins, but these are also different in Azure. The only attribute in Azure we can use to link the new and old accounts is the legacyemail (user.extensionAttribute1). Can I utilize that somehow to create a mapping to the new accounts?

Will this configuration affect new accounts as well? Because their "legacyemail" value will become blank at some point.

Christian Reichert (resolution)
December 13, 2018

Hi Jakob,

I just had a look. Jira Service Desk had your account disabled. Strange. I re-enabled it and you should have access to your support case again.

I need to check that. I can't see user.extensionAttribute1 in the attributes that we see from the connector at the moment. Something I need to check with the developer.

Cheers,
Christian

Christian Reichert (resolution)
December 13, 2018

Hi Jakob,

Just to add to that: this "link" doesn't need to be permanent. Once we have synchronized the users once with the matching user ID, we can change the mapped attribute, which will then change and rename all users to the new one. In the future, that then only synchronizes the new one.

Cheers,
Christian
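A pre-cutover check for step 1 of the migration outlined in the answer above (usernames in the Azure AD directory must match the LDAP ones) and for the temporary legacy-email link discussed in the follow-up comments, written as an added example; it is not code from the thread or from resolution's plugin. It assumes two CSV exports with the column names shown (sAMAccountName and mail from AD; userPrincipalName and extensionAttribute1 from Azure AD) and uses constructed sample rows. The regex transform and the extensionAttribute1 link are stand-ins for whatever attribute mapping the plugin is actually configured with. It reports the cases that must be resolved before the Azure AD directory is moved ahead of LDAP: two Azure users resolving to the same Jira username (only one can own the history), LDAP accounts nobody claims, and unlinked new accounts whose derived username would match an existing LDAP user and inherit that account's assignments and permissions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample exports for illustration only (not real accounts).
# LDAP side: what the existing Jira LDAP directory sees (sAMAccountName is the login).
LDAP_CSV = """sAMAccountName,mail,enabled
jnielsen,jakob.nielsen@old.example,true
asmith,anna.smith@old.example,true
bjones,bob.jones@old.example,false
ADMIN,admin@old.example,true
"""

# Azure AD side: the (assumed) legacy-email attribute extensionAttribute1
# carries the user's old mail address; new hires have it blank.
AZURE_CSV = """userPrincipalName,mail,extensionAttribute1
jakob.nielsen@new.example,jakob.nielsen@new.example,jakob.nielsen@old.example
anna.smith@new.example,anna.smith@new.example,anna.smith@old.example
carla.new@new.example,carla.new@new.example,
a.smith2@new.example,a.smith2@new.example,anna.smith@old.example
bjones@new.example,bjones@new.example,
"""


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def jira_username(value):
    """Jira matches usernames case-insensitively, so normalise the same way."""
    return value.strip().lower()


def username_from_attribute(value, pattern=r"^([^@]+)@.*$", replacement=r"\1"):
    """Regex transform of an Azure attribute into a username (default: UPN local part)."""
    return jira_username(re.sub(pattern, replacement, value))


def reconcile(ldap_rows, azure_rows, link_attr="extensionAttribute1"):
    """Propose a Jira username per Azure user and flag everything that must be
    resolved before the Azure directory is moved ahead of LDAP."""
    ldap_by_mail = {
        jira_username(r["mail"]): jira_username(r["sAMAccountName"])
        for r in ldap_rows if r["mail"]
    }
    ldap_names = {jira_username(r["sAMAccountName"]) for r in ldap_rows}

    mapping = {}                 # UPN -> proposed Jira username
    unmatched = []               # Azure users with no legacy link (treated as new)
    claims = defaultdict(list)   # proposed username -> UPNs claiming it
    for r in azure_rows:
        upn = r["userPrincipalName"]
        legacy = jira_username(r.get(link_attr) or "")
        if legacy in ldap_by_mail:
            name = ldap_by_mail[legacy]          # linked: reuse the old LDAP login
        else:
            unmatched.append(upn)
            name = username_from_attribute(upn)  # unlinked: derive a fresh username
        mapping[upn] = name
        claims[name].append(upn)

    return {
        "mapping": mapping,
        "unmatched": unmatched,
        # Two Azure users resolving to one username: only one can own the history.
        "collisions": {n: u for n, u in claims.items() if len(u) > 1},
        # LDAP accounts nobody claims keep their history but lose their login.
        "orphans": sorted(ldap_names - set(mapping.values())),
        # An unlinked Azure user whose derived username equals an existing LDAP
        # username would silently take over that account and its permissions.
        "hijack_risks": [u for u in unmatched if mapping[u] in ldap_names],
    }


def run():
    return reconcile(load_csv(LDAP_CSV), load_csv(AZURE_CSV))


if __name__ == "__main__":
    report = run()
    for key in ("collisions", "orphans", "hijack_risks", "unmatched"):
        print(f"{key}: {report[key]}")
```

On the sample data the script flags a.smith2 and anna.smith both claiming asmith, the unlinked bjones@new.example landing on the disabled LDAP account bjones, and the local ADMIN account as an orphan. A run with all three lists empty is the state to reach before reordering the directories; the linked mapping is only needed for that one sync, after which the mapped attribute can be switched to the permanent one, as the comment above describes.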
