Jira LDAP integration and user passwords

I would like to set up Jira in a way that would be visible from the Internet (and thus accessible to our partners) and at the same time would authenticate them against our Active Directory.

LDAP integration seems to be fairly straightforward in Jira, however I couldn't find any details as to what exactly "synchronization" does. It looks like it basically replicates the user catalog from AD into Jira's database, and the question I have, to which I couldn't find an answer, is: how are user passwords treated?

  • Does Jira replicate them in its database too?
  • Does Jira store them hashed or are they stored in cleartext?
  • Does LDAP synchronization mean that now I have an additional security risk of all passwords of all my AD users being stored in one more database?
  • Is this something that other people are concerned about?

Thanks.

3 answers

1 accepted

Hi,

that is my understanding of the LDAP sync:

  1. Jira stores no passwords
  2. Authentication is made against the LDAP directory
  3. Synchronisation means that, for example, usernames, groups and group memberships are copied to the internal Jira directory so that permission queries etc. can be realized faster

That's what I thought as well, but this document https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory has a list of settings that need to be configured, and in "User Schema" there's

User Password Attribute

The attribute field to use when loading a user's password. Example:

  • uni

How is this used?

Hi,

just had a look into the DB (cwd_users) where I found the table column 'credentials' which seems to store the encrypted password...

so the answer to your initial questions..

  • Does Jira replicate them in its database too?
  • Does Jira store them hashed or are they stored in cleartext?
  • Does LDAP synchronization mean that now I have an additional security risk of all passwords of all my AD users being stored in one more database?

.. must be:

Passwords are stored in the Jira DB (cwd-users) but they are hashed and cannot be converted into cleartext?!

I think there has to be an attribute for the password because the admin user has to store his password somewhere, but I don't know why LDAP users' passwords have to be stored ...

That's what I saw too. At the same time, disconnecting the LDAP connection (e.g. disabling the route on the firewall) prevents Jira from authenticating LDAP users, which means that it checks with the server anyway. So, the purpose of storing passwords is still unclear.

Pretty weird that you have the password hash stored in the cwd_user table for LDAP users. There shouldn't be any; it should show 'no pass' (or similar) instead. May I know what type of LDAP connection you have configured? What is the directory_id for the users that have the encrypted password in the database?

As for the 'user password attribute', I believe it is for JIRA to determine which attribute is the password for the user. If it is not specified, how can JIRA know which attribute is the password in LDAP and which to retrieve for the authentication?

I actually take that back - a few users from AD have something in credential field. Majority of my directory users' entries have value "nopass" in the credential field. I still wonder, what is that about...

Zulfadli,

Like I mentioned earlier, I have "nopass" for credential field for all LDAP users. That's solved.

However, I'm still curious - does Jira at any point during authentication query the password directly from LDAP?

I do think Septa has made it clear in his previous reply:

LDAP users' credentials are kept in the LDAP server and JIRA will refer to it whenever an authentication process occurs.

Hi, in regards to LDAP users' passwords, JIRA does not store them in its database nor synchronize them. LDAP users' credentials are kept in the LDAP server and JIRA will refer to it whenever an authentication process occurs. Hope it clarified your doubts. Cheers, Septa Cahyadiputra

Septa, in this case, what does synchronization do?

Synchronization will retrieve all user information that is configured to be retrieved, such as e-mail address and others. In the delegation process, Confluence retrieves this information during the authentication process, which means Confluence retrieves the user information one user at a time, while with synchronization it retrieves all users' information in one process.

For example, with synchronization you should be able to see the users' data after the synchronization process is done, while with the delegation process you would need to wait until the users authenticate against Confluence.

Hi,

we are using MS AD; for this kind of LDAP, Jira fills the 'user password attribute' with 'unicodePwd'...

So if I clear the field and sync with the directory, will the passwords be purged from the Jira DB without any trouble?
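For anyone who wants to verify the "nopass" observation from this thread on their own instance rather than eyeballing rows, here is an added audit query (written for this page, not Atlassian's own tooling). It assumes the Jira schema mentioned above, cwd_user with directory_id and credential, plus a join to cwd_directory (id, directory_name, directory_type), which the thread does not quote and which you should check against your Jira version.

```sql
-- Added audit query: per user directory, how many Jira accounts carry a stored
-- credential other than the 'nopass' marker. Assumes cwd_user(directory_id,
-- user_name, active, credential) and cwd_directory(id, directory_name,
-- directory_type); the cwd_directory columns are an assumption, verify them first.
SELECT d.id              AS directory_id,
       d.directory_name,
       d.directory_type,   -- INTERNAL, CONNECTOR (LDAP) or DELEGATING
       COUNT(*)          AS users_total,
       SUM(CASE WHEN u.credential IS NULL OR u.credential = 'nopass'
                THEN 0 ELSE 1 END) AS users_with_stored_credential
FROM   cwd_user u
JOIN   cwd_directory d ON d.id = u.directory_id
GROUP  BY d.id, d.directory_name, d.directory_type
ORDER  BY d.id;

-- Expected for a healthy setup: only the INTERNAL directory (local admin
-- accounts) shows users_with_stored_credential > 0. Any non-zero count on a
-- CONNECTOR or DELEGATING directory deserves a closer look, so list those users.
SELECT d.directory_name, u.user_name, u.active
FROM   cwd_user u
JOIN   cwd_directory d ON d.id = u.directory_id
WHERE  d.directory_type <> 'INTERNAL'
  AND  u.credential IS NOT NULL
  AND  u.credential <> 'nopass'
ORDER  BY d.directory_name, u.user_name;
```

Note that on Active Directory the unicodePwd attribute is write-only and is never returned by an LDAP search, so a connector directory cannot copy AD password material into cwd_user even when that attribute is configured; a hash in that column for an AD user points to an account that was created locally or migrated, not to a synchronized password.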
