Jira LDAP integration and user passwords

Leo Catallo August 22, 2013

I would like to set up Jira in a way that would be visible from the Internet (and thus accessible to our partners) and at the same time would authenticate them with our Active Directory.

LDAP integration seems to be fairly straightforward in Jira, however I couldn't find any details as to what exactly "synchronization" does. It looks like it basically replicates the user catalog from AD in Jira's database, and the question I have, to which I couldn't find an answer, is: how are user passwords treated?

  • Does Jira replicate them in its database too?
  • Does Jira store them hashed or are they stored in cleartext?
  • Does LDAP synchronization mean that now I have an additional security risk of all passwords of all my AD users being stored in one more database?
  • Is this something that other people are concerned about?

Thanks.

4 answers

1 accepted

0 votes
Answer accepted
[]D []-[] [] []_ August 22, 2013

Hi

This is my understanding of the LDAP sync:

  1. Jira stores no passwords
  2. Authentication is made against the LDAP directory
  3. Synchronisation means that, for example, usernames, groups and group memberships are copied to the internal Jira directory so that permission queries etc. can be realized faster

Leo Catallo August 23, 2013

That's what I thought as well, but this document https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory

has a list of settings that need to be configured and in "User Schema" there's

User Password Attribute

The attribute field to use when loading a user's password. Example:

  • uni

How is this used?

[]D []-[] [] []_ August 29, 2013

Hi

Just had a look into the DB (cwd_users), where I found the table column 'credentials', which seems to store the encrypted password...

So the answer to your initial questions..

  • Does Jira replicate them in its database too?
  • Does Jira store them hashed or are they stored in cleartext?
  • Does LDAP synchronization mean that now I have an additional security risk of all passwords of all my AD users being stored in one more database?

.. must be:

Passwords are stored in the Jira DB (cwd-users) but they are hashed and cannot be converted into cleartext?!

I think there has to be an attribute for the pw because the admin user has to store his pw somewhere, but I don't know why LDAP users' pws have to be stored ...

Leo Catallo August 29, 2013

That's what I saw too. At the same time, disconnecting LDAP connection (e.g. disabling the route on firewall) prevents Jira from authenticating LDAP users which means that it checks with the server anyway. So, the purpose of storing passwords is still unclear.

Zul NS _Atlassian_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 29, 2013

Pretty weird that you have the password hash stored in the cwd_user table for LDAP users. There shouldn't be any; it should show 'no pass' (or similar) instead. May I know what type of LDAP connection you have configured? What is the directory_id for the users that have the encrypted password in the database?

As for the 'user password attribute', I believe it is for JIRA to determine which attribute is the password for the user. If it is not specified, how can JIRA know which attribute is the password in LDAP and which to retrieve for the authentication?

Leo Catallo August 29, 2013

I actually take that back - a few users from AD have something in credential field. Majority of my directory users' entries have value "nopass" in the credential field. I still wonder, what is that about...

Leo Catallo August 30, 2013

Zulfadli,

Like I mentioned earlier, I have "nopass" for credential field for all LDAP users. That's solved.

However, I'm still curious - does Jira at any point during authentication query the password directly from LDAP?

Zul NS _Atlassian_
Atlassian Team
August 30, 2013

I do think Septa has made it clear in his previous reply:

LDAP users' credentials are kept in the LDAP server and JIRA will refer to it whenever an authentication process occurs.
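
A read-only audit of the situation discussed in this thread, as an added example that is not part of any post or of Atlassian's code: it lists users in non-internal directories whose credential field holds something other than "nopass". The `cwd_directory` table, its `directory_type` values and the sample rows are assumptions, built here in an in-memory SQLite database.

```python
import sqlite3

# Constructed subset of Jira's user tables. cwd_user.credential, directory_id
# and the "nopass" marker come from the thread; cwd_directory and its
# directory_type values are assumptions about the schema.
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_name TEXT,
                            directory_type TEXT);
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, directory_id INTEGER,
                       user_name TEXT, credential TEXT);
"""
SAMPLE_DIRECTORIES = [(1, "Internal", "INTERNAL"), (2, "Corp AD", "CONNECTOR")]
SAMPLE_USERS = [  # constructed rows, not real hashes
    (1, 1, "admin", "constructed-hash-admin"),
    (2, 2, "alice", "nopass"),
    (3, 2, "bob", "constructed-hash-bob"),
    (4, 2, "carol", None),
]

# Report only the length of the stored value so the audit output never
# contains the hash itself.
AUDIT_SQL = """
SELECT d.directory_name, u.user_name, length(u.credential)
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE d.directory_type <> 'INTERNAL'
  AND u.credential IS NOT NULL
  AND u.credential <> 'nopass'
ORDER BY d.directory_name, u.user_name
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_directory VALUES (?, ?, ?)", SAMPLE_DIRECTORIES)
    conn.executemany("INSERT INTO cwd_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def external_users_with_stored_credential(conn):
    """Return (directory, user, credential length) for unexpected rows."""
    return conn.execute(AUDIT_SQL).fetchall()

if __name__ == "__main__":
    for row in external_users_with_stored_credential(build_sample_db()):
        print("unexpected stored credential:", row)
```
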

1 vote
Septa Cahyadiputra
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 22, 2013

Hi,

In regards to the LDAP users' password, JIRA does not store it in its database nor synchronize it. LDAP users' credentials are kept in the LDAP server and JIRA will refer to it whenever an authentication process occurs.

Hope this clarifies your doubts.

Cheers,
Septa Cahyadiputra

Leo Catallo August 22, 2013

Septa, in this case, what does synchronization do?

Septa Cahyadiputra
Rising Star
August 23, 2013

Synchronization will retrieve all user information that is configured to be retrieved, such as e-mail address and others. In the delegation process, Confluence retrieves this information during the authentication process, which means Confluence retrieves the user information one at a time, while in synchronization it will retrieve all users' information in one process.

For example, in synchronization you should be able to see the users' data after the synchronization process is done, while in the delegation process you would need to wait until the users authenticate against Confluence.

0 votes
Troy Pawleska November 29, 2018

I synced LDAP with Jira and all was working great. I could log in with my AD password until I changed it in Jira; now I have two passwords and I can't get them to sync back up. I'd like to have single sign-on.

0 votes
[]D []-[] [] []_ September 1, 2013

Hi,

We are using MS AD; for this kind of LDAP Jira fills the 'user password attribute' with 'unicodePwd'...

So if I clear the field and sync with the directory, will the pwds be purged from the Jira DB without any trouble?
