Jira - LDAP only for SD customers

I would like to set up JIRA Service Desk so that users, when the arrive on the SD portal, can use their AD credentials to log in and create service requests. Is there a way to do this without counting towards JIRA's overall license limit (for the PM part of JIRA)?

5 answers

This widget could not be displayed.
Steven Behnke Community Champion Oct 09, 2015

How do you currently configure your directory?

This widget could not be displayed.

In user management -> user directories I have an active directory server configured and it is looking for a user and group DN to authenticate. They then get added to a default group membership: jira-administrators,jira-developers,jira-users Is there a way to point to another AD OU and let 'all active users' have a login which lets them create an issue on the service desk? (using another account because it wouldn't let me comment =( )

This widget could not be displayed.
Steven Behnke Community Champion Oct 09, 2015

... your default group membership applies the jira-users, jira-developers, jira-administrators groups huh. Wow.

This widget could not be displayed.

Yeah, and it's watching the AD group called 'Users' and the security group called 'Jira Administrators'. I've got a 10 user license as we test things before expanding out to the rest of the PM team. What would be helpful is letting me know if I need to have JIRA user licenses for every person who asks a question on Service Desk?

This widget could not be displayed.
Steven Behnke Community Champion Oct 09, 2015

Pertaining to your default group membership, my comment was just that it seemed a little crazy to apply Administrators to all users, it just doesn't seem like an ideal configuration off-hand. However, if you're just testing, I think you have it under control with that explanation, since it's only people with "JIRA Administrators" in your AD environment. Let's get to your issue then.

jira-users is what is licensing your users in this case (or any group you configure to have USE permissions, best to keep it simple and use a dedicated group for this). To explain this further: Any ACTIVE USERS within the group JIRA-USERS will count towards your JIRA license. Thus, we usually ensure that this group is the group that allows 'access.'

The way you have it set up, you are using Default Group Membership to license users within your application. All users within 'All Users, JIRA Administrators' are able to log into this connector. All of these users are then applied with Access/License (jira-users).

 

Let's clear up an assumption first. This may be important with your directory setup!!!

  1. Logging in, users will attempt each directory (in order)
  2. If they are not found in a directory, the service will attempt the next available directory
  3. If they are found in a directory, the service will attempt to authenticate them
    1. If they pass, they will log in
    2. If they fail, they will not log in (they will NOT attempt against another directory)

 

So, there is two workarounds to your issue –  

Using a single directory connector connected to your AD environment

  • Disable default group membership in JIRA/Crowd
    • Manually manage the group jira-users
    • Manually manage the group service-desk-customers

Using two directory connectors connected to your AD environment

  • Active Directory connector, "All Users, JIRA Administrators"
    • Apply jira-users to license users and grant access
    • Apply jira-developers
    • Apply jira-administrators
  • Active Directory connector, "All Users, Employees"
    • Apply service-desk-customers

Thanks so much. I will create another connector to authenticate based on 'all users' OU and 'employees' security group and set default group membership to service-desk-customers. Thanks a ton!

Steven Behnke Community Champion Oct 09, 2015

It is no problem at all. I think you will have no problems with this configuration assuming the users can ONLY authenticate through ONE directory connector. That is key.

Suggest an answer

Log in or Sign up to answer
Atlassian Summit 2018

Meet the community IRL

Atlassian Summit is an excellent opportunity for in-person support, training, and networking.

Learn more
Community showcase
Posted Aug 06, 2018 in Jira Service Desk

A is for Activate: Share your top Jira Service Desk onboarding tips for new users!

Hi, everyone! Molly here from the Jira Service Desk Product Marketing Team :).  In the spirit of this month's  august-challenge, we're sourcing stories of Jira Service Desk activation fro...

534 views 23 15
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you