Jira with LDAP-Auth and PosixGroups


I want to evaluate Jira and I have a problem with the LDAP authentication. The LDAP server is an Apache DS.

The users are loaded correctly, the groups also. But the membership of a group is not loaded.

In these groups the memberUid is only the uid, not the full DN like cn=Max Payne,ou=people,o=company.

Is there a way to let Jira work with these groups? I have no authorization to change our LDAP schemas.


4 answers

1 vote
David Chan Atlassian Team Dec 26, 2012

Does the uid match the username you defined for JIRA?

JIRA grabs the user name depending on the attribute you defined within the User Schema Settings > User Name RDN Attribute. By default, this is "cn" for Apache DS.

So in your case, if your memberships are based on the uid, then the User Name RDN Attribute should also use the uid field.


I have changed this field to "uid" but it doesn't work. There is no change I could recognize.


I have a similar problem. We are evaluating Jira with a Zimbra-based LDAP backend.
The username field is "uid" and the groups are stored in an objectclass=posixGroup

# developers, groups, mydomain.com
dn: cn=developers,ou=groups,dc=mydomain,dc=com
gidNumber: 10007
displayName: Software Developers
cn: developers
description: Software Developers
memberUid: benc
memberUid: malcolms
objectClass: posixGroup

I have done a manual ldapsearch from the command line which gets the answer I need ..

ldapsearch -x -LL -b ou=groups,dc=mydomain,dc=com "(&(objectclass=posixGroup)(memberUid=malcolms))" cn
version: 1

dn: cn=developers,ou=groups,dc=mydomain,dc=com
cn: developers

In the LDAP configuration page, I have ..

Group Schema Settings
Group Object Class: posixGroup
Group Object Filter: (objectclass=posixGroup)
Group Name Attribute: cn
Group Description Attribute: description

Membership Schema Settings
Group Members Attribute: memberUid
User Membership Attribute: uid
Use the User Membership Attribute: [*] When finding the user's group membership

I have used Wireshark to trace the network packets to the LDAP server and I can see that the search filter that Jira is using is

Filter: (&(objectclass=posixGroup)(memberUid=uid=malcolms,ou=people,dc=mydomain,dc=com))

This is fine when the group class is "groupOfUniqueNames" where the members are stored with their full dn. e.g.

objectclass: groupOfUniqueNames
uniqueMember: uid=testuser,ou=people,dc=example,dc=com

How can Jira be configured to just use the (memberUid=malcolms) when the group objectclass is posixGroup?

Bad news.

Having spent some time working through this problem with Jira support, the final outcome is that it will not work :(

The group mapping in this version of Jira only works when the Group Object Class is of type "groupOfUniqueNames", where the group member search is fully qualified.

We are running v5.2.10

Good news, I spoke too soon.

It seems that the reason it was not working was I had selected the wrong directory type.

"Open LDAP" instead of "Open LDAP (Read-Only Posix Schema)" - the important bit is the fact that it's a Posix Schema, with the side effect that Jira only has read-only support (I think).

Also found this post which had the same problem and fixed it the same way.
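
Added example, not from the thread and not Jira's code: the two membership layouts quoted above, with the filter each one needs and an in-memory check showing why the DN-valued filter seen in the Wireshark trace returns no posixGroup entries. The helper names and the "testers" group are hypothetical, the entries are constructed from the thread's samples, and matching is simplified to exact string comparison.

```python
# Added example: hypothetical helpers, constructed sample entries.
# RFC 4515 escapes for values placed inside a search filter.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def membership_filter(object_class, member_attr, uid, user_dn):
    """Build the group search filter for one user.

    posixGroup stores bare uids in memberUid; groupOfUniqueNames stores
    full DNs in uniqueMember, so the asserted value differs per schema.
    """
    value = uid if object_class.lower() == "posixgroup" else user_dn
    return "(&(objectclass=%s)(%s=%s))" % (
        object_class, member_attr, escape_filter_value(value))

def groups_for(entries, object_class, member_attr, value):
    """Emulate the server-side equality match (simplified: exact string)."""
    return [e["cn"] for e in entries
            if object_class in e["objectClass"]
            and value in e.get(member_attr, [])]

# Constructed entries mirroring the two layouts quoted in the thread.
GROUPS = [
    {"cn": "developers", "objectClass": ["posixGroup"],
     "memberUid": ["benc", "malcolms"]},
    {"cn": "testers", "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=testuser,ou=people,dc=example,dc=com"]},
]
UID = "malcolms"
USER_DN = "uid=malcolms,ou=people,dc=mydomain,dc=com"

if __name__ == "__main__":
    # Filter a posixGroup directory needs: bare uid as the asserted value.
    print(membership_filter("posixGroup", "memberUid", UID, USER_DN))
    # Bare uid finds the group; the full DN (as in the trace) finds nothing.
    print(groups_for(GROUPS, "posixGroup", "memberUid", UID))
    print(groups_for(GROUPS, "posixGroup", "memberUid", USER_DN))
```

Because the DN-valued search simply returns zero groups rather than an error, a schema mismatch like this shows up only as users with no group memberships, which is worth checking explicitly after any directory type change.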

