Jira with LDAP-Auth and PosixGroups

Dennis Ditte December 19, 2012

Hey,

I want to evaluate Jira and I have a problem here with the LDAP authentication. The LDAP server is an Apache-DS.

The users are loaded correctly, the groups also. But the membership of a group is not loaded.

In these groups the memberUid is only the uid, not the full DN like cn=Max Payne,ou=people,o=company.

Is there a way to let Jira work with these groups? I have no authorization to change our LDAP schemas.

Regards

4 answers

1 vote
David Chan
Atlassian Team
December 26, 2012

Does the uid match the username you defined for JIRA?

JIRA grabs the user name depending on the attribute you defined within the User Schema Settings > User Name RDN Attribute. By default, this is "cn" for Apache DS.

So in your case, if your memberships are based on the uid, then the User Name RDN Attribute should also use the uid field.

Dennis Ditte January 6, 2013

Hi,

I have changed this field to "uid" but it doesn't work. There is no change I could recognize.

0 votes
Malcolm Shamwana - I.T. May 7, 2013

Good news, I spoke too soon.

It seems that the reason it was not working was I had selected the wrong directory type.

"Open LDAP" instead of "Open LDAP (Read-Only Posix Schema)" - the important bit is the fact that it's a Posix Schema, with the side effect that Jira only has read-only support (I think).

Also found this post which had the same problem and fixed it the same way.

http://stackoverflow.com/questions/14707019/ldap-user-are-not-put-automatically-into-ldap-group-in-jira

0 votes
Malcolm Shamwana - I.T. May 7, 2013

Bad news.

Having spent some time working through this problem with Jira support, the final outcome is that it will not work :(

The group mapping in this version of Jira only works when the Group Object Class is of type "groupOfUniqueNames", where the group member search is fully qualified.

We are running v5.2.10

0 votes
Malcolm Shamwana - I.T. April 17, 2013

Hi

I have a similar problem. We are evaluating Jira with a Zimbra-based LDAP backend.
The username field is "uid" and the groups are stored in an objectclass=posixGroup

# developers, groups, mydomain.com
dn: cn=developers,ou=groups,dc=mydomain,dc=com
gidNumber: 10007
displayName: Software Developers
cn: developers
description: Software Developers
memberUid: benc
memberUid: malcolms
objectClass: posixGroup

I have done a manual ldapsearch from the command line which gets the answer I need ..

ldapsearch -x -LL -b ou=groups,dc=mydomain,dc=com "(&(objectclass=posixGroup)(memberUid=malcolms))" cn
version: 1

dn: cn=developers,ou=groups,dc=mydomain,dc=com
cn: developers

In the LDAP configuration page, I have ..

Group Schema Settings
Group Object Class: posixGroup
Group Object Filter: (objectclass=posixGroup)
Group Name Attribute: cn
Group Description Attribute: description

Membership Schema Settings
Group Members Attribute: memberUid
User Membership Attribute: uid
Use the User Membership Attribute: [*] When finding the user's group membership

I have used Wireshark to trace the network packets to the LDAP server and I can see that the search filter that Jira is using is

Filter: (&(objectclass=posixGroup)(memberUid=uid=malcolms,ou=people,dc=mydomain,dc=com))

This is fine when the group class is "groupOfUniqueNames" where the members are stored with their full dn. e.g.

objectclass: groupOfUniqueNames
uniqueMember: uid=testuser,ou=people,dc=example,dc=com

How can Jira be configured to just use the (memberUid=malcolms) when the group objectclass is posixGroup ?
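The mismatch traced in the post above, as an added example that is not part of the original thread and is not Jira's code: it builds the group-membership filter both ways (bare uid for posixGroup, full DN for groupOfUniqueNames) and checks each against the posted group entry. All function names and the `member_is_dn` switch are hypothetical, the entry is a constructed copy of the values quoted in the post, and the matcher is a plain exact-string stand-in for the directory server.

```python
# Added illustration; names are hypothetical, sample data is constructed
# from the values quoted in the post.
USER_DN = "uid=malcolms,ou=people,dc=mydomain,dc=com"
USER_UID = "malcolms"

GROUPS = [{
    "dn": "cn=developers,ou=groups,dc=mydomain,dc=com",
    "objectClass": ["posixGroup"],
    "memberUid": ["benc", "malcolms"],
}]


def escape_filter_value(value):
    """Escape a string used as an LDAP filter assertion value (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def member_value(user_dn, uid, member_is_dn):
    """groupOfUniqueNames stores the member's DN; posixGroup stores the uid."""
    return user_dn if member_is_dn else uid


def membership_filter(object_class, member_attr, user_dn, uid, member_is_dn):
    """Build the 'which groups contain this user' search filter."""
    value = escape_filter_value(member_value(user_dn, uid, member_is_dn))
    return "(&(objectclass=%s)(%s=%s))" % (object_class, member_attr, value)


def find_groups(entries, object_class, member_attr, value):
    """Stand-in for the server: exact match on one member attribute."""
    return [e["dn"] for e in entries
            if object_class in e["objectClass"]
            and value in e.get(member_attr, [])]


def lookup(member_is_dn):
    """Return (filter, matching group DNs) for the posted posixGroup setup."""
    flt = membership_filter("posixGroup", "memberUid",
                            USER_DN, USER_UID, member_is_dn)
    value = member_value(USER_DN, USER_UID, member_is_dn)
    return flt, find_groups(GROUPS, "posixGroup", "memberUid", value)


if __name__ == "__main__":
    for mode in (True, False):
        flt, hits = lookup(mode)
        print("member_is_dn=%s\n  %s\n  groups: %s" % (mode, flt, hits))
```

The escaping step matters in a real connector because the uid placed into the filter comes from the login form or the directory, and an unescaped `*` or parenthesis would change what the filter matches.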
