Microsoft Active Directory Synch

Jerry Su June 18, 2017

Hello,

QUESTION:
1. Jira uses Microsoft Active Directory authentication.


Recent changes to the new Microsoft Active Directory, for example: for users who originally used the old Microsoft Active Directory --> abc account and now use the new Microsoft Active Directory authentication, does the account need to be migrated? Will the original Microsoft Active Directory sync data with the new Microsoft Active Directory users?

2. Jira Microsoft Active Directory settings: https://confluence.atlassian.com/adminjiraserver071/connecting-to-an-ldap-directory-802592350.html

This question is not good to describe ...
When fully set up, all AD Server "users" user lists are imported into Jira USER DIRECTORIES, provided that all AD Server users are placed in the users folder, and USER DIRECTORIES can see the correct user list. However, if I move the AD Server sub-department folder and each user into the individual department folder, I will not be able to see the whole user list, only the users in "users".

How to fix this problem?

How does Microsoft Active Directory need to be modified?

1 answer

0 votes
Andy Heinzer
Atlassian Team
July 20, 2017

I understand that you have an existing Microsoft AD server as a user directory in JIRA and have some concerns about switching user directories. But I am somewhat confused by your questions, as they are not clear to me.

If the usernames that exist in JIRA are the same as the usernames in the new AD directory, then what you can do is just add a new user directory in JIRA with the new AD server settings. When the time comes to switch the user directories, in JIRA you can just re-order the priority of the user directories. The directory on top will be used when users try to authenticate. If the user exists in multiple directories, only the top ordered directory is used to authenticate that user. Only if the username does not exist in the top directory will the subsequent directories be used to try to authenticate that user.

JIRA's built-in user migration feature won't work with a user directory that is in a connected configuration (that is to say, one that syncs and not a delegated directory). But you shouldn't have to migrate the users if they already actually exist in the new AD server.

We need to know more about your current configuration. In JIRA are you using the Read only, Read only with local groups, or the Read/write option for these user directories?

If your AD server is also syncing over groups, then the JIRA user memberships to those AD groups can only be applied to JIRA users that are logged in from that same directory. This can get very confusing if you have 2 or more AD/LDAP instances connected to JIRA with the same group names. The only exception to this user-group correspondence is if you are using the Read only with local groups option. And even then that just allows you to place these AD/LDAP users into a local group that was created in the JIRA Internal user directory. For some instances that do not want to manage the group memberships as they relate to JIRA in AD/LDAP, the Read only with local groups option allows you to manage the group memberships directly in JIRA.

If I understand correctly, you are trying to make a change to the OU in the AD instance, but are not seeing the groups after doing so... only the users. If that is the case, then we would likely need to focus on what DN settings you are using for this directory in JIRA, and need to pay closer attention to the LDAP filters being used to bring over the users and groups. It could be that your filter is restricting what objects get brought into JIRA.
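
The scoping effect discussed in the answer above, as an added example that is not part of the original thread or Atlassian's code: a small simulation of an LDAP subtree search showing why users moved into department OUs stop appearing when the search root is still the `Users` container. It assumes the directory is configured with a Base DN plus an optional Additional User DN that is prepended to it; all DNs and the helper names are constructed for illustration.

```python
# Constructed sample directory: every DN and object class here is made up.
ENTRIES = [
    ("CN=Alice,CN=Users,DC=example,DC=com", "user"),
    ("CN=Bob,OU=Sales,DC=example,DC=com", "user"),
    ("CN=Carol,OU=Engineering,DC=example,DC=com", "user"),
    ("CN=jira-users,OU=Groups,DC=example,DC=com", "group"),
]


def parse_dn(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """True if entry_dn is at or below base_dn (LDAP subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def search_root(base_dn, additional_dn=""):
    """Assumption: the additional DN is prepended to the base DN."""
    return f"{additional_dn},{base_dn}" if additional_dn else base_dn


def visible(base_dn, additional_dn, object_class):
    """DNs of the given class that a subtree search from the root returns."""
    root = search_root(base_dn, additional_dn)
    return sorted(
        dn for dn, oc in ENTRIES
        if oc == object_class and in_subtree(dn, root)
    )


if __name__ == "__main__":
    base = "DC=example,DC=com"
    # Root pinned to CN=Users: Bob and Carol (moved to OUs) are not synced.
    print("CN=Users scope:", visible(base, "CN=Users", "user"))
    # Root widened to the domain: all three users are in scope again.
    print("domain scope:  ", visible(base, "", "user"))
```

Widening the search root brings more objects into scope, so the user object filter then carries the job of keeping service or disabled accounts out of the synced directory.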
