Need help on integrating JIRA with Crowd

We have a local JIRA instance with its own internal directory for authentication & authorization and are now planning to upgrade to Crowd. While integrating with Crowd (evaluation product), I faced some issues and I hope to get some help from this group for the same.

Existing JIRA setting (i.e., before installing Crowd)

A. It uses its own internal database /directory for authentication and authorization (later I updated this for Crowd integration)

B. It has all Jira groups: jira_users, jira_developers & jira_administrator and all groups, including jira_administrator, have more than one user

C. I am part of all groups.

Steps followed in installing and configuring Crowd:

1. Installed evaluation copy of Crowd with its own embedded database on a separate machine (where Jira is NOT running)

2. Created Active Directory group link

3. Added a Crowd connector in ‘User Directories’ of existing Jira (but did not configure for SSO)

4. Added a Jira application in Crowd and pointed it to our existing Jira (specified in the above step)

5. Configured the AD group (created in step 2) for the Jira application configured in step 4; authentication is like this: anyone in this configured AD group is allowed to access the Jira application

6. From Crowd, ran an authentication test with my Windows credentials and it passed

Problem:

Although the authentication test passed from Crowd, I am unable to log in to Jira using Windows credentials; I am always getting a "user name and password are wrong" error message!

Can anyone tell me what is the mistake that I did and how to correct? In addition to this problem, I would also like to get clarification for following questions:

1. After Crowd integration, we want people from our local Jira groups (i.e. already existing people in jira_users, jira_developers and jira_administrators in our local instance of JIRA) only to access our Jira but not everyone in the configured AD. How can I achieve this?

2. One of our products deals with Jira programmatically. After this Crowd integration, will there be any change with respect to authentication and authorization from our product perspective? (i.e., can users continue using our product with AD credentials without making any changes to our product? At present users are using JIRA managed credentials.)

Observations:

1. After adding AD link in the Crowd, I am able to view users in that AD but not groups. Because of this, while configuring Jira application, I could not set specific group of people to access the application (and hence I allowed everyone in that AD)

=== Directories configured ===

Directory ID: 1

Name: JIRA Internal Directory

Active: true

Type: INTERNAL

Created date: Wed Feb 27 16:58:19 IST 2013

Updated date: Wed Feb 27 16:58:19 IST 2013

Allowed operations: [CREATE_GROUP, CREATE_ROLE, CREATE_USER, DELETE_GROUP, DELETE_ROLE, DELETE_USER, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, UPDATE_ROLE, UPDATE_ROLE_ATTRIBUTE, UPDATE_USER, UPDATE_USER_ATTRIBUTE]

Implementation class: com.atlassian.crowd.directory.InternalDirectory

Encryption type: atlassian-security

Attributes:

"user_encryption_method": "atlassian-security"

Directory ID: 10000

Name: Crowd Server

Active: true

Type: CROWD

Created date: Wed Jul 03 11:42:34 IST 2013

Updated date: Thu Jul 04 10:48:33 IST 2013

Allowed operations: [UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE]

Implementation class: com.atlassian.crowd.directory.RemoteCrowdDirectory

Encryption type: null

Attributes:

"application.name": "myTestApplication"

"application.password": (not shown)

"com.atlassian.crowd.directory.sync.currentstartsynctime": "null"

"com.atlassian.crowd.directory.sync.issynchronising": "false"

"com.atlassian.crowd.directory.sync.lastdurationms": "563"

"com.atlassian.crowd.directory.sync.laststartsynctime": "1372915112566"

"crowd.server.url": "http://myServer:8095/crowd/"

"crowd.sync.incremental.enabled": "true"

"directory.cache.synchronise.interval": "3600"

"useNestedGroups": "false"

3 answers

1 accepted

I got it...I just created groups in AD with required people and synced only those groups into JIRA!

Too many questions. Not sure I am addressing all

  1. Check the atlassian-jira-security.log and see the error reported. If it says "does not have USE permission", it means the user is not part of any group who is configured to login to JIRA under JIRA Global Permissions for JIRA Users
  2. Not sure if you really need an external Crowd, you can just configure Internal Directory with Delegated Authentication and connect to the AD. Once configured, you can migrate the existing users to this new directory and they will start authenticating with it.
  3. Also you can disable copy user on first login and only existing users can login, and not everyone from AD

Thanks for the quick response Renjith.

I will try your suggestion and let you know the result.

Regards

Aravind

Hey Renjith,

As you suggested, I created another JIRA internal directory that authenticates using AD. This worked and thanks a lot. Now I have another question:

- I configured this newly created internal directory in such a way that anyone who logs in for the first time will be authenticated against the specified AD and if it succeeds, they will be added to jira-users. This actually has a problem for us because we have an application that uses JIRA projects for bug reporting. Now, as anyone in the AD can be authenticated, any AD-user can use our application which we want to control. Can you please tell me how can I prevent someone using our application although they are in the AD? (earlier we were explicitly managing this using JIRA internal directory user management)

Looking for your help.

Hey there,

First I have a question, you mentioned that you've created the groups in Crowd, but you also mentioned jira_users with underline (_), instead of a dash (-). Could you check this?

The default would be jira-users, this may be one of the problems as the global permissions in JIRA are set this way.

Another thing, I see JIRA Internal Directory is on the top position, this can be a problem if you want to log with the users from Crowd, because if you have two users with the same username, one in each directory, you will only be able to authenticate with the credential of the user that belongs to the directory listed on the top.

I hope this helps.

Cheers

Hi, thanks for the response.

It was just a typo in this post - all groups are as defined by JIRA (i.e., they are separated by a dash only)

And for the second point, JIRA internal directory is on top because, after I faced login problem, I set the default directory to its internal directory rather than Crowd
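
An added example, not part of the original thread and not Atlassian code: a small Python parser for the "Directories configured" dump format pasted in the question. It flags the directory-order issue raised in the last answer and the plain-HTTP Crowd URL. The sample dump is constructed from the question's values, and the order check assumes the dump lists directories in lookup order.

```python
import re

# Constructed sample, abbreviated from the dump format shown in the question.
SAMPLE_DUMP = """\
=== Directories configured ===
Directory ID: 1
Name: JIRA Internal Directory
Active: true
Type: INTERNAL
Attributes:
"user_encryption_method": "atlassian-security"
Directory ID: 10000
Name: Crowd Server
Active: true
Type: CROWD
Attributes:
"application.name": "myTestApplication"
"crowd.server.url": "http://myServer:8095/crowd/"
"""

ATTR_RE = re.compile(r'^"([^"]+)":\s*"(.*)"$')
FIELD_RE = re.compile(r'^([A-Za-z][A-Za-z ]*):\s*(.*)$')

def parse_directories(text):
    """Return the directories in listed order, one dict per directory."""
    dirs = []
    for line in (raw.strip() for raw in text.splitlines()):
        attr = ATTR_RE.match(line)
        field = FIELD_RE.match(line)
        if attr and dirs:
            dirs[-1]["attributes"][attr.group(1)] = attr.group(2)
        elif field and field.group(1) == "Directory ID":
            dirs.append({"Directory ID": field.group(2), "attributes": {}})
        elif field and dirs:
            dirs[-1][field.group(1)] = field.group(2)
    return dirs

def review(dirs):
    """Flag settings tied to the login problem and to credential exposure."""
    findings = []
    active = [d for d in dirs if d.get("Active") == "true"]
    # Assumption: listed order equals lookup order, as the last answer reads it.
    for pos, d in enumerate(active):
        url = d["attributes"].get("crowd.server.url", "")
        if url.lower().startswith("http://"):
            findings.append(f"{d['Name']}: Crowd URL is plain HTTP, credentials travel unencrypted")
        if d.get("Type") == "CROWD" and pos > 0:
            findings.append(f"{d['Name']}: listed after {active[0]['Name']}, a duplicate username there wins")
    return findings
```

Calling `review(parse_directories(dump_text))` on the full double-spaced dump from the question works the same way, since blank and unrecognised lines such as `"application.password": (not shown)` are skipped.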
