We have a local JIRA instance with its own internal directory for authentication & authorization and now planning to upgrade to Crowd. While integrating with Crowd (evaluation product), I faced some issues and I hope to get some help from this group for the same.
A. It uses its own internal database /directory for authentication and authorization (later I updated this for Crowd integration)
B. It has all Jira groups: jira_users, jira_developers & jira_administrator and all groups, including jira_adminstrator, have more than one user
C. I am part of all groups.
1. Installed evaluation copy of Crowd with its own embedded database on a separate machine (where Jira is NOT running)
2. - Created Active Directory group link
3. - Added a Crowd connector in ‘User Directories’ of existing Jira (but did not configure for SSO);
4. - Added a Jira application in Crowd and pointed it to our existing Jira (specified in the above step)
5. - Configured the AD group (created in step 2) for the Jira application configured in step 4; authentication is like this: anyone in this configured AD group is allowed to access the Jira application
6. - From Crowd, ran an authentication test with my windows credentials and it passed
Although authentication test passed from Crowd, I am unable to login to Jira using windows credentials; I am always getting "user name and password are wrong" error message!
Can anyone tell me what is the mistake that I did and how to correct? In addition to this problem, I would also like to get clarification for following questions:
1. After Crowd integration, we want people from our local Jira groups (i.e. already existing people in jira_users jira_developers and jira_administrators in our local instance of JIRA) only to access our Jira but not everyone in the configured AD. How can I achieve this?
2. One of our products deal with Jira programmatically. After this Crowd integration, will there be any change with respect to authentication and authorization from our product perspective? (i.e., can users continue using our product with AD credentials without making any changes to our product (at present users are using JIRA managed credentials).
1. After adding AD link in the Crowd, I am able to view users in that AD but not groups. Because of this, while configuring Jira application, I could not set specific group of people to access the application (and hence I allowed everyone in that AD)
Directory ID: 1
Name: JIRA Internal Directory
Created date: Wed Feb 27 16:58:19 IST 2013
Updated date: Wed Feb 27 16:58:19 IST 2013
Allowed operations: [CREATE_GROUP, CREATE_ROLE, CREATE_USER, DELETE_GROUP, DELETE_ROLE, DELETE_USER, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, UPDATE_ROLE, UPDATE_ROLE_ATTRIBUTE, UPDATE_USER, UPDATE_USER_ATTRIBUTE]
Implementation class: com.atlassian.crowd.directory.InternalDirectory
Encryption type: atlassian-security
Directory ID: 10000
Name: Crowd Server
Created date: Wed Jul 03 11:42:34 IST 2013
Updated date: Thu Jul 04 10:48:33 IST 2013
Allowed operations: [UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE]
Implementation class: com.atlassian.crowd.directory.RemoteCrowdDirectory
Encryption type: null
"application.password": (not shown)
Too many questions. Not sure I am addressing all
As you suggested, I created another JIRA internal directory that authenticates using AD. This worked and thanks a lot. Now I have another question:
- I configured this newly created internal directory in such a way that, anyone who logs-in for the first time will be authenticatd against the specified AD and if it succeeds, they will be added to jira-users. This actually has a problem for us because, we have an application that uses JIRA projects for bug reporting. Now, as anyone in the AD can be authenticated, any AD-user can use our application which we want to control. Can you please tell me how can I prevent someone using our application although they are in the AD? (earlier we were explicitly managing this using JIRA internal directory user management)
Looking for your help.
First I have a question, you mentioned that you've created the groups in Crowd, but you also mentioned jira_users with underline (_), instead of a dash (-). Could check this?
The default would be jira-users, this may be one of the problems as the global permissions in JIRA are set this way.
Another thing, I see JIRA Internal Directory is on the top position, this can be a problem if you want to log with the users from Crowd, because if you have two users with the same username, one in each directory, you will only be able to authenticate with the credential of the user that belongs to the directory listed on the top.
I hope this helps.
Hi, thanks for the response.
It was just a typo in this post - all groups are as defined by JIRA (i.e., they are separated by a dash only)
And for the second point, JIRA internal directoy is on top because, after I faced login problem, I set the default directory to its internal directory rather than Crowd
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot