Questions about switching to use LDAP Authentication

NickW December 10, 2013

OK....

I know little about LDAP but I am being asked questions about using it for our JIRA installation. I have read various documentation (https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication) and there seem to be multiple ways of implementing it. So to my questions...

1. It appears it can be used just for authentication or can be used to control group membership - is that correct?

2. If we implement only LDAP Authentication my assumption is that all the existing user accounts have to be linked to the LDAP account in some way to get the groups etc. But I haven't seen anything about this or how to do it. Is my thinking wrong?

3. I am in a global organisation with a very large number of users. Is it possible to only let certain users access JIRA? I.e. we don't want to blow the licence limit because curious employees have been trying to log in.

4. Obviously I do not want to bring the whole system down, so what would be the best way to trial and roll such a change out?

5. Do we lose anything by switching to LDAP?

Many thanks for your help

Nick

0 votes
Answer accepted
Tiago Comasseto
Rising Star
December 10, 2013

Hey Nick,

Regarding your questions:

1. It appears it can be used just for authentication or can be used to control group membership - is that correct?

You can implement JIRA/LDAP integration in two ways:

You can use the groups from your LDAP in both options.

2. If we implement only LDAP Authentication my assumption is that all the existing user accounts have to be linked to the LDAP account in some way to get the groups etc. But I haven't seen anything about this or how to do it. Is my thinking wrong?

Since version 5.0.3 (JRA-24213), JIRA has a feature to migrate users between the Internal and Internal with Delegated Authentication directories.

However, after this migration, the LDAP authentication will only work if the usernames are exactly the same as the usernames in your LDAP (including case sensitive).

3. I am in a global organisation with a very large number of users. Is it possible to only let certain users access JIRA? I.e. we don't want to blow the licence limit because curious employees have been trying to log in.

You can restrict the LDAP scope as in this doc. It's for the Crowd application, but it's pretty much the same for JIRA.

4. Obviously I do not want to bring the whole system down, so what would be the best way to trial and roll such a change out?

You may create a test instance as suggested in this doc.

5. Do we lose anything by switching to LDAP?

The tickets and other settings in JIRA rely on usernames, so if the usernames in JIRA and LDAP match you won't lose anything.

I hope it helps.

Cheers

NickW December 10, 2013

BOOM!!! that was my brain exploding!! Thanks for the response Tiago..

with ref to :
I can create a new user directory which is
'Internal with LDAP Authentication'

it says ....Enter the values for the settings, as described below. which includes many things including schema and group schema. Do I need to set these up as all I want is LDAP to do authentication and not manage the groups. Or are these different groups being talked about?

Having created this, do I delete the existing directory?? Confused as it suggests switching orders, i.e. having multiple directories, in this article... but elsewhere it says having users with the same names in different directories is very bad as it causes issues with permissions etc.

Above you wrote:
>> Since version 5.0.3 (JRA-24213), JIRA has a feature to migrate users between the Internal and Internal with Delegated Authentication directories.

>> However, after this migration, the LDAP authentication will only work if the usernames are exactly the same as the usernames in your LDAP (including case sensitive).
Does this mean that the internal usernames have to be changed to match the LDAP names in the existing directory??
Cheers
Nick

Tiago Comasseto
December 10, 2013

Hey Nick,

When using Internal with LDAP Authentication directory, if you don't want to manage the group in your LDAP, you just need to leave the option Synchronise Group Memberships unmarked.

After the new Internal with LDAP Authentication directory is created, you can just move it to the top position. I don't usually suggest deleting the other directories; instead you can disable them if you wish. It has the same effect as deleting the directory, but with the advantage of being able to enable it again if it's needed for some reason.

And yes, before migrating the users between the directories, the first thing I advise you to do is adjust usernames in JIRA and LDAP to match.

Since JIRA version 6.x it's now possible to rename users that belong to the Internal directory (see this improvement request). However, it's only possible one user at a time and, at this stage, this is the only supported option to rename users.

Cheers
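
The pre-migration username check discussed in this thread (JIRA and LDAP usernames must match exactly, including case), sketched as an added example that is not part of the original posts or of JIRA itself. It assumes you have already exported both username lists by hand; the function name `check_usernames` and the sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict

def check_usernames(jira_users, ldap_users):
    """Classify each JIRA username against the LDAP usernames.

    exact     - present in LDAP with identical case (nothing to do)
    case_only - {jira_name: ldap_name}, differs only by case (rename first)
    missing   - no LDAP account at all (would not authenticate afterwards)
    ambiguous - case-insensitive match on several LDAP names (resolve by hand)
    """
    ldap_users = [u.strip() for u in ldap_users if u.strip()]
    ldap_exact = set(ldap_users)
    by_folded = defaultdict(set)
    for name in ldap_users:
        by_folded[name.casefold()].add(name)

    report = {"exact": [], "case_only": {}, "missing": [], "ambiguous": []}
    for raw in jira_users:
        name = raw.strip()
        if not name:
            continue
        if name in ldap_exact:
            report["exact"].append(name)
            continue
        candidates = by_folded.get(name.casefold(), set())
        if not candidates:
            report["missing"].append(name)
        elif len(candidates) == 1:
            report["case_only"][name] = next(iter(candidates))
        else:
            report["ambiguous"].append(name)
    return report

# Constructed sample data: not real accounts.
JIRA_USERS = ["alice", "BobK", "carol", "svc-build", "DaveM"]
LDAP_USERS = ["alice", "bobk", "Carol", "davem", "DAVEM"]

if __name__ == "__main__":
    result = check_usernames(JIRA_USERS, LDAP_USERS)
    for category, names in result.items():
        print(f"{category}: {names}")
```

Accounts reported under `missing` are worth reviewing before the switch, since local-only accounts (service or admin users) have no LDAP counterpart to authenticate against.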
