We use our Jira server for different projects. The first one we have started is open to external users with the ability for them to create their own account in Jira.
Now, we need to start a new project for our staff and we have a LDAP that could be used for authentication.
Is it possible to have in the same server the two kinds of authentication : LDAP for our staff and internal Jira directory for external users ?
Nous utilisons notre serveur Jira pour plusieurs projets. Le premier projet que nous avons mis en oeuvre est ouvert à des utilisateurs externes, avec la possibilité pour eux de créer leur propre compte dans Jira.
Maintenant, nous avons un nouveau projet pour nos besoin internes qui sera ouvert à notre personnel et notre LDAP pourrait servir pour l'authentification de ces utilisateurs.
Est-il possible d'avoir les deux modes d'authentification sur le même serveur : LDAP pour notre personnel et répertoire interne à Jira pour les utilisateurs externes à notre organisation ?
Hello Phillipe, bonjour Phillipe (et c'est tout je peut dis en francais, je dois continuer en anglais),
it is possible, even with older Jira Versions.
For current Jira versions you simply have to create a secnod user directory. Be sure to list it under the internal directory in the directory list.
Here is the excellent Atlassian documentation: https://confluence.atlassian.com/display/JIRA/Configuring+User+Directories
You can user Read Only LDAP with local Groups, if you want to be sure that Jira does not interfere with your LDAP setup.
Thank you for your answer.
I've configured the new User directory with the type "OpenLDAP (Read-Only Posix Schema)" and testing answer it's OK but when I try to log in Jira with a new user present in LDAP, the connexion is rejected and I find this message in atlassian-jira-security.log :
2012-09-27 12:08:33,198 TP-Processor7 anonymous 728x407x1 1jt7hyy 172.26.3.21 /rest/gadget/1.0/login login : 'pcassagnes' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
System Admin tells me that he can't find a connexion from Jira server to LDAP server.
Is there a place where I can see in the Jira Server if it has called LDAP server ?
Jira synchronises ever 60 minutes with LDAP and checks only user login in meantime.
And during your setup you have made an "ldap connecton test" if there was no errer (and I assume there was none) then Jira connects to LDAP correctly.
Have you set the location of your ldap groups? (Jira needs to read those).
If you don't want to create a jira-users group in LDAP (containing all of your ldap users that have to be able to log in to jira) then you have to enable a given LDAP group in Jira for Log in (thats in the GLOBAL settings)
The permission for the LDAP Group is: JIRA Users
Then your LDAP Users are able to log in to Jira.
Hint: I think the easier way is to create LDAP groups, named: "jira-administrators" "jira-developers" and "jira-users"
I don't understand the User Directory config screen same as I understand what you say in your last comment !
On the User Directory config screen, I can read, under the label "Default Group Memberships:"
A comma-separated list of groups that users will be added to when they first log in. These groups will be created if they don't already exist.
And for me it means that the user will be added in the Default Group Memberships in Jira when he logs in for the first time.
The Default Group Memberships was set by default to "jira-users" but in my french Jira, the equivalent group is called "GrpUtilisateurs" so I've changed this but same result : unknown Jira user existing in LDAP is refused par Jira.
I'va also tried to change the type of directory to simply "Open LDAP" and testing was OK but same result trying to log in with a new user.
that mens, that you have only authentification done by LDAP.
If you can, please try the following (IN A TEST ENVORONMENT!):
- Use Directory Type "OpenLDAP"
- Put in your LDAP Details (LogonUser for Jira, Base DN User DN (without baseDN) and GroupDN (without baseDN)
- Mark it READ ONLY
- Under User Schmea Settings (I don't know the french title for that part of the LDAP screen) make sure that you use the correct User Password Encryption Scheme
- Klick on save and test:
- Put in your LDAP User for extended Testing
- Klick on Test Settings
Be back tomorrow, good luck
System admin told me that an account was not required to connect to our LDAP but it was false. Then he has created an account for Jira and it works for the users present in LDAP.
But there is still a little problem...
When a new external user "Sign Up" to obtain an account on our Jira server, it's included in "Internal with LDAP Authentication User Directory" and then Jira ask our Open LDAP to check password and, of course, it fails because the external user is not present in our LDAP.
Is it possible to specify that new accounts created by "Sign Up" option of the welcome screen must be included in "JIRA Internal Directory" ?
Yes, I've found in the doc that new users are always created in the first directory of the list.
So I've put JIRA Internal Directory in first position and it works just like I want :
- new external users are created in JIRA Internal Directory
- new internal users found in our LDAP are created in Internal with LDAP Authentication User Directory".
Thank you very much for your help !
Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot