[Solved] LDAP + internal authentication

Philippe Leménager
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 26, 2012

[English version]

Hello,

We use our Jira server for different projects. The first one we have started is open to external users with the ability for them to create their own account in Jira.

Now, we need to start a new project for our staff and we have a LDAP that could be used for authentication.

Is it possible to have in the same server the two kinds of authentication : LDAP for our staff and internal Jira directory for external users ?

[French version]

Hello,

We use our Jira server for several projects. The first project we set up is open to external users, with the possibility for them to create their own account in Jira.

Now we have a new project for our internal needs that will be open to our staff, and our LDAP could be used to authenticate those users.

Is it possible to have both authentication modes on the same server: LDAP for our staff and Jira's internal directory for users outside our organisation?

1 answer

1 accepted

1 vote
Answer accepted
Manse Wolken
September 26, 2012

Hello Philippe, bonjour Philippe (and that's all I can say in French, I have to continue in English),

It is possible, even with older Jira versions.

For current Jira versions you simply have to create a second user directory. Be sure to list it under the internal directory in the directory list.

Here is the excellent Atlassian documentation: https://confluence.atlassian.com/display/JIRA/Configuring+User+Directories

You can use Read Only LDAP with local groups, if you want to be sure that Jira does not interfere with your LDAP setup.

Have fun

Manse

Philippe Leménager
September 26, 2012

Thank you for your answer.

I've configured the new user directory with the type "OpenLDAP (Read-Only Posix Schema)" and the test reports OK, but when I try to log in to Jira with a new user present in LDAP, the connection is rejected and I find this message in atlassian-jira-security.log:

2012-09-27 12:08:33,198 TP-Processor7 anonymous 728x407x1 1jt7hyy 172.26.3.21 /rest/gadget/1.0/login login : 'pcassagnes' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

The system admin tells me that he can't find a connection from the Jira server to the LDAP server.

Is there a place where I can see in the Jira server if it has called the LDAP server?
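The security-log line quoted above is the one place Jira records this outcome: the message "tried to login but they do not have USE permission or weren't found" is written when the login name could not be resolved in any user directory, or the resolved account lacks the JIRA Users global permission. The following script is an added example, not code from the thread or from Atlassian: it parses lines in the layout shown above (timestamp, thread, user, request id, session token, client IP, URL, message), counts such failures per attempted name and per client IP, and flags IPs that exceed a threshold so an administrator can tell a directory misconfiguration (many failures for one legitimate name, as in this thread) from one client guessing many names. The first sample line is the one from the post; the others are constructed.

```python
"""Triage "USE permission or weren't found" events in atlassian-jira-security.log (added example)."""
import re
from collections import Counter
from datetime import datetime

# One log line, in the layout quoted in the thread:
# <date> <time>,<millis> <thread> <user> <request-id> <session> <client-ip> <url> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"(?P<thread>\S+) (?P<user>\S+) (?P<reqid>\S+) (?P<session>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<url>\S+) (?P<msg>.*)$"
)

# The message Jira writes when a login name resolves in no directory or the
# account lacks the "JIRA Users" global permission.
NOT_FOUND_RE = re.compile(
    r"login : '(?P<name>[^']+)' tried to login but they do not have USE permission or weren't found"
)


def parse_line(line):
    """Return a dict of fields for one security-log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    nf = NOT_FOUND_RE.search(rec["msg"])
    rec["attempted_name"] = nf.group("name") if nf else None
    return rec


def summarize(lines, ip_threshold=3):
    """Count not-found / no-USE-permission logins per attempted name and per client IP.

    Returns (per_name, per_ip, noisy_ips). noisy_ips lists client IPs with at least
    ip_threshold such failures: repeated failures for one name usually mean the
    account sits in the wrong directory (the thread's case), while many different
    names from one IP would point at guessing and deserve a closer look.
    """
    per_name = Counter()
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["attempted_name"] is None:
            continue  # unparseable or a different kind of event
        per_name[rec["attempted_name"]] += 1
        per_ip[rec["ip"]] += 1
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= ip_threshold)
    return per_name, per_ip, noisy_ips


# Sample input: the first line is the one quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "2012-09-27 12:08:33,198 TP-Processor7 anonymous 728x407x1 1jt7hyy 172.26.3.21 /rest/gadget/1.0/login login : 'pcassagnes' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.",
    "2012-09-27 12:09:01,004 TP-Processor3 anonymous 729x408x1 1jt7hyy 172.26.3.21 /rest/gadget/1.0/login login : 'pcassagnes' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.",
    "2012-09-27 12:09:40,512 TP-Processor5 anonymous 730x409x1 1jt7hyy 172.26.3.21 /rest/gadget/1.0/login login : 'pcassagnes' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.",
    "2012-09-27 12:15:12,773 TP-Processor2 anonymous 731x410x1 9k2ab1c 203.0.113.7 /login.jsp login : 'extuser01' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.",
    # constructed non-failure event, same layout but a different message
    "2012-09-27 12:16:05,020 TP-Processor4 pcassagnes 732x411x1 1jt7hyy 172.26.3.21 /secure/Dashboard.jspa login : 'pcassagnes' logged in",
    "this line is not in the expected layout and is skipped",
]

if __name__ == "__main__":
    names, ips, noisy = summarize(SAMPLE_LOG)
    for name, n in names.most_common():
        print(f"{n:3d} failed lookups for '{name}'")
    print("client IPs at or over threshold:", noisy)
```

Run it against a real file with `summarize(open("atlassian-jira-security.log"))`; the regex deliberately anchors on the client IP and URL so that lines of other shapes are skipped rather than miscounted.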

Manse Wolken
September 26, 2012

Jira synchronises every 60 minutes with LDAP and only checks user logins in the meantime.
And during your setup you made an "LDAP connection test"; if there was no error (and I assume there was none) then Jira connects to LDAP correctly.

Have you set the location of your LDAP groups? (Jira needs to read those.)

If you don't want to create a jira-users group in LDAP (containing all of your LDAP users that have to be able to log in to Jira) then you have to enable a given LDAP group in Jira for login (that's in the GLOBAL settings):

https://confluence.atlassian.com/display/JIRA/Managing+Global+Permissions

The permission for the LDAP Group is: JIRA Users

Then your LDAP Users are able to log in to Jira.

Hint: I think the easier way is to create LDAP groups named "jira-administrators", "jira-developers" and "jira-users".

Cheers,

Manse

Philippe Leménager
September 26, 2012

I don't understand the User Directory config screen the same way I understand what you say in your last comment!

On the User Directory config screen, I can read, under the label "Default Group Memberships:"

A comma-separated list of groups that users will be added to when they first log in. These groups will be created if they don't already exist.

And to me it means that the user will be added to the Default Group Memberships in Jira when he logs in for the first time.

The Default Group Memberships was set by default to "jira-users", but in my French Jira the equivalent group is called "GrpUtilisateurs", so I've changed this, but same result: an unknown Jira user existing in LDAP is refused by Jira.

I've also tried to change the type of directory to simply "OpenLDAP" and the test was OK, but same result trying to log in with a new user.

Manse Wolken
September 26, 2012

Hm,
that means that you have only authentication done by LDAP.
If you can, please try the following (IN A TEST ENVIRONMENT!):
- Use Directory Type "OpenLDAP"
- Put in your LDAP details (logon user for Jira, Base DN, User DN (without base DN) and Group DN (without base DN))
- Mark it READ ONLY
- Under User Schema Settings (I don't know the French title for that part of the LDAP screen) make sure that you use the correct User Password Encryption Scheme
- Click on save and test:
- Put in your LDAP user for extended testing
- Click on Test Settings

What happens?

Be back tomorrow, good luck

Philippe Leménager
September 27, 2012

The system admin told me that an account was not required to connect to our LDAP, but that was false. So he created an account for Jira and it works for the users present in LDAP.

But there is still a little problem...

When a new external user "Signs Up" to obtain an account on our Jira server, it's included in the "Internal with LDAP Authentication" user directory and then Jira asks our OpenLDAP to check the password and, of course, it fails because the external user is not present in our LDAP.

Is it possible to specify that new accounts created by the "Sign Up" option of the welcome screen must be included in the "JIRA Internal Directory"?

Manse Wolken
September 27, 2012

I assume that you have to make sure that the Jira internal directory is listed as the first directory in the directory list. And it might help if you put your LDAP directory as "read-only" in the connector.

But I am not sure.

Philippe Leménager
September 27, 2012

Yes, I've found in the doc that new users are always created in the first directory of the list.

So I've put JIRA Internal Directory in first position and it works just like I want:

- new external users are created in JIRA Internal Directory

- new internal users found in our LDAP are created in the "Internal with LDAP Authentication" user directory.

Thank you very much for your help!

Problem solved.
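The resolution above turns entirely on directory order: Jira consults the directory list top to bottom, resolves a login name in the first directory that knows it, and creates "Sign Up" accounts in the first directory of the list. The model below is an added illustration written for this page, not Jira's code or Atlassian's API. It assumes exactly those three rules, plus "copy user on login" for the "Internal with LDAP Authentication" directory (a name known to LDAP counts as found and its record is created on first successful login, which is how the thread describes staff accounts appearing there); the LDAP server is a stub and all credentials are constructed. Running both orders reproduces the failure described two posts up (external sign-up lands in the LDAP-authenticated directory, so its password check goes to LDAP and fails) and the fix (internal directory first).

```python
"""Toy model of Jira's ordered user-directory list (added illustration, not Jira code).

Assumed rules, simplified from the thread and the documentation it links:
  * directories are consulted in list order; a login name is resolved in the
    first directory that knows it;
  * "Sign Up" creates the account in the first directory of the list;
  * "Internal with LDAP Authentication" keeps records in Jira but always verifies
    passwords by an LDAP bind, and copies a user on first successful login.
"""
import hashlib
import hmac
import os


class LdapStub:
    """Stand-in for the OpenLDAP server: only staff accounts exist here (constructed data)."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)

    def has_uid(self, uid):
        return uid in self._accounts

    def bind(self, uid, password):
        """Simple bind: succeeds only for a known uid with the matching password."""
        return self._accounts.get(uid) == password


class InternalDirectory:
    """JIRA Internal Directory: local records with salted PBKDF2 hashes, checked locally."""

    def __init__(self):
        self._users = {}

    def has_user(self, username):
        return username in self._users

    def create_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, username, password):
        salt, digest = self._users[username]
        return hmac.compare_digest(digest, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class InternalWithLdapAuthDirectory:
    """Internal with LDAP Authentication: records live in Jira, passwords go to LDAP."""

    def __init__(self, ldap):
        self._ldap = ldap
        self._users = set()

    def has_user(self, username):
        # Assumption: copy-on-login, so a uid known to LDAP counts as found.
        return username in self._users or self._ldap.has_uid(username)

    def create_user(self, username, password):
        # A record is stored but no password: LDAP will be asked at login,
        # which is why an external sign-up placed here can never log in.
        self._users.add(username)

    def authenticate(self, username, password):
        if not self._ldap.bind(username, password):
            return False
        self._users.add(username)  # copy the user into Jira on first success
        return True


class DirectoryList:
    def __init__(self, directories):
        self.directories = list(directories)

    def sign_up(self, username, password):
        self.directories[0].create_user(username, password)  # first directory wins

    def login(self, username, password):
        for d in self.directories:
            if d.has_user(username):
                return d.authenticate(username, password)
        return False  # the "weren't found" case in atlassian-jira-security.log


def run_scenario(internal_first):
    """Return (external_user_can_login, staff_user_can_login) for one directory order."""
    ldap = LdapStub({"pcassagnes": "staff-secret"})  # constructed credentials
    internal, ldap_auth = InternalDirectory(), InternalWithLdapAuthDirectory(ldap)
    dirs = DirectoryList([internal, ldap_auth] if internal_first else [ldap_auth, internal])
    dirs.sign_up("extuser01", "ext-secret")  # external user created via "Sign Up"
    return dirs.login("extuser01", "ext-secret"), dirs.login("pcassagnes", "staff-secret")


if __name__ == "__main__":
    print("LDAP-auth directory first:", run_scenario(internal_first=False))  # (False, True)
    print("Internal directory first :", run_scenario(internal_first=True))   # (True, True)
```

The staff login succeeds in both orders because the internal directory simply does not know the name and the search falls through; only the sign-up path is order-sensitive, which is why moving JIRA Internal Directory to the top fixed the external accounts without affecting LDAP users.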
