We are looking into adding an additional User Directory and I need advice.
We already have a "Microsoft Active Directory (Ready Only)" user directory that synchronises a "ML-JIRA" AD group with JIRA (it is a mailing list). This is no longer sustainable because we are having to manually add people to this AD group.
I've tested creating another "User Directory" that follows the method for Connecting JIRA to an Internal Directory with LDAP authentication (with copying users on first login) and I've set this directory to be the SECOND directory in the list.
Everything seems to work okay:
Users can now login to JIRA without the JIRA admins adding them to the ML-JIRA group in AD. (YAY!)
Later, the users are automatically added to the ML-JIRA list (via outside automated process) so we can still easily email all JIRA users from Outlook.
I noticed that after the user is added to JIRA and the first directory syncs, the read only Microsoft Active Directory takes precedence... 2 accounts show up in the cwd_users table, but only one account shows up in the user list with a directory of "active-directory" (which is fine).
It seems that when this happens, all the issues are magically associated with the "new" user and that first user directory is used from then on for authentication.
Is this configuration okay? Can you foresee any issues using the authentication in this way?
I've already configured the synchronization groups to be the same...and it seems to work (users logging in to JIRA without being added to my AD group are automatically ending up in the right groups in JIRA).
However, I don't know if I'm missing something... has anyone done this, are there any known issues or things I should watch out for?
When you have the same user associated to more than one User Directory, JIRA will always associated them to the higher directory containing them.
JIRA uses the user names to verify they are the same user and all issues/comments/etc will remain associated to the user, regardless of the directory he's in.
The main difference between your old directory and the new one, is that the new one synchronizes users at the time they log into JIRA, while the old directory synchs on a set interval of time.
I'm not sure if you'd still need the old directory in your scenario, but it doesn't seem to cause any problems too, so I believe you may continue as you are now fine.
Awesome... everything looked okay in our tests... so we'll continue.
Also, the reason we'd want the old directory is that some people will exist in User Pickers before they EVER login. In order to get them to show up in a user picker, we'll need to keep the old directory that syncs automatically. (At least, that is how I understand it).
Atlassian Summit is an excellent opportunity for in-person support, training, and networking.Learn more
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG