Let's say I have 3 roles in Jira:
-Jira-users
-Jira-administrators
-Jira-developers
AND in AD domain groups:
-jira_user
-Jira admins
-jira_develop
When I give a new user a certain role like jira_develop in AD, this user should be synchronised into the correct local group in Jira (jira-developers).
Is this possible when I set an LDAP connection for each group, or can I just set one LDAP connection and use filters to get the right users from AD into the right local groups in Jira?
How can this be done?
thx
I'm a bit confused but as long as you make your AD groups members of your project roles, once you add members to the AD groups (and after a sync) those users will have access to those projects according to the permission scheme. Hopefully your permission scheme uses these roles.
Additionally, you shouldn't need multiple directory connections. You can write one filter to pull in these groups and the group members all at once.
Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_user)(sAMAccountName=jira_develop)(sAMAccountName=jira_admins)))
User filter: (&(objectClass=person)(|(memberOf=CN=jira_user,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_develop,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_admin,OU=blah,OU=domain,OU=com)))
Hi Josh Steckle,
thx for your answer, I will try this! But what do you mean by
"Hopefully your permission scheme uses these roles." :-)
The role names in Jira are different from the role names (groups) in AD, so where in the config above do you refer to the Jira local groups?
thx
Hi Josh,
in this case, what will the Base DN be then? And should OU=domain,OU=com not be DC=domain,DC=com?
And Additional User/Group DN stays empty, with just LDAP Read permissions!
example:
domain.com
OU=LAS Vegas
OU=software
OU=confluence
(group) = jira-user (role nested = jira-default)
(group) = jira_admins (role nested = jira-administrators)
(group) = jira_develop (role nested = jira-programmers)
And I am using nested groups!
thx
R.
Your base DN could be as simple as "DC=domain,DC=com" - depending on where your user account OU is. This is what I use on mine due to the nature of our AD structure.
One thing to consider is to create a "master" group that contains all relevant groups to be used within JIRA.
Let's say underneath the OU=confluence, you create a new group "jira_groups" and you add jira_user, jira_admins and jira_develop as nested members. In that situation, you could use these filters. I assume when you said you use nested groups, it means that you have other groups nested within jira_user, etc.
User filter: (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))
Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_groups)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))
This uses a function of AD specific query syntax known as LDAP_MATCHING_RULE_IN_CHAIN, basically it picks up all levels of nesting below the specified object. See these two links for more: https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html
https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
Edit:
An additional reason I suggest using a "master" group is due to JRASERVER-36979
The maximum length of an ldap group/user filter is 255 characters. So if you wanted to pull in all nested groups by naming jira_users, jira_admins and jira_develop individually, the filter would look like the following, but that would be 344 characters and therefore impossible.
(&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_admins,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_develop,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))
Thx Josh,
I see! But if I set 3 user directories (LDAP AD) to the same server with different sync intervals, just to map the users of the 3 groups from AD to local groups in Jira, would this work?
The point of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.
grtz
I personally wouldn't want the performance overhead of three syncs. It might work, but things like users in multiple groups might come up and cause issues.
Josh,
The point of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.
So that I can just manage users in AD and not necessarily in Jira itself.
thx again Josh :-)
Josh,
in the User Schema Settings, what would the User Name Attribute be then? sAMAccountName?
grtz
Rachid
sAMAccountName is often used. You could also use userPrincipalName or even mail if you want.
I use samaccountname -- use whichever one is more prevalent in your organization if this is a new instance of JIRA.
thx for your reply!
But I still have a problem with nested groups. I've tried with just 1 group
(&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)
and it seems that Jira doesn't find the nested group!
I chose the option "Read Only, with Local Groups" to put the users from the AD group in the local group "confluence-users",
but it doesn't work! :-(
Does somebody have another option?
thx!
If you pasted your filter exactly, there's a syntax error:
(&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))
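The two filter pitfalls raised in this thread, the 255-character limit from Josh's edit above (JRASERVER-36979) and the unbalanced parentheses in the pasted filter, can be checked mechanically. The following is an added example, not code from the thread or from Atlassian; it builds the nested-group filters with the thread's own example DNs and flags both problems.

```python
# Added example (not from the thread): build the LDAP_MATCHING_RULE_IN_CHAIN
# filters discussed above and check them for the two pitfalls the thread raises.
# The OID is the real AD in-chain matching rule; the DN is the thread's
# "domain.com" example, not a real directory.

IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN
MAX_FILTER_LEN = 255                   # Jira filter limit per JRASERVER-36979
GROUP_OU = "OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com"


def nested_member_clause(group_cn, base=GROUP_OU):
    """(memberOf:<in-chain>:=<group DN>) matches members at any nesting depth."""
    return f"(memberOf:{IN_CHAIN}:=CN={group_cn},{base})"


def user_filter(group_cns):
    """Person objects that are (nested) members of any of the given groups."""
    clauses = "".join(nested_member_clause(g) for g in group_cns)
    if len(group_cns) > 1:
        clauses = f"(|{clauses})"      # OR only when there is more than one operand
    return f"(&(objectClass=person){clauses})"


def group_filter(master_cn):
    """The master group itself plus every group nested underneath it."""
    nested = nested_member_clause(master_cn)
    return f"(&(objectCategory=Group)(|(sAMAccountName={master_cn}){nested}))"


def check_filter(flt):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("closing parenthesis without a matching open")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed parenthesis(es)")
    if len(flt) > MAX_FILTER_LEN:
        problems.append(f"{len(flt)} characters exceeds the {MAX_FILTER_LEN} limit")
    return problems


if __name__ == "__main__":
    three = user_filter(["jira_users", "jira_admins", "jira_develop"])
    print(len(three), check_filter(three))        # 344 characters, over the limit
    master = user_filter(["jira_groups"])
    print(len(master), check_filter(master))      # fits, via the master group
    print(check_filter(group_filter("jira_groups")))
```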
Josh,
the characters in bold are not case-sensitive, I hope?
(&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))
grtz
R.
It should not be case sensitive, but strictly speaking, memberOf is properly capitalized as bold here.
Josh,
doesn't work, it just copies the AD group (not the nested group) to Jira with no users! :-(
grtz
R.
Hey @Rachid Amajoud
I know this is an old thread, but were you able to find a solution for your last request?
Please, share your solution with the rest of the community or let us know if there is anything else we can help with.
I have another question on a similar topic. I would like to know which groups come from AD; is that possible in any way? I tried some database queries, but these did not work.
Thank you!
Attila