mapping groups in MS AD via LDAP with Jira/Confluence

Let's say I have 3 roles in Jira:

-Jira-users
-Jira-administrators
-Jira-developers

AND in AD domain groups:

-jira_user
-Jira admins
-jira_develop

When I give a new user a certain role like jira_develop in AD, this user should be synchronised into the correct local group in Jira (jira-developers).

Is this possible if I set up an LDAP connection for each group, or can I just set up one LDAP connection and use filters to get the right users from AD into the right local groups in Jira?

How can this be done?

thx


I'm a bit confused, but as long as you make your AD groups members of your project roles, once you add members to the AD groups (and after a sync) those users will have access to those projects according to the permission scheme. Hopefully your permission scheme uses these roles.

Additionally, you shouldn't need multiple directory connections. You can write one filter to pull in these groups and the group members all at once.

Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_user)(sAMAccountName=jira_develop)(sAMAccountName=jira_admins)))

User filter: (&(objectClass=person)(|(memberOf=CN=jira_user,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_develop,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_admin,OU=blah,OU=domain,OU=com)))

Hi Josh Steckler,

thx for your answer, I will try this! But what do you mean by

"Hopefully your permission scheme uses these roles." :-)

The role names in Jira are different from the role names (groups) in AD, so where in the config above do you refer to the Jira local groups?

 

thx

Hi Josh,

In this case, what would the Base DN be then? And shouldn't OU=domain,OU=com be DC=domain,DC=com?

And Additional User/Group DN stays empty, with just LDAP Read permissions!

Example:

domain.com
      OU=Las Vegas
               OU=software
                       OU=confluence
                                (group) = jira-user (role nested = jira-default)
                                (group) = jira_admins (role nested = jira-administrators)
                                (group) = jira_develop (role nested = jira-programmers)

And I am using nested groups!

 

thx

R.

Your base DN could be as simple as "DC=domain,DC=com" - depending on where your user account OU is. This is what I use on mine due to the nature of our AD structure.

One thing to consider is to create a "master" group that contains all relevant groups to be used within JIRA.

Let's say underneath the OU=confluence, you create a new group "jira_groups" and you add jira_user, jira_admins and jira_develop as nested members. In that situation, you could use these filters. I assume when you said you use nested groups, it means that you have other groups nested within jira_user, etc.

User filter: (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_groups)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))

This uses a function of AD-specific query syntax known as LDAP_MATCHING_RULE_IN_CHAIN; basically it picks up all levels of nesting below the specified object. See these two links for more: https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html

https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

 

Edit:

An additional reason I suggest using a "master" group is due to JRASERVER-36979

The maximum length of an LDAP group/user filter is 255 characters. So if you wanted to pull in all nested groups by naming jira_users, jira_admins and jira_develop individually, the filter would look like the following, but that would be 344 characters and therefore impossible.

(&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_admins,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_develop,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))

Thx Josh,

I see! But if I set up 3 user directories (LDAP AD) to the same server with different sync intervals, just to map the users of the 3 groups from AD to local groups in Jira, would this work?

The point of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.

grtz

Josh Steckler Community Champion Nov 17, 2017

I personally wouldn't want the performance overhead of three syncs. It might work, but things like users in multiple groups might come up and cause issues.

Josh,

The point of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.

So that I can just manage users in AD and not necessarily in Jira itself.

 

thx again Josh :-)

Josh,

In the User Schema Settings, what would the User Name Attribute be then? sAMAccountName?

 

grtz

Rachid

sAMAccountName is often used. You could also use userPrincipalName or even mail if you want.

Josh Steckler Community Champion Nov 20, 2017

I use samaccountname -- use whichever one is more prevalent in your organization if this is a new instance of JIRA.

thx for your reply!

But I still have a problem with nested groups; I've tried with just 1 group:

 (&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)

and it seems that Jira doesn't find the nested group!

I chose the option "Read Only, with Local Groups" to put the users from the AD group in the local group "confluence-users",

but it doesn't work! :-(

Does somebody have another option?

 

thx!

Josh Steckler Community Champion Nov 21, 2017

If you pasted your filter exactly, there's a syntax error:

 (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

Josh,

the characters in bold are not case-sensitive, I hope?

 (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

 

grtz

R.

Josh Steckler Community Champion Nov 21, 2017

It should not be case sensitive, but strictly speaking, memberOf is properly capitalized as bold here.

thx Josh, I hope that will solve the problem ;-)

Josh,

 

It doesn't work; it just copies the AD group (not the group that is nested) to Jira, with no users! :-(

grtz

R.
