Mapping groups in MS AD via LDAP with Jira/Confluence

Rachid Amajoud November 16, 2017

Let's say I have 3 roles in Jira:

- Jira-users
- Jira-administrators
- Jira-developers

AND in AD domain groups:

- jira_user
- Jira admins
- jira_develop

When I give a new user a certain role like jira_develop in AD, this user should be synchronised with the correct local group in Jira (jira-developers).

Is this possible when I set up an LDAP connection for each group, or can I just set up one LDAP connection and use filters to get the right users from AD into the right local groups in Jira?

How can this be done?

thx

1 answer

0 votes
josh
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 16, 2017

I'm a bit confused but as long as you make your AD groups members of your project roles, once you add members to the AD groups (and after a sync) those users will have access to those projects according to the permission scheme. Hopefully your permission scheme uses these roles.

Additionally, you shouldn't need multiple directory connections. You can write one filter to pull in these groups and the group members all at once.

Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_user)(sAMAccountName=jira_develop)(sAMAccountName=jira_admins)))

User filter: (&(objectClass=person)(|(memberOf=CN=jira_user,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_develop,OU=blah,OU=domain,OU=com)(memberOf=CN=jira_admin,OU=blah,OU=domain,OU=com)))

Rachid Amajoud November 17, 2017

Hi Josh Steckle,

thx for your answer, I will try this! But what do you mean by "Hopefully your permission scheme uses these roles." :-)

The role names in Jira are different from the role names (groups) in AD, so where in the config above do you refer to the Jira local groups?

thx

Rachid Amajoud November 17, 2017

Hi Josh,

In this case, what would the Base DN be then? And shouldn't OU=domain,OU=com be DC=domain,DC=com?

And Additional User/Group DN stays empty, with just LDAP Read permissions!

Example:

domain.com
    OU=LAS Vegas
        OU=software
            OU=confluence
                (group) = jira-user (role nested = jira-default)
                (group) = jira_admins (role nested = jira-administrators)
                (group) = jira_develop (role nested = jira-programmers)

And I am using nested groups!

thx

R.

josh
November 17, 2017

Your base DN could be as simple as "DC=domain,DC=com" - depending on where your user account OU is. This is what I use on mine due to the nature of our AD structure.

One thing to consider is to create a "master" group that contains all relevant groups to be used within JIRA.

Let's say underneath the OU=confluence you create a new group "jira_groups" and you add jira_user, jira_admins and jira_develop as nested members. In that situation, you could use these filters. I assume when you said you use nested groups, it means that you have other groups nested within jira_user, etc.

User filter: (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

Group filter: (&(objectCategory=Group)(|(sAMAccountName=jira_groups)(memberof:1.2.840.113556.1.4.1941:=CN=jira_groups,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))

This uses a feature of AD-specific query syntax known as LDAP_MATCHING_RULE_IN_CHAIN; basically it picks up all levels of nesting below the specified object. See these two links for more: https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html

https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Edit:

An additional reason I suggest using a "master" group is due to JRASERVER-36979.

The maximum length of an ldap group/user filter is 255 characters. So if you wanted to pull in all nested groups by naming jira_users, jira_admins and jira_develop individually, the filter would look like the following, but that would be 344 characters and therefore impossible.

(&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_admins,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)(memberof:1.2.840.113556.1.4.1941:=CN=jira_develop,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)))
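Added example, not from the thread or from Atlassian: a small Python check for the two filter problems raised in this thread (unbalanced parentheses, and the 255-character limit Josh attributes to JRASERVER-36979), plus a model of how the LDAP_MATCHING_RULE_IN_CHAIN OID reaches members of nested groups where a plain memberOf match does not. The OU path is the one from the filters above; the user alice, the dev-team group and the directory contents are constructed sample data.

```python
"""Added example: filter sanity checks and a model of memberOf vs LDAP_MATCHING_RULE_IN_CHAIN."""

CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN, Active Directory specific
MAX_FILTER_LEN = 255               # limit the thread attributes to JRASERVER-36979
OU_PATH = "OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com"  # OU path from the thread

def escape(value):  # RFC 4515: escape the characters that are special in a filter value
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_filter(group_cns, ou_path=OU_PATH, nested=True):
    # nested=True uses the in-chain rule; nested=False is the plain memberOf filter
    attr = f"memberOf:{CHAIN}:" if nested else "memberOf"
    terms = "".join(f"({attr}=CN={escape(cn)},{ou_path})" for cn in group_cns)
    if len(group_cns) > 1:
        terms = f"(|{terms})"
    return f"(&(objectClass=person){terms})"

def check_filter(flt):
    """Return the problems a Jira directory config would choke on (empty list = OK)."""
    problems, depth, low = [], 0, 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        low = min(low, depth)          # a ')' before its '(' drives this negative
    if depth != 0 or low < 0:
        problems.append("unbalanced parentheses")
    if len(flt) > MAX_FILTER_LEN:
        problems.append(f"{len(flt)} characters exceeds {MAX_FILTER_LEN}")
    return problems

def is_member(directory, user_dn, group_dn, nested):
    """Model of AD evaluating memberOf=<group> (direct membership only) versus
    memberOf:<CHAIN>:=<group> (follows every level of group nesting)."""
    seen, stack = set(), list(directory[user_dn])
    while stack:
        dn = stack.pop()
        if dn == group_dn:
            return True
        if nested and dn not in seen:
            seen.add(dn)
            stack.extend(directory.get(dn, []))
    return False

# Constructed directory: each DN maps to the DNs listed in its own memberOf attribute.
def group_dn(cn): return f"CN={cn},{OU_PATH}"
DIRECTORY = {
    "CN=alice,OU=people,DC=domain,DC=com": [group_dn("dev-team")],  # alice: only in dev-team
    group_dn("dev-team"): [group_dn("jira_develop")],               # dev-team nested in jira_develop
    group_dn("jira_develop"): [group_dn("jira_groups")],            # jira_develop nested in master group
    group_dn("jira_groups"): [],
}
```

Running `user_filter(["jira_users", "jira_admins", "jira_develop"])` reproduces the 344-character filter quoted above and `check_filter` flags it, while the single master-group filter passes; `is_member` returns True for alice against jira_groups only when the chain rule is used.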

Rachid Amajoud November 17, 2017

Thx Josh,

I see! But if I set up 3 user directories (LDAP AD) to the same server with different sync intervals, just to map the users of the 3 groups from AD to local groups in Jira, would this work?

The point of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.

grtz

josh
November 17, 2017

I personally wouldn't want the performance overhead of three syncs. It might work, but things like users in multiple groups might come up and cause issues.

Rachid Amajoud November 17, 2017

Josh,

The point of all this is that I just want to pull the users of a specific group in AD and put them in the right local group in Jira; the groups already exist on both sides.

So that I can just manage users in AD and not necessarily in Jira itself.

thx again Josh :-)

Rachid Amajoud November 20, 2017

Josh,

In the User Schema Settings, what would the User Name Attribute be then? sAMAccountName?

grtz

Rachid

Lars Olav Velle
November 20, 2017

sAMAccountName is often used. You could also use userPrincipalName or even mail if you want.

josh
November 20, 2017

I use samaccountname -- use whichever one is more prevalent in your organization if this is a new instance of JIRA.

Rachid Amajoud November 21, 2017

thx for your reply!

But I still have a problem with nested groups; I've tried with just 1 group:

 (&(objectClass=person)(|(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com)

and it seems that Jira doesn't find the nested group!

I chose the option "Read Only with local groups" to put the users from the AD group in the local group "confluence-users",

but it doesn't work! :-(

Does somebody have another option?

thx!

josh
November 21, 2017

If you pasted your filter exactly, there's a syntax error:

 (&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

Rachid Amajoud November 21, 2017

Josh,

the characters in bold are not case-sensitive, I hope?

(&(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=jira_users,OU=confluence,OU=software,OU=Las Vegas,DC=domain,DC=com))

grtz

R.

josh
November 21, 2017

It should not be case sensitive, but strictly speaking, memberOf is properly capitalized as bold here.

Rachid Amajoud November 21, 2017

thx Josh, I hope that will solve the problem ;-)

Rachid Amajoud November 21, 2017

Josh,

doesn't work, it just copies the AD group (not the group that is nested) to Jira with no users! :-(

grtz

R.

Petter Gonçalves
Atlassian Team
June 18, 2020

Hey @Rachid Amajoud

I know this is an old thread, but were you able to find a solution for your last request?

Please, share your solution with the rest of the community or let us know if there is anything else we can help with.

Attila Salánki January 4, 2021

Hi @Petter Gonçalves,

I have another question on a similar topic. I would like to know which groups come from AD; is that possible at all? I tried some database queries, but they did not work.

Thank you!

Attila
