What are the differences between using LDAP with local groups and Internal with LDAP authentication on Jira?

There are two ways to set up partial Directory authentication in Jira, but the differences between them are not very well documented. Which are they?

  • LDAP with local groups
  • Internal with LDAP authentication

I am interested in ALL the things that are different between these two types of setups.

I discovered a few of them, but it is essential to know them all.

I know:

  • On LDAP-with-local-groups, if the user is not returned by the LDAP, Jira will remove all group memberships from the user, without providing any way to put them back, other than manually. I think that this can happen even when one of the delegated LDAP servers fails to respond (you get a partial response).
  • On Internal-with-LDAP-auth, nothing happens when the user is removed; still, he will obviously not be able to log in.
  • Even if Jira now has an "active" attribute attached to users, there is no way of changing this attribute based on what LDAP returns. Obviously, Jira LDAP settings should include an LDAP filter which extracts this information, there a

2 answers

1 accepted

Hi Sorin,

It is quite tough to explain the difference between both of the mentioned directories without specifying which area you are interested in.

In general, the integration between JIRA and LDAP is differentiated by two methods:

There are several points that differentiate these methods:

  1. The DELEGATED method does not have the ability to write to the LDAP server, while CONNECTOR does
  2. The DELEGATED method does not synchronize with your LDAP as CONNECTOR does
  3. DELEGATED retrieves user information during the authentication process; CONNECTOR retrieves user information during the synchronization process
  4. DELEGATED could retrieve group membership during the authentication process; CONNECTOR is able to retrieve LDAP groups and map the membership during the synchronization process

The above differences are just some of the general points; I hope this helps clarify your doubts on this.

Septa Cahyadiputra

Thanks, clearly the linked page gives a lot of useful information about how directories work. Do you happen to know if there are any performance implications, or others regarding reliability and the possibility to fall back to another directory server if one is down?

Please refer to our limitation documentation here:

If you do have a clone LDAP server, you could create two directories, with the second one disabled while the first-order LDAP server is working fine. When it's down, just activate the second directory and disable the first one. This should work fine, as JIRA uses the username to map the content instead of the ID, so if the username is exactly the same, it should be fine.

Sorry to inform you that this process could not be automated by default.

You have already answered your question :)

In simple terms, delegated LDAP uses LDAP only for authentication. All group information is internal to JIRA and the LDAP connection is read-only. On the other hand, a direct LDAP connection can sync users and groups from LDAP to JIRA. It can also write back groups and users to LDAP.
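The two setups compared in this thread, as an added toy model in Python (not Jira's code and not written by any poster): it encodes the behaviour as reported in the question, where a partial LDAP result makes a synced directory drop local group memberships while an internal directory keeps them. The class names, the sample accounts and the `guarded_sync` threshold check are assumptions made for illustration; `guarded_sync` is a hypothetical safeguard, not a Jira setting.

```python
class ConnectorWithLocalGroups:
    """Users are mirrored from LDAP; memberships exist only in the local store."""
    def __init__(self):
        self.users = set()
        self.memberships = {}  # username -> set of local group names

    def sync(self, ldap_users):
        """Mirror the LDAP result and return the memberships that were dropped."""
        ldap_users = set(ldap_users)
        lost = {}
        for user in self.users - ldap_users:
            groups = self.memberships.pop(user, set())
            if groups:
                lost[user] = groups
        self.users = ldap_users
        return lost

class InternalWithLdapAuth:
    """Users and groups are internal; LDAP is asked only to check the password."""
    def __init__(self, users):
        self.users = set(users)
        self.memberships = {}

    def login(self, user, ldap_users):
        # Delegated authentication: the account must be known on both sides.
        return user in self.users and user in ldap_users

def guarded_sync(directory, ldap_users, max_removed_ratio=0.2):
    """Hypothetical guard: refuse a result that removes too many known users."""
    missing = directory.users - set(ldap_users)
    if directory.users and len(missing) / len(directory.users) > max_removed_ratio:
        raise RuntimeError(f"suspicious LDAP result: {len(missing)} users missing")
    return directory.sync(ldap_users)

FULL = {"alice", "bob", "carol", "dave", "erin"}  # constructed sample accounts
PARTIAL = {"alice", "bob"}                        # one LDAP server did not answer

def demo():
    conn = ConnectorWithLocalGroups()
    conn.sync(FULL)
    conn.memberships["carol"] = {"jira-developers"}
    lost = conn.sync(PARTIAL)   # partial response: carol is dropped
    conn.sync(FULL)             # LDAP healthy again, membership is not restored
    internal = InternalWithLdapAuth(FULL)
    internal.memberships["carol"] = {"jira-developers"}
    can_login = internal.login("carol", PARTIAL)
    return lost, conn.memberships.get("carol"), internal.memberships["carol"], can_login
```

The dictionary returned by `sync` is the list an administrator would otherwise have to rebuild by hand, so logging it on every sync gives a record of which memberships to restore.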
