What are the differences between using LDAP with local groups and Internal with LDAP authentication on Jira?

Sorin Sbarnea (Citrix)
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 12, 2012

There are two ways to set up partial directory authentication in Jira, but the differences between them are not very well documented. Which are they?

  • LDAP with local groups
  • Internal with LDAP authentication

I am interested in ALL the things that are different between these two types of setup.

I discovered a few of them, but it is essential to know them all.

I know:

  • On LDAP-with-local-groups, if the user is not returned by the LDAP, Jira will remove all group memberships from the user, without providing any way to put them back other than manually. I think that this can happen even when one of the delegated LDAP servers fails to respond (you get a partial response).
  • On Internal-with-LDAP-auth nothing happens when the user is removed, but he will obviously not be able to log in.
  • Even if Jira now has an "active" attribute attached to users, there is no way of changing this attribute based on what LDAP returns. Obviously, Jira LDAP settings should include an LDAP filter which extracts this information, there a

2 answers

1 accepted

5 votes
Answer accepted
Septa Cahyadiputra
Rising Star
August 12, 2012

Hi Sorin,

It is quite tough to explain the differences between the two mentioned directories without specifying which area you are interested in.

In general, the integration between JIRA and LDAP is done by one of two methods:

There are several points that differentiate these methods:

  1. The DELEGATED method does not have the ability to write into the LDAP server, while CONNECTOR has.
  2. The DELEGATED method does not synchronize with your LDAP, as CONNECTOR does.
  3. DELEGATED retrieves user information during the authentication process; CONNECTOR retrieves user information during the synchronization process.
  4. DELEGATED can retrieve group membership during the authentication process; CONNECTOR is able to retrieve LDAP groups and map the membership during the synchronization process.

The above differences are just some of the general points; I hope this helps clarify your doubts on this.

Cheers,
Septa Cahyadiputra

Sorin Sbarnea (Citrix)
Rising Star
August 12, 2012

Thanks, clearly the linked page gives a lot of useful information about how directories work. Do you happen to know if there are any performance implications, or others regarding reliability and the possibility of falling back to another directory server if one is down?

Septa Cahyadiputra
Rising Star
August 12, 2012

Please refer to our limitation documentation here:

If you do have a cloned LDAP server you could create two directories, with the second one disabled while the first-order LDAP server is working fine. When it's down, just activate the second directory and disable the first one. This should work fine, as JIRA uses the username to map the content instead of the ID, so if the username is exactly the same, it should be fine.

Sorry to inform you that this process cannot be automated by default.

0 votes
Renjith Pillai
Rising Star
August 12, 2012

You have already answered your question :)

In simple terms, delegated LDAP uses LDAP only for authentication. All group information is internal to JIRA and the LDAP connection is read-only. On the other hand, a direct LDAP connection can sync users and groups from LDAP to JIRA. It can also write back groups and users to LDAP.
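The thread describes the two setups only in prose, so here is an added, self-contained model of the behaviour it discusses. This is not Jira's code and uses constructed data: a connector-style sync that rewrites the local user list from what LDAP returned (so a user missing from the response, including one lost to a partial answer from a failed server, is dropped together with the local group memberships hanging off it), next to a delegated-style login that only asks LDAP to verify the password and never touches local users or groups. The `partial` flag on the response and the `refuse_partial` safeguard are assumptions made for the example, not documented Jira options.

```python
"""In-memory model of Jira's two partial-LDAP setups (added example, not Jira code).

  * LDAP-with-local-groups (connector): users mirror LDAP after every sync;
    a user absent from the response is removed and its local groups are lost.
  * Internal-with-LDAP-authentication (delegated): LDAP only checks the
    password at login; users and group memberships stay local and unchanged.

The `partial` flag and the `refuse_partial` guard are assumptions for this
example; they model the failure mode raised in the question.
"""
from dataclasses import dataclass, field


@dataclass
class LdapResponse:
    """What a directory sync got back from LDAP (constructed, not a real search)."""
    usernames: set
    partial: bool = False   # assumed: one of several queried servers did not answer


@dataclass
class Directory:
    """Local side of a Jira user directory: username -> local group memberships."""
    groups: dict = field(default_factory=dict)


def ldap_authenticate(passwords, username, password):
    """Stand-in for a simple bind: true when LDAP knows the user and the password matches."""
    return passwords.get(username) == password


def delegated_login(directory, passwords, username, password):
    """Internal-with-LDAP-auth: return the user's local groups on success,
    None if LDAP rejects the credentials. Memberships are never modified."""
    if not ldap_authenticate(passwords, username, password):
        return None
    return set(directory.groups.get(username, set()))


def connector_sync(directory, response, refuse_partial=False):
    """LDAP-with-local-groups: make the local user list mirror LDAP.
    Returns the sorted list of usernames removed (their groups are gone with them),
    or None when a partial response was refused and nothing was changed."""
    if response.partial and refuse_partial:
        return None
    removed = sorted(u for u in directory.groups if u not in response.usernames)
    for u in removed:
        del directory.groups[u]
    for u in response.usernames:
        directory.groups.setdefault(u, set())   # new LDAP users start with no local groups
    return removed


def scenario():
    """Run both setups through the same event: bob vanishes from an LDAP
    response that is also flagged partial."""
    initial = {"alice": {"jira-users", "jira-developers"}, "bob": {"jira-users"}}
    connector = Directory({u: set(g) for u, g in initial.items()})
    delegated = Directory({u: set(g) for u, g in initial.items()})
    ldap_after = LdapResponse(usernames={"alice"}, partial=True)
    passwords_after = {"alice": "alice-pw"}   # constructed: bob no longer in LDAP

    # Unguarded connector sync: bob and his local memberships disappear.
    lost = connector_sync(connector, ldap_after)

    # Delegated: bob's record and groups survive; only his login now fails.
    bob_login = delegated_login(delegated, passwords_after, "bob", "bob-pw")
    alice_login = delegated_login(delegated, passwords_after, "alice", "alice-pw")

    # Guarded connector: same partial response, but the sync is refused.
    guarded = Directory({u: set(g) for u, g in initial.items()})
    refused = connector_sync(guarded, ldap_after, refuse_partial=True)

    return {
        "connector_removed": lost,
        "connector_bob_groups": connector.groups.get("bob"),
        "delegated_bob_login": bob_login,
        "delegated_bob_groups": delegated.groups["bob"],
        "delegated_alice_groups": alice_login,
        "guarded_sync_ran": refused is not None,
        "guarded_bob_groups": guarded.groups["bob"],
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the script shows the asymmetry in one place: the connector drops `bob` and his groups on the partial response, the delegated setup keeps both and merely refuses his login, and the guarded sync leaves the directory untouched until a complete response arrives.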
