|
[
Permalink
| « Hide
]
Adam Harvey added a comment - 07/Jul/03 06:35 PM
Jeff- In our case, we have a corporate LDAP with over 10,000 users where we'd want to authenticate against (single sign on) and use it for profile data. However, at this time the corporate LDAP does not contain group information to the granular level we'd like, nor for us to create/modify. It'd be good to be able to use JIRA to create an Admin group, and maybe even JIRA groups based on profile data (eg, all users in New York office, or all users who's manager is Employee #43043). Our LDAP as is only contains large groupings, such as line of business or geographic location, rather than my own team of 7.
Hi Adam,
Thanks very much; just the sort of feedback we're looking for. Based on this, it sounds like a user's group should be determined by the success or failure of an arbitrary LDAP search. That would allow us to define a virtual group for "all users who's manager is Employee #43043". --Jeff We picked JIRA for eval because of it's LDAP support.
AS a matter of fact, I refuse to look at any software for our intrante that does not support LDAP. 
It would be neat if you could add support for LDAP Groups so that you can create a full JIRA account out of LDAP information. Without haviong to create the user in JIRA. Furhermore, a hook for Single-Sign-On would also help a lot. Cheers, And for the groups:
We store groups in LDAP, or more precise in ActiveDirectory. But we have a custom schema, because each location is administering themselfes. So we would have trouble if you hard-wire the LDAP query. Make it configurable, please. Slowly, we are re-creating LDAP groups in JIRA which is "not so hot". Is there a way that we can contribute?
We have a complete set for LDAP integration with JIRA (ProfileProvider, AccessProvider and modified CredentialsProvider), we do not use hardwired LDAP queries, and would suggest you do not use them as well. Our osuser config looks like this:
<provider class="com.opensymphony.module.user.provider.ldap.LDAPCredentialsProvider"> <property name="searchBase">o=companyname,c=countrycode</property> <property name="exclusive-access">true</property> </provider> Here the "query" property is a template for real ldap search query, I apologize to the user community but I'm ashamed to release our current modules, they are awfull mess. This is not something that should be associated with our company in any way At least in our organization, the groupings in Jira and in LDAP partially match each other but some groups wouldn't make sense if they were in both.
Ideally Jira's group admin would allow for arbitrary LDAP queries which would produce group, allow for direct group importing in groups were already present and then let the admins create jira-only groups. For the LDAP-based groups, please create an interface which lists all the available groups from LDAP with giving the admin the option of choosing which groups should be used in JIRA (ie, visible in the other interfaces) and under what name. In our organisation also, LDAP server (Active Directory) is used, so it's necessary to use it from JIRA, but we would like to use groups defined in JIRA AND groups defined in LDAP.
It's the same for users : we should be able to use JIRA accounts as well as using LDAP users. Of course, LDAP groups should contain only LDAP users, but JIRA Groups should contain JIRA and LDAP users. these needs are because we want to use JIRA for internal and external users. Internal users are stored into LDAP, but external users must be stored in JIRA databse +1, definitely we also need what Richard describes. at least, we do need to use LDAP with groups, and not only for authenticating: we are already defining roles for our applications. The LDAP integration in JIRA is our next step to simplify user administration. But we need a Active Directory group mapping to JIRA groups because of our existing naming conventions in AD.
A Single-Sign-On integration is not very simple due to the SPNEGO (Simple and Protected GSS-API Negotiation Mechanism). I know only the product JCSI SSO from Wedgetail. I hope that someone knows how to combine JCSI SSO and OSUser. Links: I'd suggest looking at how mod_auth_ldap in Apache works.
Basically, it uses groupOfUniqueNames. So, you specify that a bit of the app is restricted to members of the groupOfUniqueNames identified by a DN. So, given a base, maybe plug in the project key to find who has what privs: such as cn=pico-developers,ou=pico,ou=projects,o=codehaus Grab that object, and iterate to see what the members are (defined by their DNs). We're still on JIRA 2.5.3 (until our Weblogic platform is upgraded to SP2 WLSv8.1 to fix a JSP translation issue).
One minor issue for us is that all our users are in LDAP (external) however JIRA still offers the CHANGE_PASSWORD functionality on the edit profile screen (from what I see), however this does not make sense. I'm not sure of the exact impact of turning ON external user management, however with this on it is still possible to get to this change password functionality, which we can use to change a password, however the password doesn't really get set in our LDAP external repository so it is confusing for the user. So for us, whilst externalising groups is not an immediate need, addressing the above at least would be good. Hopefully these comments are relevant to this issue. Thanks. PS For our home groups apps we use Weblogic Novell authentication provider which has all the appropriate settings for configuing ldap user and group details (e.g. search bases etc). Have you considered LDAPS support with the LDAP integration? My internal security team won't let me hook anything up to LDAP that isn't using LDAP over a secure connection.
Managing groups within Jira is fine for us as there are far more granular groups in Jira than we have in our LDAP (Active Directory). Hopefully the level of integration with LDAP will be configurable. Alyssa,
LDAPS is supported on Java 1.4.2 and above. Just specify ldaps://... in your URL We are pushing ourselves into full LDAP'ing as well. We've been pondering using <a href="http://www.mirapoint.com">Mirapoint</a> as our MTA since I'm looking to absolve a lot of internal workloads through growable appliances. Mirapoint though makes their own oid/schema to store their data along side your own within your LDAP configuration for playing like active directory/exchange.
It looks like its going to integrate very well with our existing user base. Is this an idea that Jira will be employing? Create its own inheritable schema for permissions/grouping? Would that be easier than trying to integrate with posix grouping? If you span multiple departments all with the same wheel ideas the overlap might not give the permissions as intended for each group. 2c, I'll vote for the flexible approach, although I realize this means more work for you. But, based on current product, I have complete faith that you will be able to pull it off. In general we don't want to be limited or forced to implement a unique schema. The whole point of LDAP (in my mind) is one stop shopping. I want to add a user in one spot and then authorize (sorry, authorise) them to access various systems and applications. I don't want to have to add a user in one LDAP tree for system authorization, and then add them to another tree for services like Jira. Likewise, I don't want to have to add a generic first name/last name attribute AND a Jira_Firstname Jira_Lastname attribute for a Jira profile.
So for the user authentication piece, I agree with Grigoriy V. Kuznetsov that we should be able to define our own search filter resulting in a list of valid entries against which authentication occurs. This way if I want to allow users to access Jira based on group membership, I can do that. Or, if I want to allow users to access Jira based on a custom attribute or object type (perhaps JiraUser, for example), I should be able to do that too. However, getting LDAP integration to work can be quite a trick. And modifying schemas and understanding the nuances of search filters can be quite daunting. So, it should work out-of-the-box without much customization (ie authenticate against uid=username,dc=example,dc=org). I also agree with Richard THIBAULT about the ability to have "local" Jira users and groups that don't appear in the LDAP directory. So add +1 for me to his comment. Finally, changing LDAP passwords: Our configuration choices should be at a finer level, an option like "Can user change password". If jira can pull off changing an LDAP password, great, but I still want the choice of limiting where my users can change their LDAP password. Maybe I want them to change their password through an internal page that lists corporate password policies, etc. In this case, I don't want Jira to even offer the choice (or maybe give a customizable URL pointer to where they can). Or maybe I don't care where they change their password, just as long as they change it. Anyway, I look forward to seeing the final result. I'm sure it will be great! We too would find deeper LDAP integration valuable. We use AD to manage some 15,000 accounts. I see the need for group authentication from LDAP for divisional and business unit access that's managed centrally and a need for groups managed within Confluence (our current interest) where users fall across the line of business silos.
This issue still hasen't been scheduled.
Any hope that this will be resolved in the near future? We are discussing implementing this with a customer who is willing to fund some of the development, so it may happen within the next few months.
We use Oracle OID for all user management, I was a bit dissapointed when I hooked up Jira with the new LDAP integration, just to have to continue creating users. Furthermore, I had to go to a few JSP pages and kill the forgot password links etc.
Jeff, what is the statuf of this one? We, like many others, want to start using Jira for support issue management, and this is a blocker for that right now. All our internal and external users, and groups, are available in LDAP. We really really don't want to double-manage them.
Rickard,
We are hoping to put someone on this in the next few months. I can't give you a more accurate timeline than that, as it depends on hiring of new developers. Cheers, Confluence administration allows delegation of user management to Jira. This is nice, but there might probably be some added granularity so that project managers can add individual users to projects and/or groups using the GUI.
Regarding use of LDAP. Sounds great. We also use Oracle's dbms_ldap package to synronize external DB with Oracle's OID. We've written LDAP triggers to externalize managing users. Would like to do same for Jira. Haven't found example of how to do that yet. Could you get with Oracle to formulate an API much like they already have so that our triggers can hit Jira as well? If you like, I could give you the name of an OID expert who you could contact. Charlie We use CVS integaration which is tied to OS user. But only developers are on CVS and not business users who files bugs, are not on the OS on Unix/Linux box. We may need generic OS group access for business users if we were to tie OS group/users to Jira and LDAP. (Most of the projects would exsists on CVS). Just a thought ..
Kiyomi - May 12, 05 I don't particulary care about having some Jira information stored in Jira. In fact I might say I prefer this. If it's Jira specific, that's where it belongs, right?
What I would like is a more flexible way to link LDAP accounts to the Jira information. When a user logs in, I want the user object to be located by sAMAccountName, but I want the Jira information to be linked based on gUID. The Account name of the user may change!!! THe guid will not. This would basically mean the integration of a new LDAP config setting: unique.attribute, or something. For us, even a very incremental step would be a huge improvement. We have all of our users, many thousands, stored in LDAP. It would be nice to point JIRA to that LDAP instance and have JIRA automatically create their JIRA account the first time they log in. Seems like it would be fairly simple for JIRA to bypass the simple 'Create User' screen, pull those few fields from LDAP and push them into JIRA. That would alleviate me from the burdon of manually entering those names in to JIRA.
In an enterprise enviroment the improvements JRA-1962 and JRA-2398 are really needed.
Please provide new plugin types for
The default plugins can be a ldap authentication (http://www.atlassian.com/software/jira/docs/latest/ldap.html With the plugin type interface other developers or Atlassian can implement JCIFS / NTLM authentication plugins, Vintela Single Sign-On for Java (VSJ) plugins etc. A JIRA administrator should be able to select and configure more than one authentication plugin, e.g. to allow a failover with an external user doesn't exists in the active directory but in the JIRA database. Hi guys,
Just want to let you know we are actively working on a new user management module that will be used by JIRA and Confluence. First phase will be to get it integrated into JIRA and there will not be many noticable changes. This will give us a good base to build extra functionality on in the future, including many of the things mentioned on this thread. As you can imagine this is a complex change and will take some time to do. As a result I can not specify when this will happen but we do have a guy working on it full time at the moment. Cheers, Sounds great. The sooner the better. We were hoping with release 3.2, this would be available. So, if working on this, it sure would be nice to have some idea of when this might be available.
Charlie Due to the nature of this beast it is hard to say when this will make it into JIRA but we will keep you updated on the progress.
Cheers, Hi all,
The Atlassian User project is working towards better LDAP integration. We're at an early stage where we wish to test the software's ability to map to different LDAP schemata and are looking for test data. You might find the following link useful for explaining the current state of the project. Leave a comment on the page or let me know (nick@atlassian.com) if you have any further questions. http://confluence.atlassian.com/pages/viewpage.action?pageId=122526 Cheers, Before you move much further down the road of implementing connectivity to LDAP, I suggest you read the following:
<http://www.stanford.edu/~quanah/directory/email/ Although this is talking about email clients, items 1,2, and 3 all apply here. Also, I think there is an over-emphasis here about authenticating TO something from Jira. If Jira is going to survive as a product that wants to promote its capabilities of integrating in single sign-on environments, it is going to have to understand that users have authenticated prior to even getting to Jira. For example, we do this at Stanford by front-ending tomcat application with our opensource webauth product <http://webauth.stanford.edu Regards, Quanah,
if you want a real SSO in a windows enviroment, you have to use e.g. Vintela Single Sign-on for Java (VSJ) (http://www.vintela.com/products/vsj/index.php Cheers, Quanah,
Authentication is fairly easy - a SSO system like webauth can add a cookie to requests, and there's a hook in JIRA where you can add code to validate the cookie and automatically log users in: http://opensource.atlassian.com/seraph/sso.html However authorization (group management) is more difficult, and not AFAICT dealt with by frameworks like Webauth. In JIRA we need to be able to run queries like "show me all members of a group", and "show me all users in group 'jira-developers' with address matching '*@stanford.edu'". This is what the user management module does that Nick is talking about. Jeff,
Thanks for the SSO link, it is very useful, and should resolve my SSO bits with Webauth. However, the points in my previous comment still apply. We have a pool of LDAP servers (running OpenLDAP, in fact) that I run and maintain. However, the Jira LDAP stuff as currently implemented would never be able to talk to them. The basic LDAP model above appears to be based off of LDAP V2, which has been deprecated for a long time. To be a worthwhile LDAP module, it needs to support the varoius LDAP V3 bind mechanisms, and I know for a fact that JNDI does this, because we use JNDI extensively now to talk to our LDAP servers. As for your question about posixGroup, that is one way to put together group information, but that is really about UNIX group ID numbers. This is really not an LDAP group concept. "groupOfNames" is another (and what I use), and is really what most LDAP group memberships is based upon. "groupOfUniqueNames" is another objectClass dealing with groups, but generally "groupOfNames" is used instead. Again, the key to providing worthwhile LDAP support is to make it so that you can work with the LDAP servers people have deployed as opposed to what a lot of companies have done, which is to try to force the LDAP servers to work the way the company thinks they should (and those companies are often very very wrong...). And of course, someone might have their own schema defined objectClass that is used to create groups. Or, they might have an attribute that is located inside an entry that lists the groups a person belongs to. So some food for thought there. --Quanah Quanah,
I'm sure Nick would be very interested in any feedback you could give on what we're developing: http://confluence.atlassian.com/pages/viewpage.action?pageId=122526 It sounds fairly flexible, letting users specify the LDAP queries involved, but in practice we'll need feedback to know if it is flexible enough. As for authentication, OSUser and AUser both use the trick of getting the LDAP directory to authenticate a user with the supplied password (not doing the password comparison themselves). Thus JIRA doesn't care about the auth details (password formats etc). Is this what you were getting at? What do you mean by the "LDAP V2 model"? Cheers, Jeff,
I'll follow that link. On the "LDAP v2" part, what I mean is, the entire concept of using "usernames" and "passwords" is the LDAP V2 bind model. LDAP V3 allows other methods (like Certificates, Kerberos, etc). At Stanford, there are no passwords stored in the LDAP server at all. You cannot authenticate a user with a supplied password in any way, because there is nothing for it to compare that password to. If I wanted the JIRA application to be doing data lookups in our LDAP server, I'd assign it a Kerberos Keytab, and then have JIRA use the kerberos credentials from that via JDNI to do SASL/GSSAPI binds to our server to look up group information. There is no password involved anywhere, and the LDAP Server knows what DN to map the JIRA connection to via the Kerberos identity assigned to it. --Quanah There has been a lot of activity on the Confluence side for LDAP integration. It would be great to share the fruits with JIRA as well. Can we call this issue the "use Polis in JIRA" to match the direction taken by Confluence in CONF-5581
 ?
Any chance the JIRA and Confluence teams will get themselves synchronized on the LDAP thing and permit users who use both Atlassian products to perform one glorious handover of users to LDAP? (Fingers crossed...) Clarified summary in light of Polis as suggested.
An enterprise edition of a software product should allow to manage the users and groups management by a LDAP server. I don't want more!
Nick or Jeff ,
Could you provide another update on how close you're getting to providing tighter LDAP integration with JIRA (for the user management piece) and native SSO integration (vs. doing the Seraph customizations)? Target version/date? Thanks in advance. Joanna,
Unfortunately we do not have an estimate at the moment. Thanks, Could we get some more information regarding the plans and time-frames for aligning JIRA and Confluence in regards to these external user management features. I am loath to do things piecemeal, especially with s/w from the same vendor.
Have your SSO plans confused the AtlassianUser/Polis adoption plans? We also use Active Directory for our team/group mappings and would like to have JIRA access AD for passwords, permissions, etc.
Our SSO solution, Crowd
, will enable JIRA to be backed by LDAP though there will still be memory issues as our internal User implementation has not changed. So if you have a limited number of users, you could use crowd at the moment to implement a SSO across JIRA/Confluence or to do user management in LDAP.We still plan on integrating Atlassian User/Polis, though unfortunately do not have a time frame for this feature. Sorry. Cheers, To respond to the original questions asked:
Do most people use LDAP to store groups, as well as user accounts? Yes we store users and groups in the LDAP. Is there generally a clear mapping from LDAP groups to JIRA groups? To add to Jeffs comment.
Is there generally a clear mapping from LDAP groups to JIRA groups? I am proud to announce that Atlassian Crowd is now available and should solve many of the issues described in the comments above.
Using Crowd, you can define your groups in LDAP/Crowd/Custom DB and JIRA will pick up all of the group memberships that are changed. Crowd by default has an option enabled that caches the group memberships for 5 minutes, but this can be adjusted if necessary. Using this new product will allow you to have the flexible security rules you are looking for. Hmmm....while Crowd looks interesting, I'd simply like to be able to use Jira against LDAP users and groups without introducing an extra piece (both to purchase and also maintain).
Is the current answer to use Crowd? Or will there be any development to be able to use groups from LDAP? In our case, we very much need the ability to tie into LDAP groups (as we store a LARGE amount of group information in LDAP which is programatically maintained....we really try to avoid double work Thanks. I'd like to second Andrew's comments.
While Crowd has all the bells and whistles. Yes you are correct. JIRA (even latest version) has pretty poor ldap support. We (BT) wrote our own OSUser ldap implementaion for LDAP.. but its slow, as we aint optimised any of it.
I have just finished modifying atlassian-user for BT's use for confluence.. and to be honest, its very good. There is scant documentation though, but with the source code, you can figure out what is going on. So, for me, if JIRA uses atlassian-user under the covers that would be good, but it doesnt. Anyone got any other frameworks to run between JIRA and LDAP to delagate groups and users to LDAP. atlassian-user is exactly the functionality we require.. This thread started in July 2003.. thats 3 years ago.. come on. come on. If Crowd is the "promised solution" to LDAP integration, I have to say I feel we've been sold a bill of goods. We were promised an LDAP solution in these pages and on the wiki for years. Some of us have struggled through using the tough-to-integrate intermediate OSUser solution. Seriously, does Atlassian realize the ridiculous amount of work implied by Alex Fishlock's comment? It is an outrage that he has to do this.
Now Crowd is here, and it feels like we are being asked to pay a huge fee for what ought to be something built into the JIRA product itself. Really bad. If Atlassian wants to call this "legendary support", well it sounds like hollow cynicism to me. "Well, Mr. CIO, this is a great product, but to integrate it properly with your LDAP directory, you have to hire a Java programmer... or pay this small extra fee, heh heh heh." Couldnt agree more with Dan and Alex. I'm now forced to re-consider the sanity of my purchase of Enterprise JIRA and Confluence - this has a real stink to it and goes against everything I liked about the Atlassian attitude, namely great enterprise oriented, developer loved s/w, without the Serena and Telelogic bloat or stupid price tags. Reminds me of CA, "yes but then you need to buy our configurator, our adapter and our facilitator, plus the 2 months professional svcs required to install and configure it". You're going into the SSO market but how dare you push that cost to us. I would expect existing Enterprise customers to get a MASSIVE discount on Crowd but no, or just limit CROWD to work with Atlassian s/w (my other products all work with LDAP and i dont really care about SSO anyway). So my choices are - loads of DIY hacking to facilitate the oh so rare use-cases of authentication and authorisation of Atlassian s/w via LDAP/ActiveDirectory, purchasing CROWD (more expensive than the tools I'm buying it to support) or a complete shift to a another technology/vendor (i.e. SharePoint, VSTS, CollabNet anyone). Whos new on the Atlassian board?
This issue has been opened for three years. I have a total of 16 issues I have voted on, not a one has been resolved, and the average age open is currently 846 days. I wish Atlassian would be honest with all of us and just close the issues they have no intention of ever resolving. I cannot continue and make excuses internally at my company for Atlassian's lack of responsiveness.
On this issue, in particular...even Fisheye has support for LDAP groups...why is it so hard to add to an issue tracking system? One note re. John Allen's comments – Confluence has much better LDAP integration with full LDAP group support and support for multiple LDAP servers in version 2.3. If Jira had the same level of integration, I'd basically be happy (although I'd love to see both be able to pull more user metadata from LDAP as well).
Also, for us as wel this will likely make the difference between sticking with our Professional license vs. upgrading to Enterprise – we're looking at rolling Jira beyond the one department using it but need LDAP integration for that (one of the main reasons we're even looking at the Enterprise version actually). JIRA will be migrating to atlassian-user. It is a rather large undertaking, and even Confluence is not 100% converted over in 2.3. However, 2.3 has resolved most of the bugs in atlassian-user, and they are working on the rest shortly.
Justen was pointing out that there was a solution out there that would work now. It does cost money, and we don't intend it to be the final solution. Sorry for not pointing that out. Thanks for your feedback (especially about Crowd pricing) - I want to let you know that the noise you make does get through, and we are doing our best efforts to have shorter, quicker releases, where we can get more features in, and attack more of the popular features (this is now 8th most popular feature). Cheers, Scott, can you give any timeframe when this will be implemented? Thanks, I just got done setting up atlassian-user on Confluence 2.3 against OpenLDAP and found it generally usable. I liked that a user could be added from LDAP, without touching Jira. This is important for us. I added the auto-add functionality available from http://confluence.atlassian.com/display/DOC/Automatically+Adding+LDAP+users+to+the+confluence-users+Group
. Since I can't see mention of it anywhere, I'd like to add a request for TLS to be supported - we'll just have to use LDAPS for the time being. By supported I don't just mean "upgrade connection to TLS" but "reject LDAP connection if certificate isn't correct". Cheers.
Is there any estimated time to when the integration with AD is being done for Jira?
The need for it grows day by day. As I understand you are awating for the integration with Confluence and AD first to be stable, but I really hope Jira is not far away. Cheers Olle I know its not the answer some people want to hear but we have had Jira working with AD for about three months now – by using the Crowd integration.. I know their are issues around the Crowd pricing model (earlier in this thread) but one the technical front it ticks all the boxes and works really well.
Regards In our experience, LDAP integration with Confluence has been very stable since 2.2.x actually (we're still back on Confluence 2.2.10 and the LDAP part has been rock-solid).
It is also necessary to encrypt the password of the LDAP admin in the xml settings file. clear text passwords are completely banned in our corporate environment and this could be a show stopper. Basic encryption is all that is needed.
There would need to be an LDAP schema or a schema mapping to existing schema attributes.
I would say that most people who use LDAP use it for storing authorization data. After all, LDAP is not an authentication system, but as a directory server it is ideal for storing authorization information – it's why Microsoft Active directory uses LDAP for its authorization data, but Kerberos as its authentication system. Using LDAP for authentication and not authorization is just fundamentally misguided. Alex, your term "misguided" is off-putting... but the fact is, LDAP is used for authentication in some organizations and that choice is often out of the control of us here if we work for large companies who aren't the decision makers for corporate-wide authentication.
I agree with David Smiley. LDAP is used (almost primarily in some instances) as an athentication mechanism in large corporates. Banks and Telcos are good examples of this fact, where I have been/am working.
At British Telecom, we have a few LDAP servers, one for authentication (active directory), and one for profiles (Novell), and others. Although this may seem silly to some (I think so too), it actually works very well for BT. This is a typical setup though in my expererience, as LDAP as the first proper server mechanism to enable Single Sign on. So like it or not, in established corporations, LDAP is going to be around for a long while, and has good penetration, both for authentication, authorisation and profile data. atlassian-user is a good mechanism of abstracting this LDAP and other mechanisms though. The interfaces for atlassian user are well thought out. I'm sure that they will morph over time. But its a damned good start. We also store other information regarding groupings of people in Peoplesoft (oracle db). What I have done at BT is write a load of java which does all the effort with out LDAPs and oracle and then write an atlassian-user and os-user implementation to use it. This allows us to use the same code base for jira and confluence without hacks and dirtiness. But its a lot of effort to get round the fact that both these produts use different user management. I know Atlassian are working out the tasks needed to convert jira to atlassian-user. I also know that the work is an extensive change for the product so may come in numerous releases. All I hope is that it gets started and completed. I look forward to the day when this issue changes state to "In Progress" Is there any new status of this issue?
It's good to avoid password management outside of JIRA, but it would be much better to manage also the users and groups in LDAP. Using Crowd is not possible in our environment: for internal directories, it only allows internal user, but no LDAP user. Has someone implemented http://confluence.atlassian.com/display/DOC/Automatically+Adding+LDAP+users+to+the+confluence-users+Group Thanks, finger tap... (a gesture of impatience)
Hello,
you used "finger tap" in a comment for this issue. Sorry, but as a Thanks, Any possibility this might get assigned to a release at some point? (even if not assigned to the next release)
Thanks! I had this problem also (as far as user registrations go) it would be great to get it done automatically. I got the point of trying all the jelly scripts etc. and some implementations using soap but none passed trial by fire.
The result is I wrote an RCP app that talks to AD via LDAP, that has a JIRA plugin that allows a given LDAP user to be automatically be provisioned through the JIRA SOAP interface. I also added a neat right click 'add entire company' as I was fed up with automated Jira emails bouncing due to the user not existing and the fact I had to turn off user auto-creation (causing the bounce) as people got created with their email address (my company likes just the ID thanks - no option to only add by ID, shame!). This probably won't work very will for the 10K+ Jira user bases mentioned (I think it took an hour to chew through 1000) , as the JIRA SOAP api doesn't (AFAIK) yet provide a method to nominate a given group, eg 'jira-users', you have to retrieve the RemoteGroup which also contains serialised members - with 10K users, thats going to slow you down a tad. Anyone think this would be useful for them, it only helps with automated user registrations... A tickbox to 'autoprovision' from LDAP on login sure would be a nice start towards addressing this! I haven't yet had the headache of LDAP group requests but that's coming. Perhaps a plugin like confluence CSUM would help... 4years now We have alot of users in AD which does not makes sense at all, so there is no point in pulling them in JIRA through script, though i am trying to filter out dummy users someway or the other through python script.
and putting those users in jira through soap api. It would be great if this features get's in place ASAP. Hope atlassian can see the problem faced by people and react in positive.  Can we please get an update on this issue?
It seems like there are quite a few votes for it and it's been open for quite some time. Should I start developing a solution in house? Or will JIRA be able to do the same integration that Confluence has had for some time, now? posixGroup is not limited to any particular LDAP implmentation, it is defined in RFC 2307: http://www.faqs.org/rfcs/rfc2307.html
Accordingly, it is meant as an abstraction of a group of user accounts. And update would be great guys, end of calendar year and all that.
Is there any plan at all to fix this in near future.
Welcome to 2008, the year Atlassian User (and hence LDAP integration) is delivered for JIRA!
;o) Well, that's what I'm hoping to hear once the good folk from Atlassian and the JIRA team come back from well deserved holidays. This feature is (at the time of writing) #8 most popular: and taking a look at the others in the top 10, they all date from late 2002 to mid 2004, bar 1 from 2005. All with more votes. Again, looking at that list, only 2 of the top x0 are down for v4.0. Would be very interesting to see a report showing time to closure of top voted, watched, and commented issues, which may or may not show any correlation. At least we, as users, would then know whether voting and commenting had any impact on development priorities. I assume it does, but that this must be balanced with security and stability issues, along with resource constraints etc. I do greatly appreciate the incremental improvements that have been made in the last year. Pain points for out team around time tracking have been addressed, and the improvements to the version and component panels is fantastic. The integration with Confluence is coming along nicely. All things I have voted on that are major developments completed in the last year. Hopefully my next hot button (this issue) is bubbling to the top too! cheers, Nick Perhaps some useful info on why this is important:
We are interested in hearing from anyone who has developed their own group import solution for JIRA, as we may have to get there ourselves before Atlassian User arrives. Any links or example code greatly appreciated! cheers, Nick
This sounds almost identical to us! I've held off trying to do the more We all find the lack of LDAP support in JIRA a complete anathema. We can only wonder where Atlassian's true focus lies (JIRA Studio, Bamboo, acquisitions, corporate expansion).
Are there alternatives we should consider that support LDAP? I am working in a new group, not using JIRA. We are considering task tracking alternatives, and this lack of LDAP is a huge negative.
Hello guys,
I developed simple java application that basically loads data from LDAP and from Jira application (thro SOAP) and makes diff to add new users to Jira. This application is based on Atlassian Jira SOAP client example. You can download source code here. I've attached it into this Jira issue. You can find basic instruction of how to configure, build and run this application into README.txt file. For detailed instruction please see source code and Atlassian Jira SOAP client example. Hope it helps, Basically AFAIU my solution is quite similar to Andy's.
http://jira.atlassian.com/browse/JRA-1962?focusedCommentId=93299#action_93299
It works pretty good for our environment with more than 50K users ( total, not active ). That's a very handy piece of functionality.
Hi Alexey,
You are talking about 50k users, I am getting following error for 10k users This is same error as Atlassian ldap importer can you please throw a bit of light on it. 12:40:11,996 INFO org.springframework.beans.factory.support.DefaultListableBean Hi Vishwajeet,
I'm not sure, but it looks like your LDAP directory doesn't support huge amount results. In my application I use Spring Framework to make LDAP programming easy and fun. Atlassian team uses it also. I found that they encountered the same bug as you have So I would recommend to change source code of my application to retrieve LDAP results partially as described on the spring ldap docs. Lets move our discussion offline because here are too many watchers ( sorry guys ) Alex FYI, Active Directory seems to limit results to 1000 by default. With 50K users you'd probably have to code AA* - AZ* wilcard match retrieval to keep under the limit, and aggregate the results or process a chunk at a time...
I would like to see the query as flexible as possible in the user validation. We use Active Directory.
From a user management standpoint it would be nice to have the login part based upon LDAP/AD groups. The rest for my sake could be confined to Jira since now there is a role based option. Hi,
I am using timgolden's active directory python module http://tgolden.sc.sabren.com/python/active_directory.html We currently use Confluence, and had gotten to the point of evaluating jira when I stumbled upon this (stupid me, believing jira ldap integration to be at the same level as confluence). I'm halting the eval now, as we are unwilling to take a step backwards on ldap (Active Directory) integration when so many other products offer it. This issue has been open since 2004 with no progress, and Confluence has has functional ldap integration since 2.2/2.3. Apparently jira is not intended for enterprise use...
I agree with your sentiments and had this problem when we tried to expand jira usage company wide. However, we worked through it by doing the following:
I (like an earlier poster) also have a lot of different groups since I work in a university setting. We rely completely on AD for our group management, and are not willing to just import the users/groups and then manage them both in AD and Jira. Its bad enough I need to use a 3rd party auth module to add nested group support to Confluence, but to completely manage both users and groups within Jira is unacceptable. As the only administrator of Confluence, I can't take the time to make sure my AD users and groups are always synced with Jira.
Crowd is nice, but having to pay for an additional product because of lack of core functionality in Jira is not acceptable. Give Crowd out for free, or build in the functionality as promised and expected. I definitely appreciate Bob Swift's suggestions however I agree with Timothy Yanni-Lazarus – needing to use/pay for Crowd to get baseline LDAP functionality in Jira is not acceptable.
We've been using Confluence's LDAP integration for years now with great success – equivalent functionality in Jira is all that we're asking for (I realize that may not be simple but I'd presume a good bit of the Confluence code could be used in Jira). We have an Enterprise license and this has significantly slowed down rollout within our organization as well as given the product something of a bad name internally. It's taking us alot longer to deal with Jira provisioning, and an OSUser based solution doesn't seem to scale well, although we're still working through the exact nature of it's inefficiencies. It's taking alot of administration time to keep groups and users synchronised, and this means we can't move Jira to a sustainable lights out mode of operation.
Let alone bring it into our shiboleth based federated identity management framework. As you've suggested this too is a major impediment to adoption of Jira.. we simply can't manage people and groups responsively enough to keep user groups happy... well, not without having a dedicated jira system admin, which is just not viable as a support model. Bringing Jira onto atlassian user is clearly requires a difficult refactoring, but this is a major and constant burden on many customers. It's a core subsystem that drives the rest of the system, and in that respect is a fundamental dependency. It's been top 10 on the popular issues list for quite some time. Come on Atlassian, share in our pain.. :o) This issue has been open for 5 years. This makes me question Atlassian's ability to support it's product - and thus weather I should take the decision to buy Jira or not. LDAP integration just isn't that hard.
Here is an idea:
Why don't atlassian write an OSUser -> atlassian user adaptor.. This is just an implementation of osser (3 interfaces) and an adaptor (3-6 classes) to atlassian-user. This way, at least people, who have atlassian-user implementations, or want to do a better job of ldap integration, can use this.. without actually refactoring everything internally to jira.. This piece of wrk would take a week of atlassian's time.. its really not that hard. Obviously its not a proper job, but the pain of all the above people, would be reduced a lot. my concern with this approach is that the Jira <> OSUser interface is inefficient, to the point of being unworkable in our enterprise environment, even with just staff (~5000 users). It seems that the OSUser interface isn't optimised for this scale of real time query to an external directory, and halts Jira to a crawl and mostly just fails requests due to timeouts. Without a rewrite of the OSUser interface and the calling Jira codebase to scale to the enterprise, this isn't a viable solution...
nick I know you guys like use cases so here's ours. We have tens of thousands of staff so support for account creation must be close to zero. Our JIRA authenticates using Vintela SSO for Java, users are automatically created if they don't exist.
Here's our problem: one team enter tickets on behalf of other people, who may well not have jira accounts. They want to use the reporter field so the user gets emails from jira and so on. The problem is they can't create user accounts. Ideally this would work in the same way as confluence, where the user lookup is against AD. Here is my workaround. Create a custom field called Reporter visible only on issue create. A post function verifies that the reporter entered is a jira user, or creates them if not. Then it copies this value to the "real" reporter field. The problem though is that sometimes they forget to put the reporter on create, and when they edit it, they can't find the user (as it only searches jira accounts). It's also confusing because the two fields (real reporter and custom field reporter) look and behave similarly but show different search results (I'm using this cheers, jamie I don't know if this is the right place for this comment, but I'm having a heckofa time getting anything like a group to work in Jira. Jira does not see our LDAP groups, and because we are using Crowd we cannot create groups in Jira. We cannot add users to "nested" groups in Crowd either. We have only two groups: jira_admin and jira users. If somebody wants to search for all of the engineers that own issues in X project they cannot search by a group called "engineers", they have to filter each name individually.
I can partially use Jira's roles to workaround some of this limitation, but not the searching. Altogether the functionality is disappointing - the ability to use the LDAP password in Jira is almost causing more problems than it solves. - Greta Hi Greta,
If you are already using Crowd delegated directory (i.e. if Bob's suggestion does not help), can you please create a support case in the Crowd Support project in https://support.atlassian.com Kind regards, Hi,
I guess a lot of people are still waiting for this implementation to come. I this is a bug the people are reporting, because you promised to implement it in the Jira documentation to persuade people to buy the product. See: There are a lot of use use-cases and only one solution -> CROWD. Please integrate the LDAP authentication feature as promised or offer CROWD as workaround for licensed Jira companies. This documentation is the basis for our decision to buy Jira and we also bought the support. I don´t think that the support should be to offer additional products! I would be happy to be informed about your further plans concerning this issue. Cheers, Jörg "Hi,
I guess a lot of people are still waiting for this implementation to come. I this is a bug the people are reporting, because you promised to implement it in the Jira documentation to persuade people to buy the product. See: There are a lot of use use-cases and only one solution -> CROWD. Please integrate the LDAP authentication feature as promised or offer CROWD as workaround for licensed Jira companies. This documentation is the basis for our decision to buy Jira and we also bought the support. I don´t think that the support should be to offer additional products! I would be happy to be informed about your further plans concerning this issue. Cheers, Jörg" Couldn't agree more. This ticket has been open for 5 years?! Doesn't seem cool to still be saying "buy Crowd". That approach doesn't even work for MSFT anymore Added UI Mockup: <2008-11-25 12:40>
The use cases should be pretty simple (and I certainly hope Active Directory support is at the top of the list!):
1) Assume Active Directory is read-only. All products that claim "LDAP integration" should support at least the first use-case, supporting the second is a nice-to-have... The bigger the company, the less likely read/write is even an option.
Agree with Darren, my org has ~1400 people, the 'network' team owning AD do not countenance writes by anyone but themselves, and only then via MS tools. The only scenario I see being likely for writing to ldap is if you shadow a readonly ldap server with another one, eg openldap. Doable, but at a cost. Personally I'm fine with read-only.
Our institutional IDM system masters ~200,000 users (including alumni)
outside of the central directory, in an enterprise person registry (EPR). Writing back would require a very loose coupling into an SOA. nick@nickdjones.com On 27/11/2008, at 11:01 PM, "Andy Brook (JIRA)" <jira@atlassian.com> I have to reply on Andy on this.
Yes we are also a victim of this issue and were forced to use crowd for Jira and Bamboo (Confluence works great with ldap). If you really want to, you can buy two licences and since the connection from jira/confluence to crowd is only http you can put a load balancer in between. I found that writing a sync application between Jira and Active Directory worked best.
We now have an application that runs ever hour, scans all the groups, creates them in Jira, adds/removes people from the groups and creates new users if they don't exist. Also, the groups flatten all nested groups which makes it very usable for us. That certainly helps auto create users, and when users are removed from Active Directory, Jira does not choke on the missing user... cause they exist, but are not part of any groups. It was unfortunate that we had to write such a tool. It should be a built in service in Jira. Darren
Can you share those application with the JIRA community? I guess it will be better to do something open-source thus we do not have a way to 'force' Atlassian to keep promises. I guess application can be written even in C# - it gives you smooth integration with Windows environment. I would love to share it, but alas, I work for a large software company (that does not do open-source) and wrote it on company time with company resources. But, I will see what can be done.
Btw - the utility was written in C# and the code is extremely simply. 1. Connect to LDAP and Jira Hi,
It means we are going to take a look at this issue in the short term but its not yet scheduled for a particular release. Kind Regards, Andrew I'm still astounded that this widely requested feature is still not planned, even for 4.0. Who decided that OpenSocial gadgets in 4.0 was more important than proper LDAP integration?
> I'm still astounded that this widely requested feature is still not planned, even for 4.0. Who decided that OpenSocial gadgets in 4.0 was more important than proper LDAP integration?
+1 @Andres: Because Atlassian gets money if they force us to buy Crowd.
+1 > Because Atlassian gets money if they force us to buy Crowd.
...which, just maybe, might make up for all of the companies that don't buy JIRA period because of the lack of LDAP integration. We decided against JIRA for this very reason. We continue to monitor JIRA (obviously), and if this LDAP issue ever gets resolved we'll evaluated it again. Seems unfortunate to leave potential customers sitting that are ready to hand over their money for such a small and basic feature...
You absolutely right! After several years our company already paid for ent version, but we continue to monitor about LDAP integration... with no luck. Our paid period will over, but LDAP integration will stay at null, I think we don't buy JIRA anymore without this feature enabled. Hi folks,
I'm the Integration Product Manager at Atlassian. My responsibilities include Crowd and the effort to unify our user management stack. If you're not aware, Confluence and Bamboo use atlassian-user, FishEye and Crucible have their own stack, and JIRA uses OSUser. Crowd's LDAP stack is different again. This isn't a pretty situation, and it's one that we honestly don't relish either. I really hate the fact that some of you feel pushed to buy Crowd because JIRA's LDAP support sucks. We'd be much happier if you were buying Crowd because you need the ability to simplify your user management infrastructure, or because you want to integrate your custom apps with your Atlassian stack. The upshot is that we are going to put Crowd's LDAP stack into both JIRA and Confluence, and then into the rest of the products. This is a large amount of engineering, and in JIRA in particular, will affect a lot of the code. Much of the Crowd team will be helping out on this effort. The work will not be delivered in JIRA 4.0, but it will start as soon as 4.0 ships. Apologies for the wait, but we are working on this and we will deliver it. Before the bug is old enough to go to high school Cheers, Dave, thats really great news.
Please clarify, with this change, are you going to implement LDAP server failover, which is lacking accross the board in all products to date? Last time I looked Crowd still didn't support failover through federated ldap mirrors. This has pretty much been a reason for not using Crowd to date. Moving the Crowd LDAP stack to other products is great in terms of a common configuraiton, and I'm sure LDAP integration will be improved, or at least enable future improvement accross all produts. But, it would be a shame to go to all that effort and still not have such long-awaited features (ehm, possibly even fixing recursive group membership Is there any roadmap planning decribing the eventual features that this stack would provide? Cheers, Hi Andy,
There isn't a public roadmap yet, primarily because we don't want to commit to features we may not deliver. We've gotten ourselves into enough trouble as it is That said, we are looking at LDAP server failover for inclusion in Crowd, and when it makes it into Crowd it'll flow into JIRA. Crowd does recursive group memberships (or nested groups, or sub-groups, depending on your terminology). If you watch CWD-422 Cheers, This is exactly my point. We keep being told that proper LDAP integration is a lot of work and so it had to wait until a major release. We wait for 4.0 and features that aren't even requested get the priority.
Atlassian-user works fine for confluence and bamboo. Instead of implementing what we have asked for, we are again being told you can't promise anything because you are working on an all new library that 90% of users don't care about. You are spending too much time on new products and new features instead of servicing the ones you have. Hi Andres,
Implementing atlassian-user into JIRA would be significantly more work than putting in Crowd's LDAP stack. Crowd has a lot of caching work already in place that we'll need for JIRA & delivering an alternate stack wouldn't happen any faster. I can appreciate your frustration - in your place I'd probably be significantly less politic - but we are working on this and we will deliver it. Cheers, Imho it was not only a wrong priority setting to implement gadgets in 4.0 instead of LDAP integration.
I think it was a wrong policy by Atlassian which will cause loss of many customers. Gadgets affect the whole appearance of the system. This means all portlets have to be reimplemented. My company is paying me for improving our own products with help of Jira (and other tools). This means, even if LDAP will be integrated in 4.x, I will never get it! I'm quite sad about this. Bettina Zucker In our Confluence we use atlassian-user with custom LDAP authenticator , which uses Active Directory dynamic attribute to know users membership, this allows Confluence to see active directory hidden membership groups. Crowd does not see them. It was crucial for our installation, so the Crowd is not an option for some of customers.
Seriously folks - almost 6 years ago this request was submitted. You've already got this functionality in Confluence. How about showing Jira some love too?
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 |
|
Improvement
Short Term Roadmap
Major
Migrate to Atlassian User (externalised LDAP management)
It's unfortunate that both osuser (Jira and Confluence) and atlassian-user (Confluence only) formats aren't capable of expressing fail-over ldap servers. If your DC goes off-line, despite having another 12 replicated instances you loose access. The same is true for CROWD....