[CWD-4134] Support FreeIPA Roles/Permissions/Privileges

Type: Suggestion
Resolution: Unresolved
Fix Version/s: None
Component/s: Directory - LDAP
Labels:
None

Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

FreeIPA 3.x is a very powerful replacement for MS AD. As it turns out, it also contains a full RBAC system that has host-based differentiation capabilities.

Imagine: Individual permissions allow very granular mapping to actual functions in the Atlassian stack. Traditional Atlassian roles such as jira-administrator allow a smooth migration path for existing users. Privileges are created to map these permissions to roles. Add hosts to the mix, and roles can be differentiated by server such that the jira-administrator role can be the same everywhere, but with only certain users available to exercise a role per host.

FreeIPA does all this out of the box.

Crowd is great, but FreeIPA has slowly improved to where Crowd was originally going to go. FreeIPA is incredibly detailed, maybe too detailed for the beginner user. As it's turned out, they compliment each other quite remarkably! Supporting both Crowd and FreeIPA will make the Atlassian stack incredibly valuable.

mentioned in: LDAP Groups are not being populated with users using FreeIPA; Page No Confluence page found with the given URL.; Page No Confluence page found with the given URL.; Page No Confluence page found with the given URL.

Franz Geffke added a comment - 17/Jun/2018 3:26 PM

I've also had issues with this but eventually configured it trough trial and error in the Crowd UI. I have posted my settings here.

Franz Geffke added a comment - 17/Jun/2018 3:26 PM I've also had issues with this but eventually configured it trough trial and error in the Crowd UI. I have posted my settings here .

Andrew Meyer added a comment - 19/Oct/2017 10:58 PM

I am trying to migrate from OpenLDAP to FreeIPA. I am not able to have JIRA communicate w/ FreeIPA. I get connection error 49.

// code placeholder

Connection test failed. Response from the server: [LDAP: error code 49 - Invalid Credentials]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials] For more information regarding LDAP error codes see Troubleshooting LDAP Error Codes.

Andrew Meyer added a comment - 19/Oct/2017 10:58 PM I am trying to migrate from OpenLDAP to FreeIPA. I am not able to have JIRA communicate w/ FreeIPA. I get connection error 49. // code placeholder Connection test failed. Response from the server: [LDAP: error code 49 - Invalid Credentials] ; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials] For more information regarding LDAP error codes see Troubleshooting LDAP Error Codes.

Christopher Lamb added a comment - 29/Jun/2015 3:32 PM

I agree, native support for FreeIPA would be super, and sensible as FreeIPA is an obvious LDAP solution for anyone running Enterprise Linux (RHEL, OEL, CENTOS et al).

It is however possible to integrate FreeIPA to JIRA (and probably to other Atlassian products). However it took us several attempts, and some head-scratching to get a working solution. As always the devil is in the details, but it is easy once you know how.

Note there are probably other solutions that work as well, but this is the one that works for us.

Key points:
a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users.
b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support.
c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated (and without working e-mail notification Jira is as useful as a chocolate tee-pot.)
d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user!
e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute. (FreeIPA can provide users from 2 trees, the "compat" tree and the native users accounts tree).

Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function).

mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001;
attribute_name
attribute_value
autoAddGroups jira-users
crowd.delegated.directory.auto.create.user true
crowd.delegated.directory.auto.update.user true
crowd.delegated.directory.importGroups false
crowd.delegated.directory.type com.atlassian.crowd.directory.GenericLDAP
ldap.basedn dc=my,dc=silly,dc=example,dc=com
ldap.external.id uid
ldap.group.description description
ldap.group.dn
ldap.group.filter (objectclass=groupOfUniqueNames)
ldap.group.name cn
ldap.group.objectclass groupOfUniqueNames
ldap.group.usernames uniqueMember
ldap.nestedgroups.disabled true
ldap.pagedresults false
ldap.pagedresults.size 1000
ldap.password xxxxxxxxx
ldap.referral false
ldap.url ldap://xxx-ldap.my.silly.example.com:389
ldap.user.displayname displayName
ldap.user.dn cn=accounts
ldap.user.email mail
ldap.user.filter (objectclass=inetorgperson)
ldap.user.firstname givenName
ldap.user.group memberOf
ldap.user.lastname sn
ldap.user.objectclass inetorgperson
ldap.user.username uid
ldap.user.username.rdn cn
ldap.userdn uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
ldap.usermembership.use false
ldap.usermembership.use.for.groups false

Christopher Lamb added a comment - 29/Jun/2015 3:32 PM I agree, native support for FreeIPA would be super, and sensible as FreeIPA is an obvious LDAP solution for anyone running Enterprise Linux (RHEL, OEL, CENTOS et al). It is however possible to integrate FreeIPA to JIRA (and probably to other Atlassian products). However it took us several attempts, and some head-scratching to get a working solution. As always the devil is in the details, but it is easy once you know how. Note there are probably other solutions that work as well, but this is the one that works for us. Key points: a) Integration Style: "Internal Directory with LDAP Authentication" --> only those users that attempt to login are replicated, useful if your JIRA users are a subset of your FreeIPA users. b) LDAP Type = Generic LDAP --> JIRA does not yet have native FreeIPA Support. c) bind = via user / password --> we first tried anonymous bind (w/o user). While this replicated users and logins worked, the all important mail attribute was not replicated (and without working e-mail notification Jira is as useful as a chocolate tee-pot.) d) as the password of the bind user is stored in plaintext in the jira db, make sure this is a limited user (member of the default ipa-users group is sufficient). e.g. don't use the Directory Manager user! e) ldap.user.filter=(objectclass=inetorgperson) ensures that replies DO NOT come from the compat tree (no mail attribute). We want replies from cn=users,cn=accounts, which does have the mail attribute. (FreeIPA can provide users from 2 trees, the "compat" tree and the native users accounts tree). Below is the config direct from the Jira database (of course we made the config changes via the Jira admin GUI, which has a nifty Test function). mysql> select attribute_name, attribute_value from cwd_directory_attribute where directory_id = 10001; attribute_name attribute_value autoAddGroups jira-users crowd.delegated.directory.auto.create.user true crowd.delegated.directory.auto.update.user true crowd.delegated.directory.importGroups false crowd.delegated.directory.type com.atlassian.crowd.directory.GenericLDAP ldap.basedn dc=my,dc=silly,dc=example,dc=com ldap.external.id uid ldap.group.description description ldap.group.dn ldap.group.filter (objectclass=groupOfUniqueNames) ldap.group.name cn ldap.group.objectclass groupOfUniqueNames ldap.group.usernames uniqueMember ldap.nestedgroups.disabled true ldap.pagedresults false ldap.pagedresults.size 1000 ldap.password xxxxxxxxx ldap.referral false ldap.url ldap://xxx-ldap.my.silly.example.com:389 ldap.user.displayname displayName ldap.user.dn cn=accounts ldap.user.email mail ldap.user.filter (objectclass=inetorgperson) ldap.user.firstname givenName ldap.user.group memberOf ldap.user.lastname sn ldap.user.objectclass inetorgperson ldap.user.username uid ldap.user.username.rdn cn ldap.userdn uid=yyyy,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com ldap.usermembership.use false ldap.usermembership.use.for.groups false

Mira Hedl added a comment - 14/Apr/2015 8:18 PM

+1

Mira Hedl added a comment - 14/Apr/2015 8:18 PM +1

sysadmin added a comment - 12/Mar/2015 4:12 PM

+1

sysadmin added a comment - 12/Mar/2015 4:12 PM +1

Jerald Sussman added a comment - 26/Feb/2015 7:50 PM

+1

Jerald Sussman added a comment - 26/Feb/2015 7:50 PM +1

Crowd Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: Franz Geffke added a comment - 17/Jun/2018 3:26 PM

Expand comment: Franz Geffke added a comment - 17/Jun/2018 3:26 PM

Collapse comment: Andrew Meyer added a comment - 19/Oct/2017 10:58 PM

Expand comment: Andrew Meyer added a comment - 19/Oct/2017 10:58 PM

Collapse comment: Christopher Lamb added a comment - 29/Jun/2015 3:32 PM

Expand comment: Christopher Lamb added a comment - 29/Jun/2015 3:32 PM

Collapse comment: Mira Hedl added a comment - 14/Apr/2015 8:18 PM

Expand comment: Mira Hedl added a comment - 14/Apr/2015 8:18 PM

Collapse comment: sysadmin added a comment - 12/Mar/2015 4:12 PM

Expand comment: sysadmin added a comment - 12/Mar/2015 4:12 PM

Collapse comment: Jerald Sussman added a comment - 26/Feb/2015 7:50 PM

Expand comment: Jerald Sussman added a comment - 26/Feb/2015 7:50 PM

People

Dates

Time Tracking