Details
Suggestion
Resolution: Unresolved
Description
Problem summary
Currently a user directory can only be configured to accept one base DN for users and one base DN for groups. If the users or groups relevant to JIRA exist in multiple containers/OUs of the LDAP structure, the base DN has to be set wide enough that all of those OUs fall within the search scope. This can pull far too many irrelevant groups into JIRA, which in turn leads to performance issues and makes user management harder to maintain. Also, if you'd like to assume memberships from a different OU, it's nearly impossible with AD.
Example
For example, consider the following LDAP structure; for simplicity's sake we're only looking at groups right now, not users:
DC=company,DC=com
+--- OU=all_groups
     +--- OU=amer_groups
     +--- OU=apac_groups
     +--- OU=50k_other_irrelevant_groups
If we want to pull in the groups under amer_groups and apac_groups, then the group base DN must be set to "OU=all_groups,DC=company,DC=com", since both of them are under that common OU.
The problem is, doing so will also pull the other 50k groups we don't care about into JIRA, because that's also within the search scope. For some LDAP implementations, this is not a problem because you can exclude those irrelevant groups by using Extensible Matching in a search filter to target groups that are within specific OUs. However some LDAP implementations, most notably Microsoft Active Directory, do not support this type of filtering, and therefore JIRA will have no choice but to pull in all of the groups.
You also can't work around this by adding another connector to the same directory, because Jira will only sync memberships from the directory that is highest in the directory order.
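The base-DN scoping problem above, as an added illustration that is not Jira's or Crowd's code: a client-side subtree check that narrows the groups returned by a wide group base DN to the amer_groups and apac_groups OUs, plus the OpenLDAP extensible-match filter that expresses the same restriction server-side on directories that support it. The sample group DNs are constructed.

```python
# Constructed sample of what a group search scoped to
# OU=all_groups,DC=company,DC=com would return (group names invented).
SAMPLE_GROUPS = [
    "CN=jira-users,OU=amer_groups,OU=all_groups,DC=company,DC=com",
    "CN=jira-developers,OU=apac_groups,OU=all_groups,DC=company,DC=com",
    "CN=amer_groups_archive,OU=50k_other_irrelevant_groups,OU=all_groups,DC=company,DC=com",
    "cn=printer-ops,ou=50k_other_irrelevant_groups,ou=all_groups,dc=company,dc=com",
]
ALLOWED_BASES = [
    "OU=amer_groups,OU=all_groups,DC=company,DC=com",
    "OU=apac_groups,OU=all_groups,DC=company,DC=com",
]

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into case-folded (type, value) RDNs; a backslash-escaped
    comma stays inside its value, multi-valued ('+') RDNs stay as one item."""
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        typ, _, val = rdn.strip().partition("=")
        parsed.append((typ.strip().lower(), val.strip().lower()))
    return parsed

def is_under(dn: str, base: str) -> bool:
    """Subtree-scope test: dn equals base or lies anywhere beneath it.
    Comparing whole RDN components avoids false hits from substring matches
    such as a CN that merely contains 'amer_groups'."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def filter_groups(group_dns: list[str], allowed_bases: list[str]) -> list[str]:
    """Keep only the groups that sit under one of the allowed OUs."""
    return [g for g in group_dns if any(is_under(g, b) for b in allowed_bases)]

def subtree_filter(allowed_bases: list[str]) -> str:
    """Server-side form of the same restriction for directories that support
    OpenLDAP's dnSubtreeMatch extensible-match rule on entryDN (AD does not)."""
    clauses = "".join(f"(entryDN:dnSubtreeMatch:={b})" for b in allowed_bases)
    return f"(|{clauses})" if len(allowed_bases) > 1 else clauses
```

Running filter_groups(SAMPLE_GROUPS, ALLOWED_BASES) keeps only the two groups under amer_groups and apac_groups; the archive group whose name contains "amer_groups" is correctly dropped because its parent OU differs.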
Proposed solution
It would be ideal if JIRA itself could allow a single directory to search for users/groups under multiple base DNs, regardless of the AD/LDAP implementation.