External user directories

Administering Bitbucket Server

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

You can connect Bitbucket Server to external user directories. This allows you to use existing users and groups stored in an enterprise directory, and to manage those users and groups in one place.

User management functions include:

  • Authentication: determining which user identity is sending a request to Bitbucket Server.
  • Authorization: determining the access privileges for an authenticated user.
  • User management: maintaining profile information in user's accounts.
  • Group membership: storing and retrieving groups, and group membership.

It is important to understand that these are separate components of a user management system. You could use an external directory for any or all of the above tasks.

There are several approaches to consider when using external user directories wth Bitbucket Server, described briefly below:

  • Bitbucket Server provides a "read-only" connection to external directories for user management. This means that users and groups, fetched from any external directory, can only be modified or updated in the external directory itself, rather than in Bitbucket Server.
  • Connecting Atlassian Bitbucket Server to your external directory is not sufficient to allow your users to log in to Bitbucket Server. You must explicitly grant them access to Bitbucket Server in the global permission screen.
  • We recommend that you use groups instead of individual accounts when granting permissions. However, be careful not to add more users to those groups that your Bitbucket Server license allows. If the license limit is exceeded, your developers will not be able to push commits to repositories, and Bitbucket Server will display a warning banner. See this FAQ.
  • Bitbucket Server comes with an internal user directory, already built-in, that is enabled by default at installation. When you create the first administrator during the setup procedure, that administrator's username and other details are stored in the internal directory.
  • See also this information about deleting users and groups in Bitbucket Server.

LDAP

You should consider connecting to an LDAP directory server if your users and groups are stored in an enterprise directory.

There are two common ways of using an external LDAP directory with Bitbucket Server:

Bitbucket Server is able to connect to the following LDAP directory servers:

  • Microsoft Active Directory
  • Apache Directory Server (ApacheDS) 1.0.x and 1.5.x
  • Apple Open Directory (Read-Only)
  • Fedora Directory Server (Read-Only Posix Schema)
  • Novell eDirectory Server
  • OpenDS
  • OpenLDAP
  • OpenLDAP (Read-Only Posix Schema)
  • Generic Posix/RFC2307 Directory (Read-Only)
  • Sun Directory Server Enterprise Edition (DSEE)
  • Any generic LDAP directory server

Jira applications

You can delegate Bitbucket Server user and group management, as well as user authentication, to a Jira application. This is a good option if you already use a Jira application in your organization. Note that Bitbucket Server can only connect to a Jira application server running Jira 4.3 or later.

You should consider using Atlassian Crowd for more complex configurations with a large number of users. 

See Connecting Bitbucket Server to Jira for user management for configuration instructions.

Crowd

You can connect Bitbucket Server to Atlassian Crowd for user and group management, as well as for user authentication.

Crowd is an application security framework that handles authentication and authorization for your web-based applications. With Crowd you can integrate multiple web applications with multiple user directories, with support for single sign-on (SSO) and centralized identity management. See the Crowd Administration Guide.

You should consider connecting to Crowd if you want to use Crowd to manage existing users and groups in multiple directory types, or if you have users of other web-based applications.

See Connecting Bitbucket Server to Crowd for configuration instructions.

Multiple directories

When Bitbucket Server is connected directly to multiple user directories, where duplicate user names and group names are used across those directories, the effective group memberships that Bitbucket Server uses for authorization can be determined using either of these two schemes: 

  • 'aggregating membership'
  • 'non-aggregating membership'. 

See Effective memberships with multiple directories for more information about these two schemes.

Note that:

  • Aggregating membership is used by default for new installations of Bitbucket Server.
  • Authentication, for when Bitbucket Server is connected to multiple directories, only depends on the mapped groups in those directories – the aggregation scheme is not involved at all.
  • For inactive users, Bitbucket Server only checks if the user is active in the first (highest priority) directory in which they are found for the purpose of determining authentication. Whether a user is active or inactive does not affect how their memberships are determined.
  • When a user is added to a group, they are only added to the first writeable directory available, in priority order.
  • When a user is removed from a group, they are only removed from the group in the first directory the user appears in, when non-aggregating membership is used. With aggregating membership, they are removed from the group in all directories the user exists in.

A Bitbucket Server admin can change the membership scheme used by Bitbucket Server using the following commands:

  • To change to aggregating membership, substitute your own values for <username><password> and <base-url> in this command:

    curl -H 'Content-type: application/json' -X PUT -d '{"membershipAggregationEnabled":true}' -u <username>:<password> <base-url>/rest/crowd/latest/application 
  • To change to non-aggregating membership, substitute your own values for <username><password> and <base-url> in this command:

    curl -H 'Content-type: application/json' -X PUT -d '{"membershipAggregationEnabled":false}' -u <username>:<password> <base-url>/rest/crowd/latest/application 

Note that these operations are different from how you make these changes in Crowd. Note also that changing the aggregation scheme can affect the authorization permissions for your Bitbucket Server users, and how directory update operations are performed. 

Last modified on Oct 13, 2020

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.