Delegate authentication to an LDAP directory
You can configure Bitbucket Data Center and Server to use an LDAP directory for delegated user authentication while still using Bitbucket for user and group management.
The user must exist in the LDAP directory, which is what verifies the password. Bitbucket also needs a matching account in the delegated directory: either create it manually in Bitbucket, or enable the option that creates it automatically the first time the user logs in, as described in the Copy users on login section below.
See also this information about deleting users and groups in Bitbucket.
To connect Bitbucket to an LDAP directory for delegated authentication:
- Log in to Bitbucket as a user with 'Admin' permission.
- Go to the Bitbucket administration area and click User Directories (under 'Accounts').
- Click Add Directory and select Internal with LDAP Authentication as the directory type.
- Configure the directory settings, as described in the tables below.
- Save the directory settings.
- Define the directory order by clicking the arrows for each directory on the 'User Directories' screen. The directory order has the following effects:
  - The order of the directories is the order in which they will be searched for users and groups.
  - Changes to users and groups will be made only in the first directory where the application has permission to make changes.
Connecting Atlassian Bitbucket to your external directory is not sufficient to allow your users to log in. You must explicitly grant them access to Bitbucket in the global permission screen.
We recommend that you use groups instead of individual accounts when granting permissions. However, be careful not to add more users to those groups than your Bitbucket license allows. If the license limit is exceeded, your developers will not be able to push commits to repositories, and Bitbucket will display a warning banner. See this FAQ.
Server settings
Setting | Description |
---|---|
Name | A descriptive name that will help you to identify the directory. |
Directory Type | Select the type of LDAP directory that you will connect to. If you are adding a new LDAP connection, the value you select here determines the default values for some of the options on the rest of the screen. |
Hostname | The host name of your directory server. |
Port | The port on which your directory server is listening. |
Use SSL | Check this box if the connection to the directory server is an SSL (Secure Sockets Layer) connection, that is, LDAP over TLS (LDAPS). Note that you will need to configure an SSL certificate in order to use this setting: the directory server's certificate, or the CA that issued it, must be trusted by the Java runtime Bitbucket runs on. Leave this unchecked only on a network you trust completely, because an LDAP simple bind sends the service account password and every authenticating user's password in cleartext. |
Username | The distinguished name of the user that the application will use when connecting to the directory server. Use a dedicated service account with read-only access to the user and group subtrees rather than an administrative account; with this directory type Bitbucket only searches and reads the directory, it never writes to it. |
Password | The password of the user specified above. |
Manually creating users
Move the delegated authentication directory to the top of the User Directories list and create the user manually (go to Administration > Users > Create user). Using this manual method you must currently set a temporary password when creating the user, even though the password checked at login is the one held in LDAP. There is an improvement request to address this: STASH-3424.
If you intend to move your users from the Bitbucket Server Internal Directory to Delegated LDAP Authentication, you must select the "Copy User on Login" option, because you can't create a new user with the same username as an existing user in another directory.
Copying users on login
The settings described in the table below relate to when a user attempts to authenticate with Bitbucket. This authentication attempt can occur either:
- when using the Bitbucket login screen.
- when issuing a Git clone or push command at the command line, for a repository managed by Bitbucket.
Setting | Description |
---|---|
Copy User on Login | This option affects what will happen when a user attempts to log in. If this box is checked, the user will be created automatically in the internal directory that is using LDAP for authentication when the user first logs in, and their details will be synchronized on each subsequent login. If this box is not checked, the login will fail unless the user was already created manually in the directory. |
Update User attributes on Login | Whenever your users authenticate to the application, their attributes will be automatically updated from the LDAP server into the application. After you select this option, you won't be able to modify or delete your users directly in the application. |
Default Group Memberships | This field appears if you check the Copy User on Login box. If you would like users to be automatically added to a group or groups, enter the group name(s) here. To specify more than one group, separate the group names with commas. Each time a user logs in, their group memberships will be checked. If the user does not belong to the specified group(s), they will be added to the group(s). If a group does not yet exist, it will be added to the internal directory that is using LDAP for authentication. |
Synchronize Group Memberships | This field appears if you select the Copy User on Login checkbox. If this box is checked, group memberships specified on your LDAP server will be synchronized with the internal directory each time the user logs in. |
LDAP schema
Setting | Description |
---|---|
Base DN | The root distinguished name (DN) to use when running queries against the directory server. |
User Name Attribute | The attribute field to use when loading the username. |
Advanced settings
Setting | Description |
---|---|
Enable Nested Groups | Enable or disable support for nested groups. Some directory servers allow you to define a group as a member of another group. Groups in such a structure are called nested groups. Nested groups simplify permissions by allowing sub-groups to inherit permissions from a parent group. When enabled, a user's effective Bitbucket permissions follow every level of nesting, and each level costs additional lookups at login. |
Use Paged Results | Enable or disable the use of the LDAP control extension for simple paging of search results. If paging is enabled, the search will retrieve sets of data rather than all of the search results at once. Enter the desired page size, that is, the maximum number of search results to be returned per page when paged results are enabled. The default is 1000 results. Active Directory caps a single result set at its MaxPageSize policy (1000 by default), so searches against a larger directory need paging or they come back truncated. |
Follow Referrals | Choose whether to allow the directory server to redirect requests to other servers. This option uses the node referral (JNDI lookup |
User schema settings
Note: this section is only visible when Copy User on Login is enabled.
Setting | Description |
---|---|
Additional User DN | This value is used in addition to the base DN when searching and loading users. If no value is supplied, the subtree search will start from the base DN. |
User Object Class | This is the name of the class used for the LDAP user object. |
User Object Filter | The filter to use when searching user objects. Every entry it matches under the search base becomes a candidate account, so keep the filter as narrow as the directory allows. |
User Name RDN Attribute | The RDN (relative distinguished name) to use when loading the username. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure. |
User First Name Attribute | The attribute field to use when loading the user's first name. |
User Last Name Attribute | The attribute field to use when loading the user's last name. |
User Display Name Attribute | The attribute field to use when loading the user's full name. |
User Email Attribute | The attribute field to use when loading the user's email address. |
Group schema settings
Note: this section is only visible when both Copy User on Login and Synchronize Group Memberships are enabled.
Setting | Description |
---|---|
Additional Group DN | This value is used in addition to the base DN when searching and loading groups. If no value is supplied, the subtree search will start from the base DN. |
Group Object Class | This is the name of the class used for the LDAP group object. |
Group Object Filter | The filter to use when searching group objects. |
Group Name Attribute | The attribute field to use when loading the group's name. |
Group Description Attribute | The attribute field to use when loading the group's description. |
Membership schema settings
Note: this section is only visible when both Copy User on Login and Synchronize Group Memberships are enabled.
Setting | Description |
---|---|
Group Members Attribute | The attribute field to use when loading the group's members. |
User Membership Attribute | The attribute field to use when loading the user's groups. |
Use the User Membership Attribute, when finding the user's group membership | Check this box if your directory server supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.) Reading memberOf is one lookup per login instead of a search across all groups, but on Active Directory it is a server-maintained back-link that does not list the user's primary group. |