[Other doc versions]
[Doc downloads (PDF, HTML, XML)]
You can configure Stash to use an LDAP directory for delegated user authentication while still using Stash for user and group management.
You can either create new user accounts manually in the LDAP directory, or use the option to automatically create a user account when the user attempts to log in, as described in the Copy users on login section below.
See also this information about deleting users and groups in Stash.
To connect Stash to an LDAP directory for delegated authentication:
Connecting Atlassian Stash to your external directory is not sufficient to allow your users to log in to Stash. You must explicitly grant them access to Stash in the global permission screen.
We recommend that you use groups instead of individual accounts when granting permissions. However, be careful not to add more users to those groups that your Stash license allows. If the license limit is exceeded, your developers will not be able to push commits to repositories, and Stash will display a warning banner. See this FAQ.
On this page:
Setting | Description |
---|---|
Name | A descriptive name that will help you to identify the directory. Examples:
|
Directory Type | Select the type of LDAP directory that you will connect to. If you are adding a new LDAP connection, the value you select here will determine the default values for some of the options on the rest of screen. Examples:
|
Hostname | The host name of your directory server. Examples:
|
Port | The port on which your directory server is listening. Examples:
|
Use SSL | Check this box if the connection to the directory server is an SSL (Secure Sockets Layer) connection. Note that you will need to configure an SSL certificate in order to use this setting. |
Username | The distinguished name of the user that the application will use when connecting to the directory server. Examples:
|
Password | The password of the user specified above. |
Move the delegated authentication directory to the top of the User Directories list and create the user manually (go to Administration > Users > Create user). Using this manual method you must currently create a temporary password when creating users. There is an improvement request to address this: STASH-3424 - Getting issue details... STATUS
If you intend to change the authentication directory of your users from Stash Internal Directory
to Delegated LDAP Authentication
you must select the option to "Copy User on Login" since you can't create a new user that has the same username as another user in another directory.
The settings described in the table below relate to when a user attempts to authenticate with Stash. This authentication attempt can occur either:
Setting | Description |
---|---|
Copy User on Login | This option affects what will happen when a user attempts to log in. If this box is checked, the user will be created automatically in the internal directory that is using LDAP for authentication when the user first logs in and their details will be synchronized on each subsequent log in. If this box is not checked, the user's login will fail if the user wasn't already manually created in the directory.
|
Update User attributes on Login | Whenever your users authenticate to the application, their attributes will be automatically updated from the LDAP server into the application. After you select this option, you won't be able to modify or delete your users directly in the application.
|
Default Group Memberships | This field appears if you check the Copy User on Login box. If you would like users to be automatically added to a group or groups, enter the group name(s) here. To specify more than one group, separate the group names with commas. Each time a user logs in, their group memberships will be checked. If the user does not belong to the specified group(s), their username will be added to the group(s). If a group does not yet exist, it will be added to the internal directory that is using LDAP for authentication.
|
Synchronize Group Memberships | This field appears if you select the Copy User on Login checkbox. If this box is checked, group memberships specified on your LDAP server will be synchronized with the internal directory each time the user logs in.
|
Setting |
Description |
---|---|
Base DN |
The root distinguished name (DN) to use when running queries against the directory server. Examples:
|
User Name Attribute |
The attribute field to use when loading the username. Examples:
|
Setting | Description |
---|---|
Enable Nested Groups | Enable or disable support for nested groups. Some directory servers allow you to define a group as a member of another group. Groups in such a structure are called nested groups. Nested groups simplify permissions by allowing sub-groups to inherit permissions from a parent group. |
Use Paged Results | Enable or disable the use of the LDAP control extension for simple paging of search results. If paging is enabled, the search will retrieve sets of data rather than all of the search results at once. Enter the desired page size – that is, the maximum number of search results to be returned per page when paged results are enabled. The default is 1000 results. |
Follow Referrals | Choose whether to allow the directory server to redirect requests to other servers. This option uses the node referral (JNDI lookup |
Note: this section is only visible when Copy User on Login is enabled.
Setting |
Description |
---|---|
Additional User DN |
This value is used in addition to the base DN when searching and loading users. If no value is supplied, the subtree search will start from the base DN. Example:
|
User Object Class |
This is the name of the class used for the LDAP user object. Example:
|
User Object Filter |
The filter to use when searching user objects. Example:
|
User Name RDN Attribute |
The RDN (relative distinguished name) to use when loading the username. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure. Example:
|
User First Name Attribute |
The attribute field to use when loading the user's first name. Example:
|
User Last Name Attribute |
The attribute field to use when loading the user's last name. Example:
|
User Display Name Attribute |
The attribute field to use when loading the user's full name. Example:
|
User Email Attribute |
The attribute field to use when loading the user's email address. Example:
|
Note: this section is only visible when both Copy User on Login and Synchronise Group Memberships are enabled.
Setting |
Description |
---|---|
Additional Group DN |
This value is used in addition to the base DN when searching and loading groups. If no value is supplied, the subtree search will start from the base DN. Example:
|
Group Object Class |
This is the name of the class used for the LDAP group object. Examples:
|
Group Object Filter |
The filter to use when searching group objects. Example:
|
Group Name Attribute |
The attribute field to use when loading the group's name. Example:
|
Group Description Attribute |
The attribute field to use when loading the group's description. Example:
|
Note: this section is only visible when both Copy User on Login and Synchronise Group Memberships are enabled.
Setting | Description |
---|---|
Group Members Attribute | The attribute field to use when loading the group's members. Example:
|
User Membership Attribute | The attribute field to use when loading the user's groups. Example:
|
Use the User Membership Attribute, when finding the user's group membership | Check this box if your directory server supports the group membership attribute on the user. (By default, this is the 'memberOf' attribute.)
|