Managing Multiple Directories

This page describes what happens when you have defined more than one user directory in JIRA. For example, you may have an internal directory and you may also connect to an LDAP directory server and/or other types of user directories. When you connect to a new directory server, you also need to define the directory order.

Avoid duplicate usernames across directories. If you are connecting to more than one user directory, we recommend that you ensure the usernames are unique to one directory. For example, we do not recommend that you have a user jsmith in both 'Directory1' and 'Directory2'. The reason is the potential for confusion, especially if you swap the order of the directories. Changing the directory order can change the user that a given username refers to.

Here is a summary of how the directory order affects the processing:

  • The order of the directories is the order in which they will be searched for users and groups.
  • Changes to users and groups will be made only in the first directory where the application has permission to make changes.

Configuring the Directory Order

You can change the order of the directories defined in JIRA. Select 'User Directories' from the JIRA administration menu and click the blue up- and down-arrows next to each directory.

Notes:

  • Please read the rest of this page to understand what effect the directory order will have on authentication (login) and permissions in JIRA, and what happens when you update users and groups in JIRA.

Effect of Directory Order

This section summarises the effect the order of the directories will have on login and permissions, and on the updating of users and groups.

Login

The directory order is significant during the authentication of the user, in cases where the same user exists in multiple directories. When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.

Permissions

The directory order is significant when granting the user permissions based on group membership. If the same username exists in more than one directory, the application will look for group membership only in the first directory where the username appears, based on the directory order.

Example:

  • You have connected two directories: the Customers directory and the Partners directory.
  • The Customers directory is first in the directory order.
  • A username jsmith exists in both the Customers directory and the Partners directory.
  • The user jsmith is a member of group G1 in the Customers directory and group G2 in the Partners directory.
  • The user jsmith will have permissions based on membership of G1 only, not G2.

Updating Users and Groups

If you update a user or group via the application's administration screens, the update will be made in the first directory where the application has write permissions.

Example 1:

  • You have connected two directories: the Customers directory and the Partners directory.
  • The application has permission to update both directories.
  • The Customers directory is first in the directory order.
  • A username jsmith exists in both the Customers directory and the Partners directory.
  • You update the email address of user jsmith via the application's administration screens.
  • The email address will be updated in the Customers directory only, not the Partners directory.

Example 2:

  • You have connected two directories: a read/write LDAP directory and the internal directory.
  • The LDAP directory is first in the directory order.
  • All new users will be added to the LDAP directory. It is not possible to add a new user to the internal directory.
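
The following added example (not JIRA code and not part of the original page) models the login, permission and update rules described above, so you can list duplicate usernames and see whose effective groups would change before you swap the directory order. The Directory class, the function names and the sample users alice and bob are assumptions made for illustration.

```python
# Model of the directory-order rules described on this page (not JIRA code).
from dataclasses import dataclass, field

@dataclass
class Directory:
    name: str
    writable: bool
    groups: dict = field(default_factory=dict)  # username -> set of group names

def effective_user(order, username):
    """Login/permissions: only the first directory holding the username counts."""
    for d in order:
        if username in d.groups:
            return d.name, set(d.groups[username])
    return None, set()

def update_target(order):
    """Updates go to the first directory the application may write to."""
    return next((d.name for d in order if d.writable), None)

def shadowed_users(order):
    """Usernames present in more than one directory, in search order."""
    seen = {}
    for d in order:
        for user in d.groups:
            seen.setdefault(user, []).append(d.name)
    return {u: names for u, names in seen.items() if len(names) > 1}

def reorder_impact(old, new):
    """Users whose resolving directory or groups differ between two orders."""
    users = {u for d in old for u in d.groups}
    return {u: (effective_user(old, u), effective_user(new, u))
            for u in users if effective_user(old, u) != effective_user(new, u)}

# Constructed sample data mirroring the Customers/Partners example above.
CUSTOMERS = Directory("Customers", True, {"jsmith": {"G1"}, "alice": {"G1"}})
PARTNERS = Directory("Partners", True, {"jsmith": {"G2"}, "bob": {"G2"}})
ORDER = [CUSTOMERS, PARTNERS]

if __name__ == "__main__":
    print("duplicates:", shadowed_users(ORDER))
    for user, (before, after) in reorder_impact(ORDER, ORDER[::-1]).items():
        print(f"{user}: {before} -> {after} if the order is swapped")
    print("updates are written to:", update_target(ORDER))
```

Any username reported by reorder_impact would silently gain or lose group-based permissions when the order changes, which is the reason the page recommends keeping usernames unique to one directory.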

RELATED TOPICS

Configuring User Directories

3 Archived comments

  1. Anonymous

    In which file does JIRA write this information? Before, JIRA wrote to osuser.xml.

    04 Aug 2011
    1. Bhushan Nagaraj

      Can we delete an existing directory and add a new configuration?

      15 May 2012
  2. Amstergroup

    I've done some tests and the statement on login is false for me.

    Even if there are 10 directories defined, if one user is "bound" to one of them during creation, the password is only checked against this directory, and the others are not even queried.

    tcpdump proves that.

    11 Dec 2013