Atlassian's Crowd identity management system can be integrated with Bamboo. This allows you to use Crowd as a user directory manager for Bamboo.

The integration process requires you to configure Crowd to talk to Bamboo, then configure Bamboo to talk to Crowd. Hence, the instructions below reference the Crowd documentation. Ensure that you are referring to the correct version of the Crowd documentation.

If you have JIRA 4.3 or later, you can also manage your users via JIRA. The process for connecting Bamboo to JIRA for user management is the same as the process for connecting Bamboo to Crowd for user management (described below).

Bamboo 3.2 should work with versions of Crowd from 2.1 onwards. We recommend Crowd 2.3 or later for performance reasons. Versions earlier than 2.1 are not supported.

On this page:

Related pages:

Step 1. Configuring Crowd to Talk to Bamboo

For instructions on how to configure Crowd to talk to Bamboo, please refer to the Integrating Crowd with Atlassian Bamboo for the latest version of Crowd, which can be found in the Crowd Administrator's Guide. If you are using an older version of Crowd, find the documentation from the Crowd documentation homepage.

Step 2. Configuring Bamboo to Talk to Crowd

  1. Click the  icon and select Bamboo admin.
  2. Select User Repositories (under 'Security').

  3. Choose Users and groups from JIRA or Crowd and configure the connection settings, as follows:

    Server URL

    Enter the URL of your Crowd server:

    If using Crowd 2.1 or older versions: http://localhost:8095/crowd/services/

    If using Crowd 2.2 or newer versions: http://localhost:8095/crowd/

    If your Crowd server's port is configured differently from the default (8095), set it accordingly.

    Application Name

    Enter the application name that you specified when configuring Crowd in Step 1 above.

    Application Password

    Select Change password and set the password that you specified when configuring Crowd in Step 1 above.

    Cache Refresh Interval

    Set to the number of minutes between requests to validate if the user is logged in or out of the Crowd SSO server. Setting this value to 1 or higher will increase the performance of Crowd's integration.

    While valid, setting this value to 0 will cause performance issues on large installations -  authentication checks will occur on each request. You can only set it to 0 directly in the xml configuration file.

    Synchronise now

    Click this link to synchronise users and groups from Crowd to Bamboo. Note, this operation may take a long time depending on the number of users that need to be synchronised.

  4. Click Save

2.1 Configure External User Management in Bamboo

If you are connecting Bamboo to an external user management system and do not have rights to update user attributes there, you will need to prevent users from being updated in Bamboo. In this case, you should ensure that the Read-only External User Management? check-box is checked. For example, if Crowd directory permissions don't allow any remote changes, then Bamboo will give an error message if an attempt is made to change user account settings. We are tracking this bug: BAM-12002 - Getting issue details... STATUS .

To configure the external user management option in Bamboo:

  1. Navigate to Administration > Security Settings.
  2. Click Edit.

  3. Select the Read-only External User Management? checkbox. The table below outlines the correct configuration for Bamboo, depending on your external user management setup:

    External User Management Setup

    Read-only External User Management? check-box

    Bamboo integrated with — Crowd using the Crowd database (i.e. Internal Directories)

    Unchecked

    Bamboo integrated with — Crowd connected to a read-only LDAP

    Checked

    Bamboo integrated with — Crowd connected to a read-write LDAP

    Unchecked

    Bamboo integrated with — Crowd with authentication-only delegated to LDAP.

    Unchecked

  4. Click Save.

2.2 (Optional) Enable Single Sign-On

Single sign-on (SSO) is optional when integrating Bamboo and other Atlassian products with Crowd. To use centralised authentication without SSO, skip the steps below.

To enable single sign-on (SSO), you will configure Bamboo's authentication and access request calls to use Seraph. To configure Seraph-based authentication:

  1. Shut down Bamboo.
  2. Edit the \BAMBOO\atlassian-bamboo\WEB-INF\classes\seraph-config.xml

  3. Comment out the authenticatornode:

    <!--<authenticator class="com.atlassian.bamboo.user.authentication.BambooAuthenticator"/>-->

  4. Add a new authenticator, by adding the following tag:

    <authenticator class="com.atlassian.crowd.integration.seraph.v25.BambooAuthenticator"/>
  5. Start Bamboo. Bamboo's authentication and access request calls will now be performed using Seraph.

Notes

  • Test times for synchronising Bamboo-Crowd — As a guideline, we were able to synchronise 5000 users in six seconds in our internal tests using Crowd 2.3.1. Older versions of Crowd took three minutes to complete the same task.
  • If you want to configure the Bamboo-Crowd connection settings manually (e.g. to change the proxy settings), you can find the crowd.properties and atlassian-user.xml files in the $BAMBOO_HOME/xml-data/configuration/ directory.

8 Comments

  1. Stefan Reuter

    It seems the authenticator class "com.atlassian.crowd.integration.seraph.v22.BambooAuthenticator" referenced in step 2.2 is no longer part of Bamboo 3.2.

  2. Anonymous

    Couldn't get all this to work when integrating with Jira, but found this useful: Connecting to Crowd or Jira for User Management (especially the section entitled "Connecting Confluence to JIRA for User Management")

    1. Anonymous

      +1.  Those instructions worked perfectly for using JIRA as the central user repo.  Thanks.

      Please fix these docs.

  3. Óskar Friðrik

    It looks like that Bamboo has only one user repository, either local or remote. What happens if you have configured a remote user repository, say JIRA, and it fails. Is there no way to log in again unless JIRA is fixed? Or can you still use local users after you configure the remote repository? Haven't found anything about this.

    The reason I ask is that you are required to have the bamboo-admin group with a user, in the remote repository to be able to change to remote. 

    1. ArmenA

      Oskar,

      Yes, you can switch back to local users by reverting the atlassian-user.xml back to its original content:

      <atlassian-user>
    <repositories>
        <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
    </repositories>
</atlassian-user>

      This will allow the local users to log in. In case you don't remember the local admin credentials, refer to this page for resetting the admin password.

      By the way, you can use either local or remote user repositories (whichever is configured in the atlassian-user.xml), but not both at the same time. For more information about Crowd side configurations, please refer to this page: Integrating Crowd with Atlassian Bamboo.

      Cheers,

      Armen

      1. Óskar Friðrik

        Thanks for the quick and detailed answer.

         

        Cheers,
        Óskar Friðrik

  4. Chris

    Just wanting to clarify something.  We have Bamboo linked to JIRA for authorization and JIRA is setup to to use our corporate LDAP directory servers.  When we edit a user in Bamboo Administration and do a change password it results in a stack trace (only put a couple parts of it below) because bamboo/JIRA do not have authority to update LDAP.  Am I correctly understanding that if we want to update the local users in any way we need to disable (or break) the connection to JIRA to force the use of the local authentication?

     

    Version: 4.4.4  Build: 3506  Build Date: 28 Feb 2013

    URI: /admin/user/updateUser.action

    Stack Trace:

    java.lang.IllegalArgumentException: Could not alter password for user xxxxxx
	at com.atlassian.bamboo.user.BambooUserManagerImpl.cannotAlterPassword(BambooUserManagerImpl.java:285)
	at com.atlassian.bamboo.user.BambooUserManagerImpl.saveUser(BambooUserManagerImpl.java:249)

    .......

    Caused by: com.atlassian.crowd.exception.OperationFailedException: Passwords are stored in LDAP and are read-only for delegated authentication directory

    1. ArmenA

      Hi Chris,

      Am I correctly understanding that if we want to update the local users in any way we need to disable (or break) the connection to JIRA to force the use of the local authentication?

      Currently you have Bamboo connecting to JIRA for user authentication, and you cannot use any of your local user accounts. If you connected Bamboo to LDAP directly, you would  be able to use your local Bamboo accounts at the same time with LDAP accounts (you have to make sure that there are no duplicates). This would also allow you to edit local user accounts (you still wouldn't be able to edit LDAP accounts from Bamboo).

      Armen