Differences between Connector and Delegated LDAP directories in Jira server
In summary:
- A Delegated User Directory is read-only toward LDAP: unlike a Connector, it has no option to make a read/write connection to LDAP.
- A Delegated User Directory retrieves user information only during the authentication process (at which point that single user's information is updated), whereas a Connector retrieves user information during a proactive synchronization process that reaches out to the external user repository at a regular interval.
- A Delegated User Directory retrieves groups and group memberships during the authentication process, whereas a Connector synchronizes groups and group memberships during the automatic synchronization process.
Side-by-Side comparison:
| | DELEGATED | CONNECTOR |
---|---|---|
Overview | Also known as "Internal Directory with LDAP Authentication". As the name implies, you can think of this type of directory as an Internal Directory, but when it comes to authenticating users, Jira will reach out to LDAP to verify the credentials the user entered. Like an Internal Directory, an administrator can add/remove/update users locally via the Jira UI. The directory type also offers some options to assist the admin: The important thing to note is that all of these options are based on user authentication and apply on a per-user basis only. This means that users will not exist in Jira until an admin manually creates them, or until they are auto-created upon successful authentication (with the option to do so configured). It also means that any users that are removed/disabled on the LDAP side will never be automatically removed/disabled in Jira, since the user cannot log in at that point to trigger changes to that account. | The main advantage of a Connector is that it proactively reaches out to LDAP to update user/group/membership information on a configurable time interval. This means that changes on the LDAP side, including adding/removing users, changing user details, and changing group memberships, will be regularly updated in the Jira database without requiring users to log in or an admin to manually update users. In addition to the interval-based syncs, the directory will also update a user's details and groups on a per-user basis when that user logs in. |
Read/Write options to LDAP | Only has Read permission to LDAP. Has neither the option nor the ability to Write (i.e. make changes) back up to LDAP. | In addition to Read-Only options, this directory type has the option to use "Read/Write", which allows it to push user changes made in Jira back upstream to LDAP (assuming the bind user is permitted to make such changes in the LDAP server in the first place). |
Updating user management data | Does not proactively reach out to synchronize LDAP users, groups, or group memberships. LDAP information is pulled in upon authentication of a given user, on a per-user basis (and if the options to do so have been selected). | Proactively synchronizes LDAP users, groups, and group memberships from the LDAP server down into the Jira database, on a configurable time interval (default: 1 hour). This means that changes on the LDAP side, including adding/removing users, changing user details, changing group memberships, will be regularly updated in the Jira database without requiring users to log in or perform any actions. |
Placing users in local groups | Both directory types have the option to place an LDAP user into a local Jira group after the user logs in for the very first time. | Both directory types have the option to place an LDAP user into a local Jira group after the user logs in for the very first time. |
Use this directory type if... | | |
Don't use this directory type if... | | |
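
The deprovisioning gap noted in the Delegated column (accounts removed or disabled in LDAP stay untouched in Jira) can be covered by a periodic reconciliation. The following is an added example, not Atlassian's code: it compares a constructed Jira user list against a constructed LDAP export. The record layout, the function names, case-insensitive username matching, and the use of Active Directory's `userAccountControl` disable bit are assumptions.

```python
"""Added example: list active Jira accounts that LDAP no longer backs."""

AD_ACCOUNTDISABLE = 0x0002  # userAccountControl flag; assumes Active Directory


def ldap_status(entries, login_attr="sAMAccountName"):
    """Map lower-cased login name -> True if the LDAP account is enabled."""
    status = {}
    for entry in entries:
        name = entry.get(login_attr)
        if not name:
            continue  # skip entries without a login attribute
        uac = int(entry.get("userAccountControl", 0))
        status[name.lower()] = not (uac & AD_ACCOUNTDISABLE)
    return status


def stale_jira_accounts(jira_users, ldap_entries):
    """Return sorted (username, reason) pairs for active Jira users that
    are missing or disabled on the LDAP side."""
    status = ldap_status(ldap_entries)
    findings = []
    for user in jira_users:
        if not user["active"]:
            continue  # already deactivated in Jira, nothing to do
        key = user["name"].lower()  # assumption: names match case-insensitively
        if key not in status:
            findings.append((user["name"], "missing in LDAP"))
        elif not status[key]:
            findings.append((user["name"], "disabled in LDAP"))
    return sorted(findings)


# Constructed sample data (hypothetical export formats, not real accounts)
LDAP_EXPORT = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "Bob", "userAccountControl": "514"},    # 512 | 2: disabled
    {"sAMAccountName": "dave", "userAccountControl": "66048"},  # enabled
]
JIRA_USERS = [
    {"name": "alice", "active": True},
    {"name": "bob", "active": True},    # disabled in LDAP, still active in Jira
    {"name": "carol", "active": True},  # deleted from LDAP, still active in Jira
    {"name": "erin", "active": False},
]

if __name__ == "__main__":
    for name, reason in stale_jira_accounts(JIRA_USERS, LDAP_EXPORT):
        print(f"{name}: {reason}")
```

Accounts the check reports are candidates for manual deactivation in Jira, since a Delegated directory will not do it on its own.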
For reference:
Delegated: Connecting to an Internal Directory with LDAP Authentication
Connector: Connecting to an LDAP Directory