Documentation for JIRA 5.2. Documentation for other versions of JIRA is available too.

You can connect your JIRA application to an LDAP directory for delegated authentication. This means that JIRA will have an internal directory that uses LDAP for authentication only. There is an option to create users in the internal directory automatically when they attempt to log in, as described in the settings section.

Overview

An internal directory with LDAP authentication offers the features of an internal directory while allowing you to store and check users' passwords in LDAP only. Note that the 'internal directory with LDAP authentication' is separate from the default 'internal directory'. On LDAP, all that the application does is to check the password. The LDAP connection is read only. Every user in the internal directory with LDAP authentication must map to a user on LDAP, otherwise they cannot log in.

When to use this option: Choose this option if you want to set up a user and group configuration within your application that suits your needs, while checking your users' passwords against the corporate LDAP directory. This option also helps to avoid the performance issues that may result from downloading large numbers of groups from LDAP.

(warning) Note that the 'internal directory with LDAP authentication' is separate from the default 'internal directory'.  This results in group memberships not being recognized across different directories and will need to be re-added per directory.  Issues, filters, and dashboards are still recognized between directories.

On this page:

 

Connecting JIRA to an Internal Directory with LDAP Authentication

To connect to an internal directory but check logins via LDAP:

  1. Log in as a user with the 'JIRA Administrators' global permission.
  2. Choose Administration at the top right of your screen. Then choose Users > User Directories.
    (tick) Keyboard shortcut: 'g' + 'g' + start typing 'directories'.
  3. Add a directory and select type 'Internal with LDAP Authentication'.
  4. Enter the values for the settings, as described below.
  5. Save the directory settings.
  6. Define the directory order by clicking the blue up- and down-arrows next to each directory on the 'User Directories' screen. We recommend that the 'Internal Directory with LDAP Authentication' is at the top of the list.
    Here is a summary of how the directory order affects the processing:
    • The order of the directories is the order in which they will be searched for users and groups.
    • Changes to users and groups will be made only in the first directory where the application has permission to make changes.
    For details see Managing Multiple Directories.
  7. Add your users and groups in JIRA. See Managing Users and Managing Groups.

Server Settings

Note: The option to select a directory type is available only in JIRA 4.3.3 and later.

Setting

Description

Name

A descriptive name that will help you to identify the directory. Examples:

  • Internal directory with LDAP Authentication
  • Corporate LDAP for Authentication Only

Directory Type

Select the type of LDAP directory that you will connect to. If you are adding a new LDAP connection, the value you select here will determine the default values for some of the options on the rest of screen. Examples:

  • Microsoft Active Directory
  • OpenDS
  • And more.

Hostname

The host name of your directory server. Examples:

  • ad.example.com
  • ldap.example.com
  • opends.example.com

Port

The port on which your directory server is listening. Examples:

  • 389
  • 10389
  • 636 (for example, for SSL)

Use SSL

Tick this check box if the connection to the directory server is an SSL (Secure Sockets Layer) connection. Note that you will need to configure an SSL certificate in order to use this setting.

Username

The distinguished name of the user that the application will use when connecting to the directory server. Examples:

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com
  • cn=user,dc=domain,dc=name
  • user@domain.name

Password

The password of the user specified above.

Copying Users on First Login

Note: The option to copy users on first login is available only in JIRA 4.3.3 and later. It currently copies the data across whenever a user logs in, as per the bug  JRA-27541 - Getting issue details... STATUS .

Setting

Description

Copy User on First Login

This option affects what will happen when a user attempts to log in, if their username does not yet exist in the internal directory that is using LDAP for authentication. If this check box is ticked, the user will be created automatically in the internal directory when the user logs in. If this check box is not ticked, the user's login will fail.

If you tick this check box the following additional fields will appear on the screen, both described in more detail below:

  • Default Group Memberships
  • User Schema Settings

Default Group Memberships

This field appears if you tick the 'Copy User on First Login' check box. If you would like users to be automatically added to a group or groups, enter the group name(s) here. To specify more than one group, separate the group names with commas. Each time a user logs in, their group memberships will be checked. If the user does not belong to the specified group(s), their username will be added to the group(s). If a group does not yet exist, it will be added to the internal directory that is using LDAP for authentication.

Please note that there is no validation of the group names. If you mis-type the group name, authorisation failures will result – users will not be able to access the applications or functionality based on the intended group name.

Examples:

  • confluence-users
  • confluence-users,jira-users,jira-developers
Synchronise Group Memberships

Group memberships for users are copied from your LDAP server into JIRA when they authenticate. Groups will be created if they do not already exist in JIRA.

Note that once this option is enabled, a new menu will appear at the bottom labeled Group Schema Settings. You will need to expand this menu and fill out the appropriate fields.

Schema Settings

Setting

Description

Base DN

The root distinguished name (DN) to use when running queries against the directory server. Examples:

  • o=example,c=com
  • cn=users,dc=ad,dc=example,dc=com
  • For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local. You will need to replace the domain1 and local for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the the LDAP structure of your server.

User Name Attribute

The attribute field to use when loading the username. Examples:

  • cn
  • sAMAccountName

User Schema Settings (Used when Copying Users on First Login)

Note: The user schema settings are available only in JIRA 4.3.3 and later.

Setting

Description

User Schema Settings

This section appears if you tick the 'Copy User on First Login' check box. If the fields below this heading are hidden, click the heading to reveal the fields.

Additional User DN

This value is used in addition to the base DN when searching and loading users. If no value is supplied, the subtree search will start from the base DN. Example:

  • ou=Users

User Object Class

This is the name of the class used for the LDAP user object. Example:

  • user

User Object Filter

The filter to use when searching user objects. Example:

  • (&(objectCategory=Person)(sAMAccountName=*))

User Name RDN Attribute

The RDN (relative distinguished name) to use when loading the username. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure. Example:

  • cn

User First Name Attribute

The attribute field to use when loading the user's first name. Example:

  • givenName

User Last Name Attribute

The attribute field to use when loading the user's last name. Example:

  • sn

User Display Name Attribute

The attribute field to use when loading the user's full name. Example:

  • displayName

User Email Attribute

The attribute field to use when loading the user's email address. Example:

  • mail

Group Schema Settings (Used when enabling Synchronise Group Memberships)

Setting

Description

Group Object Class

This is the name of the class used for the LDAP group object. Examples:

  • groupOfUniqueNames
  • group

Group Object Filter

The filter to use when searching group objects. Example:

  • (objectCategory=Group)

Group Name Attribute

The attribute field to use when loading the group's name. Example:

  • cn

Group Description Attribute

The attribute field to use when loading the group's description. Example:

  • description

Diagrams of Possible Configurations

Gliffy-JIRA-LDAP-Auth-Only

Diagram above: JIRA connecting to an LDAP directory for authentication only.

Gliffy-JIRA-LDAP-Copy-On-First-Login

Diagram above: JIRA connecting to an LDAP directory for authentication only, with each user copied to the internal directory when they first log in to JIRA.

RELATED TOPICS

Configuring User Directories



See our Getting Help page for details.



Raise an issue for our developers.



See answers from the community.



Tweet, blog and update our documentation.

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.