This is the documentation for FishEye 3.3.

This page explains the settings for LDAP authentication and their parameters.

Note that we recommend using Atlassian JIRA, or Crowd, for user authentication. One advantage is that you can then make use of LDAP groups. Also, FishEye (or Crucible) can only connect to one external authentication directory; using Crowd allows connection to multiple directories.

Global settings

To configure LDAP authentication, log in to the FishEye admin area and click Authentication (under 'Security Settings'). Now click Set up LDAP, under 'Authentication settings'.

Global LDAP settings are:

URL

The URL of the LDAP server, e.g. ldap://localhost:389. A simple bind over plain ldap:// sends the bind password in cleartext, and that includes each user's password when FishEye authenticates them, so unless the server is reached over loopback or an otherwise trusted network path, use ldaps:// (typically port 636).

(For reference, see Performance Problem when Using LDAPS if using the ldaps protocol.)

Base DN

The base search space for users, e.g. dc=example,dc=com

User Filter

The LDAP search for locating users, e.g. uid=${USERNAME}. The ${USERNAME} variable is expanded to the username of the individual being authenticated. You can use a more complicated LDAP filter to allow only a subset of users, such as: (&(uid=${USERNAME})(memberOf=fisheye)). Note that where the directory provides a memberOf attribute (Active Directory, or OpenLDAP with the memberof overlay) its values are group DNs, so a working filter of this form compares against the group's full DN, e.g. memberOf=cn=fisheye,ou=groups,dc=example,dc=com. Keep this filter as narrow as you can: it decides which directory accounts can log in at all and, with Auto-add enabled, which of them become FishEye users.

UID attribute

The name of the username attribute in objects matching the filter.

Email attribute

Optional. The name of an attribute giving the user's email address.

Cache TTL (positive)

How long FishEye should cache permission checks. Example values are: 0 secs, 5 mins. A longer TTL reduces LDAP traffic but delays revocation: a user removed from a group in the directory keeps the cached result until the TTL expires, so keep the value short where repository access must follow directory changes promptly.

Auto-add

FishEye can automatically create a user it has not previously encountered if the user can successfully authenticate against LDAP. With this enabled, every directory account matched by the User Filter that can bind successfully becomes a FishEye user, so restrict the User Filter rather than relying on later clean-up of unwanted accounts.

Initial bind DN and password

Optional. If your LDAP server does not allow anonymous bind, then you need to specify a user FishEye can use to do its initial bind. Use a dedicated service account with read-only (search) access below the Base DN for this, not an administrative account.

Synchronise users with LDAP

Optional. Sets whether users will be loaded from an external directory.

Per-repository settings

If you use LDAP authentication you can set an LDAP filter in FishEye to further restrict access to a particular repository: the per-repository filter restricts access to a subset of already logged-in users. The LDAP filter is not applied to repositories that have anonymous access enabled (either through per-repository permissions or through the default permissions), so check those settings first if the restriction appears to have no effect.

To set the LDAP filter for a repository, log in to the FishEye admin area and click Repositories (under 'Repository Settings'). Now click the name for a repository, and then Permissions (on the left). Check Apply LDAP restriction and edit the following settings:

LDAP Restriction

An LDAP filter string used to check whether a given user can access a given repository, e.g. (&(uid=${USERNAME})(memberOf=${REP})). When a user attempts to access the repository, FishEye performs an LDAP search for all entries matching the filter, starting at the Base DN from the global settings; the Match Type below determines how the results are interpreted.

Match Type

This setting determines how the search results are interpreted:

  • user – the first search result must have exactly the Distinguished Name (DN) of the current user; only then is that user allowed to access the repository. Use this when the filter returns user entries.
  • any – if the search returns one or more results, the current user is allowed to access the repository. Use this when the filter returns other entries, such as the groups the user belongs to.

When writing your LDAP filter, the following expressions are available:

  • ${USERNAME} will be replaced by the username of the logged-in user
  • ${DN} will be replaced by the Distinguished Name of the logged-in user
  • ${REP} will be replaced by the name of the repository the logged-in user is trying to access

Examples:

  • To allow a user to access a repository only if they are a member of the group AuthorizedGroup, specify an LDAP filter such as: (&(uniqueMember=${USERNAME})(cn=AuthorizedGroup)(objectClass=groupofuniquenames)) and set the Match Type to Any.
  • To allow the members of more than one group to access a repository, specify an LDAP filter such as: (&(uniqueMember=${USERNAME})(|(cn=AuthorizedGroup1)(cn=AuthorizedGroup2))(objectClass=groupofuniquenames)) and set the Match Type to Any.

Both examples search for group entries rather than for the user's own entry, which is why they need Match Type Any. Note also that uniqueMember in a groupOfUniqueNames entry holds each member's full DN, so unless your usernames are themselves DNs, substitute ${DN} rather than ${USERNAME} in filters of this form.
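To make the template expansion and the two Match Types concrete, here is an added Python example (not FishEye's code) that models the behaviour described under User Filter above and in this section: it expands ${USERNAME}, ${DN} and ${REP} with RFC 4515 escaping, evaluates the expanded filter against a small constructed directory, and applies the "user" and "any" rules. The directory entries, the repository name payments and its group, and the in-memory matcher (a subset of RFC 4515 supporting only &, |, ! and attribute=value with * wildcards) are assumptions for illustration; whether FishEye itself escapes the substituted values is not stated on this page, so the escaping shown is what you would expect a correct implementation to do.

```python
"""Toy model of FishEye-style LDAP filter templates and Match Type rules.
Added example, not FishEye code. The matcher supports only the RFC 4515
subset used on this page (&, |, !, attr=value with * wildcards) and runs
against a constructed in-memory directory instead of a real server."""
import re

FILTER_SPECIALS = '\\*()\x00'   # characters RFC 4515 requires to be escaped


def escape_filter_value(value):
    """Escape a value before substituting it into a filter (RFC 4515)."""
    return ''.join('\\%02x' % ord(c) if c in FILTER_SPECIALS else c for c in value)


def expand(template, username='', dn='', rep=''):
    """Expand ${USERNAME}, ${DN} and ${REP}, escaping each substituted value."""
    for var, value in (('${USERNAME}', username), ('${DN}', dn), ('${REP}', rep)):
        template = template.replace(var, escape_filter_value(value))
    return template


def parse_filter(text):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, raw_value) tuples."""
    def node(i):
        if text[i] != '(':
            raise ValueError('expected "(" at offset %d' % i)
        i += 1
        if text[i] in '&|!':
            op, children, i = text[i], [], i + 1
            while text[i] == '(':
                child, i = node(i)
                children.append(child)
            if text[i] != ')':
                raise ValueError('expected ")" at offset %d' % i)
            return (op, children), i + 1
        eq = text.index('=', i)          # attribute name ends at the first '='
        close = text.index(')', eq)      # escaped values never contain a ')'
        return ('=', text[i:eq].lower(), text[eq + 1:close]), close + 1

    try:
        parsed, end = node(0)
    except IndexError:
        raise ValueError('unbalanced filter: %r' % text) from None
    if end != len(text):
        raise ValueError('trailing text in filter: %r' % text[end:])
    return parsed


def _value_regex(raw):
    """Filter value to regex: \\xx escapes are literal, a bare * is a wildcard."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == '\\':
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append('.*' if raw[i] == '*' else re.escape(raw[i]))
            i += 1
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> values)."""
    op = node[0]
    if op == '&':
        return all(matches(c, entry) for c in node[1])
    if op == '|':
        return any(matches(c, entry) for c in node[1])
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, raw = node
    rx = _value_regex(raw)
    return any(rx.match(v) for v in entry.get(attr, ()))


def search(directory, filter_text):
    """Subtree search below the Base DN; returns matching DNs in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(node, entry)]


def repository_allowed(directory, restriction, match_type, username, dn, rep):
    """Apply a per-repository LDAP Restriction under FishEye's two Match Types."""
    results = search(directory, expand(restriction, username, dn, rep))
    if match_type == 'user':   # first result must be the logged-in user's own DN
        return bool(results) and results[0].lower() == dn.lower()
    if match_type == 'any':    # one or more results is enough
        return bool(results)
    raise ValueError('unknown match type %r' % match_type)


# Constructed sample directory (assumption, not real data); keys are entry DNs.
ALICE = 'uid=alice,ou=people,dc=example,dc=com'
BOB = 'uid=bob,ou=people,dc=example,dc=com'
DIRECTORY = {
    ALICE: {'objectclass': ['inetOrgPerson'], 'uid': ['alice'],
            'memberof': ['cn=payments,ou=groups,dc=example,dc=com']},
    BOB: {'objectclass': ['inetOrgPerson'], 'uid': ['bob']},
    'cn=payments,ou=groups,dc=example,dc=com': {
        'objectclass': ['groupOfUniqueNames'], 'cn': ['payments'],
        'uniquemember': [ALICE]},
}
# The page's group example, with ${DN} because uniqueMember holds member DNs.
GROUP_RESTRICTION = '(&(uniqueMember=${DN})(cn=${REP})(objectClass=groupOfUniqueNames))'
# A restriction whose results are user entries, as Match Type "user" expects.
USER_RESTRICTION = '(&(uid=${USERNAME})(memberOf=cn=${REP},ou=groups,dc=example,dc=com))'

if __name__ == '__main__':
    print(search(DIRECTORY, expand('(uid=${USERNAME})', username='alice')))
    print(expand('(uid=${USERNAME})', username='*'))   # (uid=\2a): no wildcard
    for restriction, mt in ((GROUP_RESTRICTION, 'any'), (GROUP_RESTRICTION, 'user'),
                            (USER_RESTRICTION, 'user')):
        print(mt, repository_allowed(DIRECTORY, restriction, mt, 'alice', ALICE, 'payments'))
```

Running it shows the three points the text makes: the group-based restriction passes only under Match Type any, because the search returns the group entry rather than the user's own entry; a restriction whose results are user entries (the memberOf form) is what Match Type user expects; and a username containing * is escaped to \2a, so it matches nothing instead of every user. Substituting ${USERNAME} into uniqueMember, as the page's example does, returns no results in this model because the attribute holds full DNs.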

Testing the LDAP restriction

To test the LDAP restriction, you can use Apache Directory Studio:

  • add a connection to your LDAP server (for an Active Directory server, use the values shown under Active Directory below)
    • in the LDAP menu, click on New Connection
    • enter the same URL and port as you did for FishEye
    • click on Next and enter the same Bind DN and password as in Global settings (see Initial bind DN and password above)
    • click on Finish
  • in the LDAP menu, click on New Search
  • in the Search dialog,
    • select the connection to your LDAP server
    • enter the same Base DN you configured in Global settings next to the Search Base textbox
    • enter the LDAP filter next to the Filter textbox (if the filter contains ${USERNAME}, ${DN} or ${REP}, replace them with the username, user DN or repository name you want to test)
    • select Subtree in the Scope section
    • click on Search

The results are what FishEye will see: for Match Type user, the first entry returned must be the user's own DN; for Match Type any, one or more entries is enough. The same search can be run from the command line with the OpenLDAP ldapsearch tool, giving it the same URL, bind DN, Base DN, subtree scope and expanded filter.

Active Directory

To have FishEye connect to an Active Directory server, use settings such as the following:

URL

ldap://HOSTNAME:389 (or ldaps://HOSTNAME:636 once the domain controller has an LDAPS certificate, so that bind passwords are not sent in cleartext)

Base DN

DC=corp,DC=example,DC=com

User Filter

(sAMAccountName=${USERNAME})

UID Attribute

sAMAccountName

Email attribute

mail

Initial bind DN

Active Directory accepts the bind account in any of the following forms:

  • corp.example.com/Users/SomeUser
  • ou=user,dc=example,dc=com
  • user@domain.name
  • cn=Administrator,cn=Users,dc=example,dc=com

Whichever form you use, bind as a dedicated read-only service account rather than a domain administrator.