Jira - LDAP only for SD customers

Stewart Olson October 9, 2015

I would like to set up JIRA Service Desk so that users, when they arrive on the SD portal, can use their AD credentials to log in and create service requests. Is there a way to do this without counting towards JIRA's overall license limit (for the PM part of JIRA)?

5 answers

0 votes
Steven F Behnke
Rising Star
October 9, 2015

Pertaining to your default group membership, my comment was just that it seemed a little crazy to apply Administrators to all users, it just doesn't seem like an ideal configuration off-hand. However, if you're just testing, I think you have it under control with that explanation, since it's only people with "JIRA Administrators" in your AD environment. Let's get to your issue then.

jira-users is what is licensing your users in this case (or any group you configure to have USE permissions, best to keep it simple and use a dedicated group for this). To explain this further: Any ACTIVE USERS within the group JIRA-USERS will count towards your JIRA license. Thus, we usually ensure that this group is the group that allows 'access.'

The way you have it set up, you are using Default Group Membership to license users within your application. All users within 'All Users, JIRA Administrators' are able to log into this connector. All of these users are then applied with Access/License (jira-users).

Let's clear up an assumption first. This may be important with your directory setup!!!

  1. Logging in, users will attempt each directory (in order)
  2. If they are not found in a directory, the service will attempt the next available directory
  3. If they are found in a directory, the service will attempt to authenticate them
    1. If they pass, they will log in
    2. If they fail, they will not log in (they will NOT attempt against another directory)

So, there are two workarounds to your issue –

Using a single directory connector connected to your AD environment

  • Disable default group membership in JIRA/Crowd
    • Manually manage the group jira-users
    • Manually manage the group service-desk-customers

Using two directory connectors connected to your AD environment

  • Active Directory connector, "All Users, JIRA Administrators"
    • Apply jira-users to license users and grant access
    • Apply jira-developers
    • Apply jira-administrators
  • Active Directory connector, "All Users, Employees"
    • Apply service-desk-customers

abraxaspw October 9, 2015

Thanks so much. I will create another connector to authenticate based on 'all users' OU and 'employees' security group and set default group membership to service-desk-customers. Thanks a ton!

Steven F Behnke
October 9, 2015

It is no problem at all. I think you will have no problems with this configuration assuming the users can ONLY authenticate through ONE directory connector. That is key.
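The lookup order described in the answer above, as an added example that is not part of the original thread and is not Jira's own code: a small Python model of steps 1 to 3 plus default group membership, showing which accounts end up in jira-users and so count toward the license. The `Connector` class, user names and passwords are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Connector:
    name: str
    passwords: dict        # username -> password for accounts in this connector's scope
    default_groups: tuple  # groups applied through default group membership

def login(connectors, username, password):
    """Return (connector name, groups) on success, None on failure."""
    for c in connectors:                       # step 1: directories are tried in order
        if username not in c.passwords:        # step 2: not found, try the next directory
            continue
        if c.passwords[username] != password:  # step 3.2: found but failed, no fall-through
            return None
        return c.name, set(c.default_groups)   # step 3.1: authenticated by this directory
    return None

def licensed_users(connectors, logins):
    """Users who hold jira-users after the given (username, password) logins."""
    seats = set()
    for user, pw in logins:
        result = login(connectors, user, pw)
        if result and "jira-users" in result[1]:
            seats.add(user)
    return seats

# Constructed sample data: alice is an administrator, bob and carol are employees.
EVERYONE = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}
STAFF_GROUPS = ("jira-users", "jira-developers", "jira-administrators")

# The asker's starting point: one connector that applies the staff groups to all users.
ORIGINAL = Connector("single connector", EVERYONE, STAFF_GROUPS)
# The two-connector workaround; alice falls inside both scopes (the overlap case).
ADMINS = Connector("All Users, JIRA Administrators", {"alice": "pw-a"}, STAFF_GROUPS)
EMPLOYEES = Connector("All Users, Employees", EVERYONE, ("service-desk-customers",))

LOGINS = list(EVERYONE.items())

if __name__ == "__main__":
    print("one connector:  ", sorted(licensed_users([ORIGINAL], LOGINS)))
    print("admins first:   ", sorted(licensed_users([ADMINS, EMPLOYEES], LOGINS)))
    print("employees first:", sorted(licensed_users([EMPLOYEES, ADMINS], LOGINS)))
```

In this model an account that falls inside both connector scopes is resolved by whichever directory is listed first, so the result changes with directory order; that is the overlap the reply above says to avoid.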

0 votes
abraxaspw October 9, 2015

Yeah, and it's watching the AD group called 'Users' and the security group called 'Jira Administrators'. I've got a 10 user license as we test things before expanding out to the rest of the PM team. What would be helpful is letting me know if I need to have JIRA user licenses for every person who asks a question on Service Desk?

0 votes
Steven F Behnke
October 9, 2015

... your default group membership applies the jira-users, jira-developers, jira-administrators groups huh. Wow.

0 votes
abraxaspw October 9, 2015

In user management -> user directories I have an active directory server configured and it is looking for a user and group DN to authenticate. They then get added to a default group membership: jira-administrators, jira-developers, jira-users. Is there a way to point to another AD OU and let 'all active users' have a login which lets them create an issue on the service desk? (using another account because it wouldn't let me comment =( )

0 votes
Steven F Behnke
October 9, 2015

How do you currently configure your directory?
