Monday, March 21, 2011

Atlassian JIRA: Full LDAP Integration

Atlassian introduced many new features in JIRA v. 4.3, and one of them is something users have long been waiting for: full LDAP integration.

Up to now, administrators basically had two options to manage JIRA users:
  • Using JIRA internal user registry.
  • Using an external LDAP directory for authentication only.
  • Using Atlassian Crowd.
Please note that Atlassian Crowd provides a broader identity management and Single Sign-On solution and is out of scope for this blog post.

    The Problem

    User management can be an issue and a burden for the administrator of even a small-sized business: without a "user registry", the complexity of keeping user accounts in sync throughout the organization grows both with the number of accounts and with the number of environments to be kept in sync (such as workstations, servers, applications, etc.).

    To solve this problem, organizations often centralize the administration of user accounts in some sort of "user registry" integrated with all of their environments, from operating systems to applications. Nowadays, LDAP is one of the most commonly used protocols to integrate such registries, and it is supported by almost every enterprise-level operating system and many enterprise applications.

    Up to version 4.2, Atlassian JIRA could integrate with an LDAP directory just for authentication: this factored out only part of the user management complexity (basically, the management of a user's credentials), but administrators still had to provision JIRA with user accounts (and all of their attributes).

    The Solution: Full LDAP Integration

    Atlassian JIRA v. 4.3 comes with full LDAP integration. Administrators can now:
    • Integrate JIRA with one of the supported LDAP directories.
    • Use JIRA two-way synchronization.
    • Integrate JIRA with more than one directory at a time.
    • Administer user directories with a revamped, easy-to-use GUI.
    • Use JIRA as a user directory for Atlassian Confluence.

    Supported Directories

    Atlassian JIRA now integrates with many of the most commonly used directory servers out there:
    • Apache User Directory (v. 1.0.x and 1.5.x).
    • Apple Open Directory (read-only).
    • FedoraDS (read-only POSIX schema).
    • Novell eDirectory Server.
    • OpenDS.
    • OpenLDAP.
    • OpenLDAP (read-only POSIX schema).
    • Oracle Directory Server Enterprise Edition (formerly Sun Directory Server Enterprise Edition).
    • Microsoft Active Directory.
    • Generic LDAP directory servers.
    • Generic POSIX/RFC2307 directory servers (read-only).
    Although disabled by default, it's worth noting that JIRA also supports nested groups: the ability to recursively scan group memberships when a group is a member of another group.
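
To see what enabling nested groups changes, the following added example (not part of the original post and not JIRA code) computes a group's users with and without recursive expansion over a constructed directory. All DNs, group names and function names are assumptions made for illustration.

```python
# Constructed sample directory: group DN -> direct member DNs (all values made up).
SAMPLE_GROUPS = {
    "cn=jira-administrators,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "CN=Contractors,OU=Groups,DC=example,DC=com",  # same group, different case
    ],
    "cn=contractors,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
        "cn=ops,ou=groups,dc=example,dc=com",  # cycle: contractors <-> ops
    ],
}
ADMINS = "cn=jira-administrators,ou=groups,dc=example,dc=com"


def norm(dn):
    """Loose DN normalization for comparison (no escaped-comma handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def effective_users(group_dn, groups, nested):
    """Return the user DNs in group_dn; with nested=True, expand member groups."""
    index = {norm(g): [norm(m) for m in members] for g, members in groups.items()}
    users, seen, stack = set(), set(), [norm(group_dn)]
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # already expanded: this is what terminates membership cycles
        seen.add(current)
        for member in index.get(current, []):
            if member not in index:
                users.add(member)      # not a known group, so treat as a user entry
            elif nested:
                stack.append(member)   # member is a group: expand it as well
    return users


def nested_only(group_dn, groups):
    """Users who are members only because nested groups are enabled."""
    return effective_users(group_dn, groups, True) - effective_users(group_dn, groups, False)


if __name__ == "__main__":
    for dn in sorted(nested_only(ADMINS, SAMPLE_GROUPS)):
        print("member via nesting only:", dn)
```

Running the same comparison against an export of the real directory before enabling the option shows which accounts would pick up membership of a privileged group.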

    User Directories Management Made Easy

    The setup and configuration of user directories can be easily performed using the JIRA Administration Console, whose new User Directories window has been redesigned from scratch:


    Using the GUI, the administrator will be able to configure most of the parameters to customize and fine-tune the integration of JIRA with the directory servers. Some of the tunable parameters are:
    • Directory Server settings.
    • LDAP Schema: to configure the Base DN and, optionally, the User DN and the Group DN to limit the search scope to a sub-tree of the whole directory.
    • LDAP Permission: to decide whether the directory will be accessed in read-only mode or in write-mode, in which case modifications to users, groups and memberships made in JIRA will be synced back to the LDAP directory.
    • User and Group Schema settings: to establish object classes, filters and attribute names.
    • LDAP cache and connection pool settings.



      Conclusions.

      Atlassian JIRA v. 4.3 can now be easily integrated with your organization's directory server of choice. Even inexperienced administrators will be able to quickly set up and configure a user directory for JIRA in a matter of a few minutes, using the new User Directories window of the JIRA Administration Console.

      No doubt, JIRA has never been so close to its users.
