By default, JIRA manages its users and groups internally. Most organizations today use an LDAP directory, such as Microsoft Active Directory (AD), for centralized user management, and you can integrate JIRA with LDAP. JIRA supports many different types of LDAP, including AD, OpenLDAP, and more.
There are two options to integrate JIRA with LDAP. In this recipe, we will explore the first option by using an LDAP Connector, and we will look at the second option in the next recipe, Integrating with LDAP for authentication only.
For this recipe, you will need to have an LDAP server up and running. You need to make sure that the JIRA server is able to reach the LDAP server; for example, that the connection is not blocked by firewalls. At a minimum, you will also need to have the following information:
Proceed with the following steps to integrate JIRA with an LDAP server:
Microsoft Active Directory or LDAP for non-AD directories.

| Server Settings | Description |
| --- | --- |
| Name | This is an identifier for the LDAP server. |
| Directory Type | This selects the type of the LDAP server, for example, Microsoft Active Directory. JIRA automatically fills in the user and group schema details based on the type selected. |
| Hostname | This is the server where LDAP is hosted. |
| Port | This is the port on which the LDAP server listens for incoming connections. |
| Use SSL | This specifies whether SSL is used for the connection to LDAP. |
| Username | This is the user account that JIRA uses to access LDAP. This should be a dedicated account for JIRA. |
| Password | This is the password for the account. |


| LDAP Schema | Description |
| --- | --- |
| Base DN | This is the root node where JIRA starts the search for users and groups. |
| Additional User DN | This is the additional DN to further restrict a user search. |
| Additional Group DN | This is the additional DN to further restrict a group search. |


| LDAP Permission | Description |
| --- | --- |
| Read Only | Select this option if you do not want JIRA to make any changes to LDAP. This is the ideal option if everything, including the user's group memberships, is managed with LDAP. |
| Read Only, with Local Groups | This option is similar to the Read Only option, but lets you manage group memberships locally within JIRA. With this option, the group membership changes you make will remain in JIRA only. This is the ideal option when you only need user information from LDAP, and want to manage JIRA-related groups locally. |
| Read/Write | Select this option if you want JIRA to be able to make direct changes to LDAP, assuming that JIRA's LDAP account has the write permission as well. |

The following screenshot shows how to test the settings:
After you have added your LDAP server as a user directory, JIRA will automatically start synchronizing its user and group data. Depending on the size of your LDAP, it may take a few minutes to complete the initial synchronization. You can click on the Back to directory list link, and see the status of the synchronization process.
Once the process is completed, you will be able to see all your LDAP users and groups, and use your LDAP credentials to access JIRA.
What we have just created in this recipe is called a connector. With a connector, JIRA first pulls user and group information from LDAP, and creates a local cache. It then periodically synchronizes any deltas.
All authentication will be delegated to LDAP; so, if a user's password is updated in LDAP, it will be immediately reflected when the user attempts to log in to JIRA. It is important to note that, with LDAP, users must still be in the necessary groups (for example, jira-users, by default) in order to access JIRA. So, you need to make sure that you either create a group called jira-users in LDAP and add everyone to it, or grant the JIRA Users global permission to other custom groups, such as all employees.
Also note that only users who have access to JIRA will count toward your license count.
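
The server, schema and permission settings described in this recipe can be reviewed before they are saved. The following is an added example, not JIRA code or part of the original recipe: the function names, dictionary keys and sample values are hypothetical and simply mirror the form fields. It assumes the Additional User DN and Additional Group DN are prepended to the Base DN to form the search base.

```python
# Added example: pre-flight review of JIRA LDAP connector settings.
# Keys mirror the form fields; names and sample values are hypothetical.

def effective_dn(additional_dn, base_dn):
    """Search base = Additional DN (if any) prepended to the Base DN."""
    parts = [p.strip() for p in (additional_dn, base_dn) if p and p.strip()]
    return ",".join(parts)

def review_settings(s):
    """Return (search_bases, findings) for a dict of connector settings."""
    findings = []
    base = s["base_dn"].strip()
    for key in ("additional_user_dn", "additional_group_dn"):
        extra = s.get(key, "").strip()
        # Pasting a full DN here duplicates the Base DN in the search base.
        if extra and extra.lower().endswith(base.lower()):
            findings.append(f"{key} must be relative to Base DN, not include it")
    if not s["use_ssl"]:
        # Authentication is delegated to LDAP, so passwords travel on this link.
        findings.append("Use SSL is off: bind and login passwords are sent in cleartext")
    elif s["port"] == 389:
        findings.append("Use SSL is on but port is 389; LDAPS normally listens on 636")
    if s["permission"] == "Read/Write":
        findings.append("Read/Write lets JIRA modify LDAP; prefer Read Only unless required")
    bases = {
        "users": effective_dn(s.get("additional_user_dn", ""), base),
        "groups": effective_dn(s.get("additional_group_dn", ""), base),
    }
    return bases, findings

SAMPLE = {  # constructed values for illustration
    "hostname": "ldap.example.com", "port": 389, "use_ssl": False,
    "username": "cn=jira-svc,ou=Service Accounts,dc=example,dc=com",
    "base_dn": "dc=example,dc=com",
    "additional_user_dn": "ou=Users,dc=example,dc=com",  # mistake: full DN
    "additional_group_dn": "ou=Groups",
    "permission": "Read/Write",
}

if __name__ == "__main__":
    bases, findings = review_settings(SAMPLE)
    print(bases)
    for f in findings:
        print("WARN:", f)
```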