[Freeipa-users] LDAP authentication for JIRA using FreeIPA

Christopher Lamb christopher.lamb at ch.ibm.com
Wed Jun 10 11:55:15 UTC 2015


Hi All

Thanks to Brian and Sandor for their input so far - this gives me another
approach to try.

From my side this is a work-in-progress report: we have got something
working, but are not quite happy with it.

Stepping back a bit: I suspect there are a number of integration approaches
that may (or may not) work. Atlassian offer several default ldap
configurations inc. the FedoraDS mentioned by Sandor. Probably several of
these can be massaged / bullied to work with FreeIPA with varying degrees
of effort / pain.

There seem also to be several possible integration use-cases, ranging from
full bidirectional replication of ldap users and groups down to simple
"read-only" authentication only.

In our case we want to take a simple approach: in fact we have tried 2
methods so far.

1) We first tried a one-way replication of FreeIPA users and groups to
JIRA, as described here:

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory

We used the "A generic LDAP directory server" standard config with some
values changed for the FreeIPA equivalents.

While we were successfully able to connect from JIRA to FreeIPA, and users
replicated across, groups did not - it failed at the point of group
membership. Also the users could not log in (but that is maybe because -
from a JIRA point of view - the users had no groups).

We did not spend long on this approach, so it is possible that with a
little more tweaking we could get it to work.


2) We next tried an even simpler approach - using LDAP only for
authentication.

https://confluence.atlassian.com/display/JIRA/Connecting+to+an+Internal+Directory+with+LDAP+Authentication

Under this approach, when a user first tries to log on to JIRA the user is
authenticated and replicated to JIRA. Groups remain local to the JIRA
directory (although a default group e.g. jira-users can be set up).

This approach is suitable when only a subset of LDAP users need JIRA
access. Being one-way there should be no danger of JIRA screwing the LDAP.

While we can successfully authenticate FreeIPA users (and thus log in and
work in JIRA) with this approach, so far we have not been able to get the
email address to replicate from FreeIPA to JIRA (and without working email
notifications JIRA is rendered as useful as a chocolate teapot).

We will continue experimenting (we now have a suggested config from Sandor
below as a further variant).

Once we get something satisfactory working I would be pleased to contribute
to a wiki-page on the topic.

Cheers

Chris




From:	Martin Kosek <mkosek at redhat.com>
To:	Brian Topping <brian.topping at gmail.com>, Sandor Juhasz
            <sjuhasz at chemaxon.com>
Cc:	freeipa-users at redhat.com
Date:	10.06.2015 12:13
Subject:	Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
Sent by:	freeipa-users-bounces at redhat.com



Cool, I am glad you made this working. BTW, would any of you mind
volunteering and helping the FreeIPA community with contributing a HOWTO
article on "how to configure FreeIPA and Jira"? It is still missing in
FreeIPA.org wiki.

All we have right now is the link to this discussion, that Petr Spacek
added to http://www.freeipa.org/page/HowTos#Web_Services

It would be really nice to also have a real page that others can follow
and use.

Thank you!
Martin

On 06/10/2015 11:29 AM, Brian Topping wrote:
> FYI, that mirrors my configuration. Not sure if this was covered
> previously, but for my setup, only JIRA connects to IPA. All the other
> Atlassian products contact JIRA for their information.
>
> Cheers, Brian
>
>> On Jun 10, 2015, at 12:47 AM, Sandor Juhasz <sjuhasz at chemaxon.com> wrote:
>>
>> Hi,
>>
>> here are our working configurations. Might be useful.
>> We use compat tree for auth.
>> We use user in group matching.
>> We use group filter for login authorization.
>> We use FedoraDS as ldap connector on JIRA's side.
>> We don't use pw change or user create in IPA from JIRA side.
>> Watch out not to have matching local users/groups or you will suffer
>> big time.
>> Initially it was setup not to use ldap groups, but was changed
>> afterwards by creating all new groups in ldap for this purpose and
>> re-adding the users.
>> We use ldap service user for binding -
>> https://www.freeipa.org/page/Zimbra_Collaboration_Server_7.2_Authentication_and_GAL_lookups_against_FreeIPA
>>
>> Attributes:
>> "autoAddGroups": ""
>> "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
>> "com.atlassian.crowd.directory.sync.issynchronising": "false"
>> "com.atlassian.crowd.directory.sync.lastdurationms": "373"
>> "com.atlassian.crowd.directory.sync.laststartsynctime": "1433920165776"
>> "crowd.sync.incremental.enabled": "false"
>> "directory.cache.synchronise.interval": "3600"
>> "ldap.basedn": "dc=<OURDOMAIN>"
>> "ldap.connection.timeout": "0"
>> "ldap.external.id": ""
>> "ldap.group.description": "description"
>> "ldap.group.dn": "cn=groups,cn=compat"
>> "ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=<COMPANYGROUP>)(cn=<TEAMGROUPS>)(cn=<JIRAGROUP>)))"
>> "ldap.group.name": "cn"
>> "ldap.group.objectclass": "groupOfUniqueNames"
>> "ldap.group.usernames": "memberUid"
>> "ldap.local.groups": "false"
>> "ldap.nestedgroups.disabled": "true"
>> "ldap.pagedresults": "false"
>> "ldap.pagedresults.size": "1000"
>> "ldap.password": ********
>> "ldap.pool.initsize": "null"
>> "ldap.pool.maxsize": "null"
>> "ldap.pool.prefsize": "null"
>> "ldap.pool.timeout": "0"
>> "ldap.propogate.changes": "false"
>> "ldap.read.timeout": "120000"
>> "ldap.referral": "false"
>> "ldap.relaxed.dn.standardisation": "true"
>> "ldap.roles.disabled": "true"
>> "ldap.search.timelimit": "60000"
>> "ldap.secure": "false"
>> "ldap.url": "ldap://<IPAURL>"
>> "ldap.user.displayname": "cn"
>> "ldap.user.dn": "cn=users,cn=accounts"
>> "ldap.user.email": "mail"
>> "ldap.user.encryption": "sha"
>> "ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=<JIRAGROUP>,cn=groups,cn=accounts,dc=<OURDOMAIN>))"
>> "ldap.user.firstname": "givenName"
>> "ldap.user.group": "memberOf"
>> "ldap.user.lastname": "sn"
>> "ldap.user.objectclass": "person"
>> "ldap.user.password": "userPassword"
>> "ldap.user.username": "uid"
>> "ldap.user.username.rdn": ""
>> "ldap.userdn": "uid=<OURSERVICEUSER>,cn=sysaccounts,cn=etc,dc=<OURDOMAIN>"
>> "ldap.usermembership.use": "false"
>> "ldap.usermembership.use.for.groups": "false"
>> "localUserStatusEnabled": "false"
>>
>> Sándor Juhász
>> System Administrator
>> ChemAxon Ltd.
>> Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
>> Cell: +36704258964
>>
>> From: "Martin Kosek" <mkosek at redhat.com>
>> To: "Christopher Lamb" <christopher.lamb at ch.ibm.com>, freeipa-users at redhat.com
>> Sent: Wednesday, June 10, 2015 9:22:03 AM
>> Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA
>>
>> On 06/08/2015 06:44 PM, Christopher Lamb wrote:
>>>
>>> Hi All
>>>
>>> we are interested to know if anybody has succeeded (or for that matter
>>> failed) in using FreeIPA to provide user authentication for Atlassian
>>> products such as JIRA or Confluence?
>>>
>>> Somewhere in an Atlassian ticket I saw that FreeIPA is not officially
>>> supported, so I guess that should set our expectations .....
>>>
>>> If anyone has succeeded, then of course any tips on how best to do so
>>> would be fantastic!
>>
>> I saw a reply in the threads, so it should be covered.
>>
>> BTW, please add +1s to respective Jira tickets to add proper FreeIPA
>> support. It would be really cool if Jira would know FreeIPA out of the
>> box and could connect to it natively!
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
>

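As an added check, not part of the thread or of any Atlassian or FreeIPA tooling, here is a small Python audit of the Crowd-style attribute dump Sandor posted above: it parses the `"key": "value"` lines and flags a cleartext bind (`ldap.secure`/`ldap://`), a group objectClass that the group filter never mentions, a `memberOf` DN outside `ldap.basedn`, and an empty `ldap.user.email` (Chris's missing-address symptom). The sample below is a constructed excerpt of that dump with its placeholders kept; the check names and severities are my own.

```python
import re

# Constructed excerpt of the directory attribute dump quoted in the thread
# (placeholders kept as posted); not a live configuration.
SAMPLE = r'''
"ldap.basedn": "dc=<OURDOMAIN>"
"ldap.group.dn": "cn=groups,cn=compat"
"ldap.group.filter": "(&(objectClass=posixgroup)(|(cn=<COMPANYGROUP>)(cn=<JIRAGROUP>)))"
"ldap.group.objectclass": "groupOfUniqueNames"
"ldap.group.usernames": "memberUid"
"ldap.password": ********
"ldap.secure": "false"
"ldap.url": "ldap://<IPAURL>"
"ldap.user.dn": "cn=users,cn=accounts"
"ldap.user.email": "mail"
"ldap.user.filter": "(&(objectclass=posixAccount)(memberOf=cn=<JIRAGROUP>,cn=groups,cn=accounts,dc=<OURDOMAIN>))"
"ldap.user.objectclass": "person"
"ldap.userdn": "uid=<OURSERVICEUSER>,cn=sysaccounts,cn=etc,dc=<OURDOMAIN>"
'''

# One dump line: "key": "value"  (the value may be unquoted, e.g. ********)
LINE = re.compile(r'^"(?P<key>[^"]+)":\s*"?(?P<val>[^"]*)"?$')

def parse_dump(text):
    """Turn the attribute dump into a dict; lines that do not match are skipped."""
    cfg = {}
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if m:
            cfg[m.group("key")] = m.group("val")
    return cfg

def audit(cfg):
    """Return (severity, message) findings for a JIRA-to-FreeIPA directory config."""
    findings = []
    url = cfg.get("ldap.url", "")
    if cfg.get("ldap.secure", "false") != "true" or url.startswith("ldap://"):
        findings.append(("HIGH", "cleartext LDAP: the simple-bind password of %s crosses "
                         "the wire unencrypted; use ldaps:// and ldap.secure=true"
                         % cfg.get("ldap.userdn", "the service user")))
    goc = cfg.get("ldap.group.objectclass", "")
    if goc and goc.lower() not in cfg.get("ldap.group.filter", "").lower():
        findings.append(("WARN", "ldap.group.objectclass=%s never appears in ldap.group.filter; "
                         "compat-tree groups are posixGroup, so confirm which class applies" % goc))
    base = cfg.get("ldap.basedn", "").lower()
    for dn in re.findall(r"memberOf=([^)]+)", cfg.get("ldap.user.filter", "")):
        if base and not dn.lower().endswith(base):
            findings.append(("WARN", "memberOf DN in ldap.user.filter lies outside ldap.basedn: " + dn))
    if not cfg.get("ldap.user.email"):
        findings.append(("WARN", "ldap.user.email is empty: addresses will not sync (FreeIPA uses 'mail')"))
    return findings
```

Run `audit(parse_dump(SAMPLE))` to see the two findings the posted config produces: the cleartext bind and the `groupOfUniqueNames` versus `posixgroup` mismatch.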