Thanks for sharing this. As a follow-up, is there currently a path for SSO
with Jira + Confluence + Crucible and FreeIPA? It seems like there is a
shortcoming of Atlassian products missing Kerberos support.
On Tue, Aug 28, 2018 at 4:14 PM Jacob Jenner Rasmussen via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
I have just set up my Jira and Confluence instances to use my FreeIPA
instance as their user directory. I'm leaving this message on how I did it
in the hope somebody else finds it useful.
Note: I did this with Confluence version 6.10.1 and Jira version 7.12.0
For Confluence you should create the groups "confluence-administrators"
and "confluence-users", and for Jira you should create the groups
"jira-software-administrators" and "jira-software-users".
Please note that only users that are part of confluence-users or
jira-software-users will be recognized by Confluence and Jira respectively.
If you want a different set of users to appear in Confluence and Jira,
change the User Object Filter field appropriately.
Add a new LDAP user directory and configure as follows. This applied to
both Confluence and Jira:
Server Settings:
- Name: FreeIPA
- Directory Type: OpenLDAP
- Server: example.com
- Port: 389
- Use SSL: false # I believe you are going to have to add the FreeIPA CA to the
JDK cert store in order to enable this
- Username: uid=admin,cn=users,cn=accounts,dc=example,dc=com # change
admin to a service-specific account
- Password: <insert password here>
LDAP Schema:
- Base DN: dc=example,dc=com
- Additional User DN: cn=users,cn=accounts
- Additional Group DN: cn=groups,cn=accounts
LDAP Permissions: Read Only
Advanced Settings: <default settings>
User Schema Settings:
- User Object Class: inetorgperson
- User Object Filter:
  - for Confluence:
    (&(objectclass=inetorgperson)(memberOf=cn=confluence-users,cn=groups,cn=accounts,dc=example,dc=com))
  - for Jira:
    (&(objectclass=inetorgperson)(memberOf=cn=jira-software-users,cn=groups,cn=accounts,dc=example,dc=com))
- User Name Attribute: uid
- User Name RDN Attribute: uid
- User First Name Attribute: givenName # This is wrong, FreeIPA doesn't
seem to have anything that fits this field
- User Last Name Attribute: sn
- User Display Name Attribute: displayName
- User Email Attribute: mail
- User Password Attribute: userPassword
- User Password Encryption: SHA
- User Unique ID Attribute: ipaUniqueID
Group Schema Settings:
- Group Object Class: groupofnames
- Group Object Filter: (objectclass=groupofnames)
Note: "groupofnames" should be all lowercase
- Group Name Attribute: cn
- Group Description Attribute: description
Membership Schema Settings:
- Group Members Attribute: member
- User Membership Attribute: memberOf
- Use the User Membership Attribute: false # I'm not sure what to set
this to, but this works
One thing I haven't looked into that might be relevant to set under
Advanced Settings is the Enabled Nested Groups setting.
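
The settings in the message above can be checked with ldapsearch before they are entered in Confluence or Jira. The script below is an added example, not part of the original messages; the bind account, password file, CA path and the use of LDAPS on port 636 are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: pre-flight check of the directory settings with ldapsearch.
# Values are the thread's example.com placeholders; the bind account, password
# file and CA path are hypothetical and must be replaced.
BASE_DN="${BASE_DN:-dc=example,dc=com}"
LDAP_HOST="${LDAP_HOST:-example.com}"
BIND_DN="${BIND_DN:-uid=atlassian-bind,cn=users,cn=accounts,$BASE_DN}"  # hypothetical
PW_FILE="${PW_FILE:-/path/to/bind-password}"   # placeholder; no trailing newline
IPA_CA="${IPA_CA:-/path/to/freeipa-ca.crt}"    # placeholder for the FreeIPA CA

# User Object Filter for one application group, as given in the thread.
user_filter() {
  printf '(&(objectclass=inetorgperson)(memberOf=cn=%s,cn=groups,cn=accounts,%s))' \
    "$1" "$BASE_DN"
}

# The thread says to replace admin with a service-specific account.
bind_dn_ok() {
  case "$1" in
    uid=admin,*) return 1 ;;
    *) return 0 ;;
  esac
}

# Extract the login names from LDIF on stdin.
list_uids() { sed -n 's/^uid: //p'; }

# Run the user search over LDAPS (port 636 assumed) so that the bind password
# is protected; the server certificate is verified against IPA_CA.
search_users() {
  LDAPTLS_CACERT="$IPA_CA" ldapsearch -LLL -x -H "ldaps://$LDAP_HOST:636" \
    -D "$BIND_DN" -y "$PW_FILE" -b "cn=users,cn=accounts,$BASE_DN" \
    "$(user_filter "$1")" uid mail displayName
}

# Constructed sample of what a successful search returns (not real data).
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
mail: alice@example.com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
mail: bob@example.com'

if [ "${1:-}" = "--run" ]; then
  bind_dn_ok "$BIND_DN" || { echo "bind DN is the admin account" >&2; exit 1; }
  for group in confluence-users jira-software-users; do
    echo "== $group =="; search_users "$group" | list_uids
  done
else
  printf '%s\n' "$SAMPLE_LDIF" | list_uids    # offline demo on the sample
fi
```

Run it with `--run` against the live directory; a failure of the LDAPS search shows a certificate or bind problem before the same values go into the Atlassian directory form.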