You can connect Stash to an external LDAP user directory. This allows you to make use of existing users and groups stored in an enterprise directory. Stash is able to connect to the following LDAP directory servers:
To connect Stash to an LDAP directory:
- Log in as a user with 'Admin' permission.
- Click Administration in the top menu.
- Choose Accounts > User Directories.
- Click Add Directory and select either Microsoft Active Directory or LDAP as the directory type.
- Configure the directory settings, as described in the tables below.
- Save the directory settings.
- Define the directory order by clicking the blue up- and down-arrows next to each directory on the 'User Directories' screen. The directory order has the following effects:
  - The order of the directories is the order in which they will be searched for users and groups.
  - Changes to users and groups will be made only in the first directory where the application has permission to make changes.
Server settings

Setting | Description |
---|---|
Name | Enter a meaningful name to help you identify the LDAP directory server. Examples: |
Directory Type | Select the type of LDAP directory that you will connect to. If you are adding a new LDAP connection, the value you select here will determine the default values for many of the options on the rest of the screen. Examples: |
Hostname | The host name of your directory server. Examples: |
Port | The port on which your directory server is listening. Examples: |
Use SSL | Tick this check box if the connection to the directory server is an SSL (Secure Sockets Layer) connection. Note that you will need to configure an SSL certificate in order to use this setting. |
Username | The distinguished name of the user that the application will use when connecting to the directory server. Examples: |
Password | The password of the user specified above. |
LDAP schema

Setting | Description |
---|---|
Base DN | The root distinguished name (DN) to use when running queries against the directory server. Examples: |
Additional User DN | This value is used in addition to the base DN when searching and loading users. If no value is supplied, the subtree search will start from the base DN. Example: |
Additional Group DN | This value is used in addition to the base DN when searching and loading groups. If no value is supplied, the subtree search will start from the base DN. Example: |
LDAP permission
Setting | Description |
---|---|
Read Only | LDAP users, groups and memberships are retrieved from your directory server and can only be modified via your directory server. You cannot modify LDAP users, groups or memberships via the application administration screens. |
Read Only, with Local Groups | LDAP users, groups and memberships are retrieved from your directory server and can only be modified via your directory server. You cannot modify LDAP users, groups or memberships via the application administration screens. However, you can add groups to the internal directory and add LDAP users to those groups. |
Advanced settings
Setting | Description |
---|---|
Enable Nested Groups | Enable or disable support for nested groups. Some directory servers allow you to define a group as a member of another group. Groups in such a structure are called 'nested groups'. If you are using groups to manage permissions, you can create nested groups to allow inheritance of permissions from one group to its sub-groups. |
Use Paged Results | Enable or disable the use of the LDAP control extension for simple paging of search results. If paging is enabled, the search will retrieve sets of data rather than all of the search results at once. Enter the desired page size – that is, the maximum number of search results to be returned per page when paged results are enabled. The default is 1000 results. |
Follow Referrals | Choose whether to allow the directory server to redirect requests to other servers. This option uses the node referral (JNDI lookup |
Naive DN Matching | If your directory server will always return a consistent string representation of a DN, you can enable naive DN matching. Using naive DN matching will result in a significant performance improvement, so we recommend enabling it where possible. |
Enable Incremental Synchronisation | Enable incremental synchronisation if you only want changes since the last synchronisation to be queried when synchronising a directory. If at least one of these conditions is not met, you may end up with users who are added to (or deleted from) the Active Directory not being respectively added (or deleted) in JIRA. |
Synchronisation Interval (minutes) | Synchronisation is the process by which the application updates its internal store of user data to agree with the data on the directory server. The application will send a request to your directory server every x minutes, where 'x' is the number specified here. The default value is 60 minutes. |
Read Timeout (seconds) | The time, in seconds, to wait for a response to be received. If there is no response within the specified time period, the read attempt will be aborted. A value of 0 (zero) means there is no limit. The default value is 120 seconds. |
Search Timeout (seconds) | The time, in seconds, to wait for a response from a search operation. A value of 0 (zero) means there is no limit. The default value is 60 seconds. |
Connection Timeout (seconds) | This setting affects two actions. The default value is 0. |
User schema settings

Setting | Description |
---|---|
User Object Class | This is the name of the class used for the LDAP user object. Example: |
User Object Filter | The filter to use when searching user objects. Example: |
User Name Attribute | The attribute field to use when loading the username. Examples: NB: In Active Directory, the 'sAMAccountName' is the 'User Logon Name (pre-Windows 2000)' field. The User Logon Name field is referenced by 'cn'. |
User Name RDN Attribute | The RDN (relative distinguished name) to use when loading the username. The DN for each LDAP entry is composed of two parts: the RDN and the location within the LDAP directory where the record resides. The RDN is the portion of your DN that is not related to the directory tree structure. Example: |
User First Name Attribute | The attribute field to use when loading the user's first name. Example: |
User Last Name Attribute | The attribute field to use when loading the user's last name. Example: |
User Display Name Attribute | The attribute field to use when loading the user's full name. Example: |
User Email Attribute | The attribute field to use when loading the user's email address. Example: |
User Password Attribute | The attribute field to use when loading a user's password. Example: |
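The LDAP schema and user schema settings above are the ingredients of a single operation: the application takes the Base DN plus the Additional User DN as the search base, ANDs the User Object Filter with an equality match on the User Name Attribute, and runs that search when someone logs in. The following is an added example, not Stash's own code, showing that composition over a constructed in-memory directory. It assumes (not from the page) that the Additional User DN is simply prepended to the Base DN and that the filter is combined as `(&<object filter>(<name attribute>=<login>))`; the login name is escaped per RFC 4515 so that filter metacharacters in what a user types cannot widen the search. The filter evaluator supports only `&`, `|`, `!`, equality and `*` wildcards, which is enough for the filters these settings produce.

```python
"""Added example (not Stash's code): composing the user search from the
LDAP schema settings, with RFC 4515 escaping of the login name."""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_base(base_dn: str, additional_user_dn: str = "") -> str:
    """Additional User DN is used in addition to the Base DN; an empty value
    means the subtree search starts at the Base DN itself (assumed layout)."""
    additional_user_dn = additional_user_dn.strip()
    return f"{additional_user_dn},{base_dn}" if additional_user_dn else base_dn


def build_user_filter(user_object_filter: str, user_name_attribute: str, username: str) -> str:
    """AND the configured User Object Filter with a match on the login name.
    Escaping keeps a login such as '*' from matching every user object."""
    return f"(&{user_object_filter}({user_name_attribute}={escape_filter_value(username)}))"


def _unescape(value: str) -> str:
    # Reverse RFC 4515 hex escapes (\2a -> '*') so they match literally.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filter_str: str, pos: int = 0):
    """Parse one parenthesised filter component; return (node, next position)."""
    assert filter_str[pos] == "(", "filter component must start with '('"
    pos += 1
    op = filter_str[pos]
    if op in "&|!":
        pos += 1
        children = []
        while filter_str[pos] == "(":
            child, pos = _parse(filter_str, pos)
            children.append(child)
        assert filter_str[pos] == ")", "unbalanced filter"
        return (op, children), pos + 1
    end = filter_str.index(")", pos)  # a literal ')' in a value is escaped, so this is safe
    attr, _, raw = filter_str[pos:end].partition("=")
    return ("=", attr.lower(), raw), end + 1


def _matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":
        return bool(values)  # presence test
    # Unescaped '*' are wildcards; escaped bytes become literal characters.
    pattern = ".*".join(re.escape(_unescape(part)) for part in raw.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def search(entries, base_dn: str, filter_str: str):
    """Subtree search: entries under base_dn whose attributes satisfy the filter."""
    node, _ = _parse(filter_str)
    suffix = "," + base_dn.lower()
    return [e["dn"] for e in entries
            if (e["dn"].lower() == base_dn.lower() or e["dn"].lower().endswith(suffix))
            and _matches(node, e)]


# Constructed sample entries (attribute names lower-cased, values as lists).
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectclass": ["person"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectclass": ["person"], "uid": ["bob"]},
    {"dn": "uid=svc,ou=services,dc=example,dc=com", "objectclass": ["applicationProcess"], "uid": ["svc"]},
]

if __name__ == "__main__":
    base = user_search_base("dc=example,dc=com", "ou=people")
    print(search(DIRECTORY, base, build_user_filter("(objectClass=person)", "uid", "alice")))
    print(search(DIRECTORY, base, build_user_filter("(objectClass=person)", "uid", "*")))
```

The second call in the demo returns nothing: the typed `*` becomes `\2a` and is compared literally, whereas the same string left unescaped would be a presence test that matches every person under the base. Wildcards that the administrator writes into the User Object Filter itself are still honoured, which is the distinction that matters.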
Group schema settings

Setting | Description |
---|---|
Group Object Class | This is the name of the class used for the LDAP group object. Examples: |
Group Object Filter | The filter to use when searching group objects. Example: |
Group Name Attribute | The attribute field to use when loading the group's name. Example: |
Group Description Attribute | The attribute field to use when loading the group's description. Example: |
Membership schema settings

Setting | Description |
---|---|
Group Members Attribute | The attribute field to use when loading the group's members. Example: |
User Membership Attribute | The attribute field to use when loading the user's groups. Example: |
Use the User Membership Attribute, when finding the user's group membership | Put a tick in the checkbox if your directory server supports the group membership attribute on the user. (By default, this is the ' |
Use the User Membership Attribute, when finding the members of a group | Put a tick in the checkbox if your directory server supports the group membership attribute on the user. (By default, this is the ' |