Thanks for sharing this. As a follow-up, is there currently a path for SSO with Jira + Confluence + Crucible and FreeIPA? It seems like there is a shortcoming of Atlassian products missing Kerberos support.
On Tue, Aug 28, 2018 at 4:14 PM Jacob Jenner Rasmussen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> I have just set up my Jira and Confluence instances to use my FreeIPA
> instance as their user directory. I'm leaving this message on how I did it
> in the hope somebody else finds it useful.
>
> Note: I did this with Confluence version 6.10.1 and Jira version 7.12.0
>
> For Confluence you should create the groups "confluence-administrators"
> and "confluence-users", and for Jira you should create the groups
> "jira-software-administrators" and "jira-software-users"
>
> Please note that only users that are part of confluence-users or
> jira-software-users will be recognized by Confluence and Jira respectively.
> If you want a different set of users to appear in Confluence and Jira,
> change the User Object Filter field appropriately.
>
> Add a new LDAP user directory and configure as follows. This applies to
> both Confluence and Jira:
>
> Server Settings:
> - Name: FreeIPA
> - Directory Type: OpenLDAP
> - Server: example.com
> - Port: 389
> - Use SSL: false # Believe that you are going to need to add the FreeIPA CA to the
>   jdk cert store in order to enable this
> - Username: uid=admin,cn=users,cn=accounts,dc=example,dc=com # change
>   admin to a service specific account
> - Password: <insert password here>
>
> LDAP Schema:
> - Base DN: dc=example,dc=com
> - Additional User DN: cn=users,cn=accounts
> - Additional Group DN: cn=groups,cn=accounts
>
> LDAP Permissions: Read Only
>
> Advanced Settings: <default settings>
>
> User Schema Settings:
> - User Object Class: inetorgperson
> - User Object Filter:
>   - for confluence:
>     (&(objectclass=inetorgperson)(memberOf=cn=confluence-users,cn=groups,cn=accounts,dc=example,dc=com))
>   - for jira:
>     (&(objectclass=inetorgperson)(memberOf=cn=jira-software-users,cn=groups,cn=accounts,dc=example,dc=com))
> - User Name Attribute: uid
> - User Name RDN Attribute: uid
> - User First Name Attribute: givenName # This is wrong, FreeIPA doesn't
>   seem to have anything that fits this field
> - User Last Name Attribute: sn
> - User Display Name Attribute: displayName
> - User Email Attribute: mail
> - User Password Attribute: userPassword
> - User Password Encryption: SHA
> - User Unique ID Attribute: ipaUniqueID
>
> Group Schema Settings:
> - Group Object Class: groupofnames
> - Group Object Filter: (objectclass=groupofnames)
>   Note: "groupofnames" should be all lowercase
> - Group Name Attribute: cn
> - Group Description Attribute: description
>
> Membership Schema Settings:
> - Group Members Attribute: member
> - User Membership Attribute: memberOf
> - Use the User Membership Attribute: false # I'm not sure what to set
>   this to, but this works
>
> One thing I haven't looked into that might be relevant to set under
> Advanced Settings is the Enabled Nested Groups setting.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
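Added example, not part of the original thread or of any Atlassian or FreeIPA code: a dry run of the quoted User Object Filter against constructed directory entries, showing which accounts each application would see and how a group name is escaped (RFC 4515) before it is placed in the filter. The helper names (`escape`, `user_filter`, `parse`, `matches`, `visible_users`) and the sample users are assumptions made for illustration; only the filter shape and DNs come from the post.

```python
import re

BASE = "cn=groups,cn=accounts,dc=example,dc=com"  # group container from the post
USERS = {  # constructed sample entries (attribute names lowercased)
    "alice": {"objectclass": ["inetOrgPerson"], "memberof": ["cn=confluence-users," + BASE]},
    "bob": {"objectclass": ["inetOrgPerson"], "memberof": ["cn=jira-software-users," + BASE]},
    "svc": {"objectclass": ["account"], "memberof": ["cn=confluence-users," + BASE]},
}

def escape(value):
    """RFC 4515 escaping for a value placed inside a filter (DN escaping is out of scope)."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def user_filter(group_cn):
    """Build the post's User Object Filter for one group."""
    return "(&(objectclass=inetorgperson)(memberOf=cn=%s,%s))" % (escape(group_cn), BASE)

def parse(f, i=0):
    """Parse the subset used here: (&..), (|..), (!..) and (attr=value)."""
    assert f[i] == "(", "filter component must start with '('"
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        assert f[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = f.index(")", i)  # escaped parentheses appear as \28 / \29, never literally
    attr, value = f[i:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, comparing values case-insensitively."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    results = [matches(k, entry) for k in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def visible_users(group_cn):
    """Users the application would import with the filter for group_cn."""
    tree, _ = parse(user_filter(group_cn))
    return sorted(u for u, e in USERS.items() if matches(tree, e))

if __name__ == "__main__":
    for group in ("confluence-users", "jira-software-users"):
        print(group, "->", visible_users(group))
```

The `svc` entry is a member of `confluence-users` but is not an `inetorgperson`, so the filter excludes it; both clauses have to hold for an account to appear.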