Use Integrated Authentication over Kerberos when connecting to MSSQL on Linux

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: Server と Data Center のみ - この記事は、サーバーおよびデータセンター プラットフォームのアトラシアン製品にのみ適用されます。

このページの内容は、サポート対象外のプラットフォームに関連しています。したがって、アトラシアンは、そのためのサポートの提供を保証できません 。この資料は情報提供のみを目的としているため、お客様自身の責任でご使用ください。

This page will help guide you with setting up Kerberos authentication to an external MSSQL server from Linux. More information about using an external MSSQL database can be found at Connecting Bitbucket Server to SQL Server.

Create a Kerberos configuration file

Create a krb5.conf file with the appropriate configuration for your instance. A sample from Microsoft is provided below.

krb5.conf
[libdefaults]
default_realm = YYYY.CORP.CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.yyyy.corp.contoso.com = YYYY.CORP.CONTOSO.COM
.zzzz.corp.contoso.com = ZZZZ.CORP.CONTOSO.COM

[realms]
        YYYY.CORP.CONTOSO.COM = {
  kdc = krbtgt/YYYY.CORP. CONTOSO.COM @ YYYY.CORP. CONTOSO.COM
  default_domain = YYYY.CORP. CONTOSO.COM
}

        ZZZZ.CORP. CONTOSO.COM = {
  kdc = krbtgt/ZZZZ.CORP. CONTOSO.COM @ ZZZZ.CORP. CONTOSO.COM
  default_domain = ZZZZ.CORP. CONTOSO.COM
}

See Using Kerberos Integrated Authentication to Connect to SQL Server from Microsoft for more information.

Configure JAVA to use the Kerberos configuration

Modify <Bitbucket Server Installation>/bin/setenv.sh and add the following to JVM_SUPPORT_RECOMMENDED_ARGS:

-Djava.security.krb5.conf=<PATH_TO>/krb5.conf

setenv and environment variable changes in Bitbucket Server 5.0+

Starting with Bitbucket Server 5.0, setenv.sh and setenv.bat have been removed. The options that were set in this file can now be set via environment variables. Where to set the environment variable depends on which Operating System you're running on.

Linux

When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh. These values will be read when the service starts.

As an example, to set JVM_SUPPORT_RECOMMENDED_ARGS, you would add this line to the file:

JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError

Windows

Set the parameter as an environment variable for the user running Bitbucket Server. For example, if you want to set JVM_SUPPORT_RECOMMENDED_ARGS, create it as an environment variable and assign the appropriate value to it. When Bitbucket Server starts using the startup scripts or service, it will pick up and apply this value.

Update the JDBC URL to use Kerberos and Integrated Authentication

Update $BITBUCKET_HOME/shared/bitbucket.properties to change the JDBC URL so that it uses Kerberos and Integrated Authentication by changing the jdbc.url:

jdbc.url=jdbc:jtds:sqlserver://<MSSQL_HOST:1433;databaseName=<DB_NAME>;domain=<DOMAIN>;integratedSecurity=true;authenticationScheme=JavaKerberos

Bitbucket Server will need to be restarted after making these changes.

最終更新日 2017 年 5 月 4 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.