[Other doc versions]
[Doc downloads]
Stash is now known as Bitbucket Server
.
See the
Unknown macro: {spacejump}
of this page, or visit the Bitbucket Server documentation home page.
You can connect Stash to external user directories. This allows you to use existing users and groups stored in an enterprise directory, and to manage those users and groups in one place.
ユーザー管理機能には以下が含まれます。
- Authentication: determining which user identity is sending a request to Stash.
- Authorisation: determining the access privileges for an authenticated user.
- ユーザー管理: ユーザーのアカウントのプロファイル情報を保持します。
- グループ メンバーシップ: グループおよびグループ メンバーシップを格納および取得します。
これらはユーザー管理システムの個別のコンポーネントであることを理解することが重要です。上記のタスクのいずれかまたはすべてのために外部ディレクトリを使用できます。
There are several approaches to consider when using external user directories wth Stash, described briefly below:
- Stash provides a "read-only" connection to external directories for user management. This means that users and groups, fetched from any external directory, can only be modified or updated in the external directory itself, rather than in Stash.
- Connecting Atlassian Stash to your external directory is not sufficient to allow your users to log in to Stash. You must explicitly grant them access to Stash in the global permission screen.
- We recommend that you use groups instead of individual accounts when granting permissions. However, be careful not to add more users to those groups that your Stash license allows. If the license limit is exceeded, your developers will not be able to push commits to repositories, and Stash will display a warning banner. See this FAQ.
- Stash comes with an internal user directory, already built-in, that is enabled by default at installation. When you create the first administrator during the setup procedure, that administrator's username and other details are stored in the internal directory.
- See also this information about deleting users and groups in Stash.
LDAP
ユーザーおよびグループがエンタープライズ ディレクトリに保存されている場合、LDAP ディレクトリ サーバーに接続することを検討する必要があります。
There are two common ways of using an external LDAP directory with Stash:
- For full user and group management, including for user authentication — see Connecting Stash to an existing LDAP directory for instructions.
- For delegated user authentication only, while using Stash's internal directory for user and group management — see Delegating Stash authentication to an LDAP directory for instructions.
Stash is able to connect to the following LDAP directory servers:
- Microsoft Active Directory
- Apache Directory Server (ApacheDS) 1.0.x および 1.5.x
- Apple Open Directory (読み取り専用)
- Fedora Directory Server (読み取り専用 Posix Schema)
- Novell eDirectory サーバ
- OpenDS
- OpenLDAP
- Open LDAP (読み取り専用 Posix Schema)
- Generic Posix/RFC2307 ディレクトリ (読み取り専用)
- Sun Directory Server Enterprise Edition (DSEE)
- 任意の汎用 LDAP ディレクトリ サーバー
Jira
You can delegate Stash user and group management, as well as user authentication, to an Atlassian JIRA instance. This is a good option if you already use JIRA in your organization. Note that Stash can only connect to a JIRA server running JIRA 4.3 or later.
You should consider using Atlassian Crowd for more complex configurations with a large number of users.
See Connecting Stash to JIRA for user management for configuration instructions.
Crowd
You can connect Stash to Atlassian Crowd for user and group management, as well as for user authentication.
Crowd is an application security framework that handles authentication and authorisation for your web-based applications. With Crowd you can integrate multiple web applications with multiple user directories, with support for single sign-on (SSO) and centralised identity management. See the Crowd Administration Guide.
Crowd を使用して複数のディレクトリ タイプで既存のユーザーおよびグループを管理する場合や、他の Web ベースのアプリケーションのユーザーが存在する場合は、Crowd に接続することを検討することをおすすめします。
See Connecting Stash to Crowd for configuration instructions.
複数のディレクトリ
When Stash is connected directly to multiple user directories, where duplicate user names and group names are used across those directories, the effective group memberships that Stash uses for authorisation can be determined using either of these two schemes:
- 'aggregating membership'
- 'non-aggregating membership'.
See Effective memberships with multiple directories for more information about these two schemes.
注意:
- Aggregating membership is used by default for new installations of Stash.
- Authentication, for when Stash is connected to multiple directories, only depends on the mapped groups in those directories – the aggregation scheme is not involved at all.
- For inactive users, Stash only checks if the user is active in the first (highest priority) directory in which they are found for the purpose of determining authentication. Whether a user is active or inactive does not affect how their memberships are determined.
- ユーザーがグループに追加されると、ユーザーは利用可能な最初の書き込み可能なディレクトリ (優先度順) にのみ追加されます。
- ユーザーがグループから削除されると、non-aggregating が使用されている場合、ユーザーは検出された最初のディレクトリのグループからのみ削除されます。aggregating membership が使用されている場合、ユーザーが存在するすべてのディレクトリのグループから削除されます。
Stash 管理者は次のコマンドを使用して、Stash が使用するメンバーシップ スキームを変更できます。
aggregating membership に変更するには、次のコマンドで、
<username>、<password>、および<base-url>を自身の値で置き換えます。curl -H 'Content-type: application/json' -X PUT -d '{"membershipAggregationEnabled":true}' -u <username>:<password> <base-url>/rest/crowd/latest/applicationaggregating membership に変更するには、次のコマンドで
<username>、<password>、および<base-url>を自身の値で置き換えます。curl -H 'Content-type: application/json' -X PUT -d '{"membershipAggregationEnabled":false}' -u <username>:<password> <base-url>/rest/crowd/latest/application
Note that these operations are different from how you make these changes in Crowd. Note also that changing the aggregation scheme can affect the authorisation permissions for your Stash users, and how directory update operations are performed.
概要
コンテンツ ツール
アプリ
Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.