Documentation for Crowd 1.6. Documentation for other versions of Crowd is available too.

JIRA NTLM plugin not officially supported by Atlassian

The JIRA NTLM plugin was written by a third party. Atlassian does not officially support this SSO plugin. Crowd implements SSO itself, but does not natively support the NTLM protocol without this plugin. Therefore, NTLM is not a prerequisite for the use of Crowd. The Atlassian Crowd team will do its best to advise on any Crowd integration problems. Please refer to the plugin documentation for installation instructions and further support.

Out of the box, JIRA does not support Single Sign On (SSO) functionality. This page describes how to set up JIRA with NTLM SSO functionality using the JIRA NTLM plugin, Crowd, and Active Directory (AD) as your LDAP user repository.

Summary

The JIRA NTLM plugin enables the following authentication scenario:

  • A user in a Windows domain logs into the Windows network, using their Active Directory username/password.
  • Then, when they open JIRA in an Internet Explorer browser, they are seamlessly logged into JIRA.

The Crowd component then allows you to manage all users and groups in Active Directory. Crowd automatically ensures that users and groups are synchronised between AD and JIRA. For example, if a user/group is added/deleted from AD it will be automatically added/deleted from JIRA.

Components

JIRA NTLM plugin

NTLM is the protocol used by Windows for authentication. The JIRA NTLM plugin takes care of the Windows domain / Active Directory login to JIRA. You must be running a Windows Domain Controller with accounts set up in AD in order to use this plugin. If NTLM authentication is not available, the plugin allows standard form-based login to JIRA.
Note: This plugin is not officially supported by Atlassian.

Crowd

Crowd takes care of the synchronisation of users/groups between Active Directory and JIRA.
Note: You will need to create an SSL connection between Crowd and the AD server if you would like to create users through Crowd. AD will not allow Crowd to add users or change their passwords unless the communication occurs over a secure connection.

Active Directory (AD) on Windows 2003 Server

You must already have an AD instance set up and running on Windows 2003 Server with a domain controller.

JIRA

The machine running JIRA must be part of the Windows domain or installed on the same box as the domain controller.

Procedure

  1. Back up your entire JIRA installation directory and run an XML backup of your data.
  2. Download the JIRA NTLM plugin.
  3. Read the README file included in the plugin zip file, and then follow the instructions in the INSTALL file to install the plugin.
  4. In the ntlm_ldap.properties file, insert the appropriate LDAP and Domain Controller information along with other parameters.
  5. Install and configure Crowd.
  6. Create a directory in Crowd for the AD LDAP server.
  7. Create the JIRA application in Crowd and configure Crowd and JIRA to talk to each other, as described in Integrating Crowd with Atlassian JIRA.

    When following the above instructions, do not change the seraph-config.xml file to enable Crowd's SSO functionality (i.e. do not change the authenticator node to read <authenticator class="com.atlassian.crowd.integration.seraph.JIRAAuthenticator"/>). Instead of Crowd's SSO authentication, the JIRA NTLM plugin will handle login.

  8. In AD, create the groups jira-users, jira-developers, and jira-administrators. They should then appear in Crowd.
  9. In AD, create an admin user and make them a member of the above three groups in AD.
  10. Create any additional groups that you would like in AD.
  11. Log into the Windows domain using your desktop login and then open JIRA in an Internet Explorer browser. You should be logged in automatically.

Additional Crowd Performance Tips

  • Change the default cache setting timeout in the file <JIRA>\WEB-INF\classes\crowd-ehcache.xml. For performance reasons, increase the object caching to 7,200 seconds (2 hours):
    timeToIdleSeconds="7200" timeToLiveSeconds="7200".
    This reduces the frequency of the requests from Crowd to the LDAP server when changes to LDAP objects (such as a group name or user attribute) are made, thus reducing the performance overhead.
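The two JIRA-side files this page touches are easy to get wrong silently: step 7 of the procedure says to leave seraph-config.xml alone (the Crowd JIRAAuthenticator must not be enabled when the NTLM plugin handles login), and the tip above asks for 7,200-second timeouts in crowd-ehcache.xml. The following script, an added example that is not code from Atlassian, Crowd or the NTLM plugin, parses both files and reports any deviation from what the page prescribes. The XML fragments inside it are constructed samples; the authenticator class "com.example.PlaceholderAuthenticator" stands in for whatever non-Crowd authenticator the installation uses and is not a real class name.

```python
"""Audit seraph-config.xml and crowd-ehcache.xml against this page's advice.

Added example, not Atlassian/plugin code. Expects the files to be well-formed XML
and to use the element and attribute names shown in the constructed samples below.
"""
import xml.etree.ElementTree as ET

# The Crowd SSO authenticator that the page says must NOT be configured
# when the JIRA NTLM plugin is doing the login.
CROWD_SSO_AUTHENTICATOR = "com.atlassian.crowd.integration.seraph.JIRAAuthenticator"

# Cache timeout the page recommends (2 hours), in seconds.
RECOMMENDED_TTL_SECONDS = 7200

# --- Constructed sample inputs (not copied from any real installation) ---
SERAPH_CROWD_SSO = """<security-config>
  <authenticator class="com.atlassian.crowd.integration.seraph.JIRAAuthenticator"/>
</security-config>"""

# "com.example.PlaceholderAuthenticator" is a placeholder, not a real class.
SERAPH_NTLM_OK = """<security-config>
  <authenticator class="com.example.PlaceholderAuthenticator"/>
</security-config>"""

EHCACHE_SAMPLE = """<ehcache>
  <defaultCache maxElementsInMemory="1000" eternal="false"
                timeToIdleSeconds="600" timeToLiveSeconds="600"/>
  <cache name="com.example.fast" maxElementsInMemory="100" eternal="false"
         timeToIdleSeconds="7200" timeToLiveSeconds="7200"/>
</ehcache>"""

EHCACHE_FIXED = """<ehcache>
  <defaultCache maxElementsInMemory="1000" eternal="false"
                timeToIdleSeconds="7200" timeToLiveSeconds="7200"/>
  <cache name="com.example.fast" maxElementsInMemory="100" eternal="false"
         timeToIdleSeconds="7200" timeToLiveSeconds="7200"/>
</ehcache>"""


def authenticator_class(seraph_xml):
    """Return the class attribute of the <authenticator> element, or None if absent."""
    node = ET.fromstring(seraph_xml).find(".//authenticator")
    return None if node is None else node.get("class")


def uses_crowd_sso(seraph_xml):
    """True when seraph-config.xml enables Crowd's own SSO authenticator."""
    return authenticator_class(seraph_xml) == CROWD_SSO_AUTHENTICATOR


def cache_timeouts(ehcache_xml):
    """Map each cache (defaultCache plus named <cache> entries) to (idle, live) seconds.

    A missing attribute is treated as 0 so it is reported as below the threshold.
    """
    timeouts = {}
    for node in ET.fromstring(ehcache_xml):
        if node.tag not in ("defaultCache", "cache"):
            continue
        name = node.get("name", "defaultCache")
        idle = int(node.get("timeToIdleSeconds", "0"))
        live = int(node.get("timeToLiveSeconds", "0"))
        timeouts[name] = (idle, live)
    return timeouts


def caches_below(ehcache_xml, threshold=RECOMMENDED_TTL_SECONDS):
    """Names of caches whose idle or live timeout is shorter than the recommendation."""
    return sorted(
        name
        for name, (idle, live) in cache_timeouts(ehcache_xml).items()
        if idle < threshold or live < threshold
    )


def audit(seraph_xml, ehcache_xml):
    """Return a list of human-readable findings; an empty list means both files match the page."""
    findings = []
    if uses_crowd_sso(seraph_xml):
        findings.append(
            "seraph-config.xml enables Crowd's JIRAAuthenticator; leave the authenticator "
            "node unchanged when the JIRA NTLM plugin handles login"
        )
    for name in caches_below(ehcache_xml):
        findings.append(
            f"crowd-ehcache.xml: cache '{name}' has a timeout below "
            f"{RECOMMENDED_TTL_SECONDS}s (timeToIdleSeconds/timeToLiveSeconds)"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SERAPH_CROWD_SSO, EHCACHE_SAMPLE):
        print("FINDING:", line)
```

To run it against a real installation, read <JIRA>\WEB-INF\classes\seraph-config.xml and <JIRA>\WEB-INF\classes\crowd-ehcache.xml into strings and pass them to audit(); an empty result means the authenticator was left as the page asks and every cache already carries the two-hour timeouts.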