Versions Compared

Old Version 1

changes.mady.by.user Jeff Turner

Saved on

compared with

New Version 2

changes.mady.by.user Jeff Turner

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If the Use SSL box is checked (typically port 636):

Code Block
ldapsearch \
-LL -x -z5 \
-H ldaps://tx-dc2.corp.example.com:636 \
  -D 'CN=svcLDAPquery,CN=Managed Service Accounts,DC=corp,DC=example,DC=com' \
  -w "s3cret" \
  -b 'OU=Internal,DC=corp,DC=example,DC=com' \
-s sub  sub '\
'(&(objectCategory=Person)(sAMAccountName=*))' \
sAMAccountName displayName givenname sn mail

This displays results in the form:

Code Block
dn: CN=Jeff Turner,OU=RedRadish,OU=Contractors,OU=Internal,DC=corp,DC=example,DC=com'
sn: \Turner
givenName:  -x -z5 \
  sAMAccountNameJeff
displayName: Jeff Turner
sAMAccountName: jeff.redradish_ext
mail: jeff@redradishtech.com

The This query does a subtree (   -s sub ) search for all nodes below OU=Internal,DC=corp,DC=example,DC=com, returning the sAMAccountName (i.e. username) attribute , full name, first name and email attributes for each. It is limited to 5 results ( -z5 ).

LDAP's startTLS extension also allows a connection on port 389 to be upgraded to TLS ( ldapsearch -ZZ ) but I can find no evidence that JIRA/Confluence support this.

 

If you can see the existing JIRA/Confluence User Directory, the properties map to ldapsearch parameters as follows:

Image Added

Auto-generating ldapsearch commands

Iff you're using PostgreSQL as the database, you can generate the correct ldapsearch command directly from the database. Save this SQL to a file, crowd_to_ldapsearch.sql:

Code Block
WITH ldap AS (
    select * from crosstab('select directory_id, attribute_name, attribute_value from cwd_directory_attribute order by 1,2',
        $$values ('ldap.url'),
        ('ldap.userdn'),
        ('ldap.password'),
        ('ldap.basedn'),
        ('ldap.user.dn'),
        ('ldap.user.filter'),
        ('ldap.user.username'),
        ('ldap.user.displayname'),
        ('ldap.user.email'),
        ('ldap.user.firstname'),
        ('ldap.user.lastname')
        $$)
    AS ct(directory_id int,
        "url" varchar,
        "userdn" varchar,
        "password" varchar,
        "basedn" varchar,
        "user.dn" varchar,
        "user.filter" varchar,
        "user.username" varchar,
        "user.displayname" varchar,
        "user.email" varchar,
        "user.firstname" varchar,
        "user.lastname" varchar)
)
SELECT '# For directory ' || directory_id ||'
ldapsearch \
-LL -x -z5 \
-H ' || url || ' \
-D ''' || userdn || ''' \
-w ''' || password || ''' \
-b ''' || "user.dn" || ',' || basedn || ''' \
-s sub \
''' || "user.filter" || ''' '
 || "user.username" || ' ' || 
"user.displayname" || ' ' || 
"user.firstname" || ' ' ||
"user.lastname" || ' ' ||
"user.email"
FROM ldap;

and run it against your JIRA database:

Code Block
psql -tAq jira < /tmp/crowd_to_ldapsearch.sql

The output is one ldapsearch command per LDAP directory configured:

...

Code Block
jturner@jturner-desktop~ $ atl_psql -tAq < ~/crowd_to_ldapsearch.sql 
␀
# For directory 10000
ldapsearch \
-LL -x -z5 \
-H ldaps://tx-dc2.corp.example.com:636 \
-D 'CN=svcLDAPquery,CN=Managed Service Accounts,DC=corp,DC=example,DC=com' \
-w 'REDACTED' \
-b 'OU=Internal
Expand
titleSample ldapsearch output...
# ldapsearch -z5 -x -b "DC=corp,DC=example,DC=com" -D "CN=svcLDAPquery,CN=Managed Service Accounts,DC=corp,DC=example,DC=com" -w "s3cret" -s sub "(sAMAccountName=redradish)" -H ldaps://tx-dc2.corp.example.com sAMAccountName
# extended LDIF
#
# LDAPv3
# base <DC=corp,DC=example,DC=com> with scope subtree
# filter: (sAMAccountName=redradish)
# requesting: sAMAccountName
#
# Jeff Turner, CA-Users, CA, Internal, corp.example.com
dn: CN=Jeff Turner,OU=CA-Users,OU=CA,OU=Internal,DC=corp,DC=example,DC=com
sAMAccountName: redradish
# search reference
ref: ldaps://DomainDnsZones.corp.example.com/DC=DomainDnsZones,DC=corp,DC=ico
 ntrol,DC=com
# search reference
ref: ldaps://ForestDnsZones.corp.example.com/DC=ForestDnsZones,DC=corp,DC=ico
 ntrol,DC=com
# search reference
ref: ldaps://corp.example.com/CN=Configuration
,DC=corp,DC=example,DC=com

# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3

LDAP's startTLS extension also allows a connection on port 389 to be upgraded to TLS ( ldapsearch -ZZ ) but I can find no evidence that JIRA/Confluence support this.

 

If you can see the existing JIRA/Confluence User Directory, the properties map to ldapsearch parameters as follows:

' \
-s sub \
'(&(objectCategory=Person)(sAMAccountName=*))' sAMAccountName displayName givenName sn mail
Time: 2.063 ms