5 unobvious things about Atlassian Crowd’s Delegated Authentication Directory

Atlassian has just released Crowd 1.3, which now has the Delegated Authentication option: a two-sided directory with an external LDAP-facing side for authentication and an internal Crowd side for authorisation. This double-sided design causes some non-obvious interface issues.

The most important thing to understand is that the external side is accessed only when a user authenticates with a full username/password. In any other context, the users and groups you see are those that have been copied/imported into the internal Crowd side of the directory. This produces a couple of cognitive problems:

  1. One cannot look up users from that directory just after the directory is created. The search runs against the internal database and does not even generate an LDAP lookup. This is obvious once you realise that the directory effectively has both a remote and a local repository behind one interface, and the search only goes against the local (still empty) one.
  2. Directory permissions are also about the local directory. In the past, I disabled all modify permissions when configuring an LDAP directory, as I did not want to accidentally change an external user. Doing the same thing with a Delegated directory will cause very odd database integrity violation stack traces. (now CWD-911)
  3. Wildcard handling in the user lookup screen differs between Crowd internal directories and LDAP directories. Internal directories use substring search, while LDAP requires an explicit star (*) character. Searching against a Delegated directory is searching against the Crowd side, so putting in a star wildcard will actually cause no matches. (now CWD-912)
  4. The local directory side seems to store much more information about a user than just the username and group associations. It actually stores email, full name, etc. This means that if any of that information is changed in the original external LDAP, the change may not be reflected in Crowd’s directory (and therefore in the applications). As there does not seem to be a way for the administrator to easily check for mismatches, such a problem will likely be extremely hard to troubleshoot. (now CWD-913)
  5. Finally, there is no easy way to copy small sets of users into the local side of Crowd’s directory from its remote counterpart. They have to be added (with full information) one by one or copied wholesale from another directory. I have opened a request to improve this.
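A mismatch check of the kind point 4 asks for, as an added example (not Atlassian's code): it compares two constructed user lists, one standing in for the local side of the Delegated directory and one for the external LDAP, and reports stale attributes plus users present on only one side. How the two lists are obtained (a Crowd user export and an LDAP search) and the case-insensitive username matching are assumptions, not something the post states.

```python
# Added example, not Atlassian's code: detect drift between the user attributes
# cached on the local side of a Crowd Delegated Authentication directory and the
# live values in the external LDAP. Both inputs are constructed sample records;
# in practice you would fill them from a Crowd user export and an LDAP search.

# Attributes the local Crowd side caches and which can silently go stale.
COMPARED_ATTRIBUTES = ("email", "display_name", "active")

# Constructed sample: what Crowd's local side currently holds.
CROWD_USERS = {
    "jsmith": {"email": "jsmith@example.com", "display_name": "Jane Smith", "active": True},
    "bjones": {"email": "bjones@example.com", "display_name": "Bob Jones", "active": True},
    "old.user": {"email": "old.user@example.com", "display_name": "Old User", "active": True},
}

# Constructed sample: what the external LDAP answers today (jsmith's email changed,
# bjones deactivated, old.user deleted, new.user never copied into Crowd).
LDAP_USERS = {
    "jsmith": {"email": "jane.smith@example.com", "display_name": "Jane Smith", "active": True},
    "bjones": {"email": "bjones@example.com", "display_name": "Bob Jones", "active": False},
    "new.user": {"email": "new.user@example.com", "display_name": "New User", "active": True},
}


def find_drift(crowd, ldap, attributes=COMPARED_ATTRIBUTES):
    """Return per-user lists of (attribute, cached_value, ldap_value) that differ,
    plus the usernames present on only one side. Usernames are matched
    case-insensitively (an assumption about how the exports should be compared)."""
    crowd_ci = {u.lower(): (u, attrs) for u, attrs in crowd.items()}
    ldap_ci = {u.lower(): (u, attrs) for u, attrs in ldap.items()}
    mismatched = {}
    for key in crowd_ci.keys() & ldap_ci.keys():
        name, c_attrs = crowd_ci[key]
        _, l_attrs = ldap_ci[key]
        diffs = [(a, c_attrs.get(a), l_attrs.get(a))
                 for a in attributes if c_attrs.get(a) != l_attrs.get(a)]
        if diffs:
            mismatched[name] = diffs
    return {
        "mismatched": mismatched,
        "only_in_crowd": sorted(crowd_ci[k][0] for k in crowd_ci.keys() - ldap_ci.keys()),
        "only_in_ldap": sorted(ldap_ci[k][0] for k in ldap_ci.keys() - crowd_ci.keys()),
    }


if __name__ == "__main__":
    report = find_drift(CROWD_USERS, LDAP_USERS)
    for user, diffs in sorted(report["mismatched"].items()):
        for attr, cached, live in diffs:
            print(f"{user}: {attr} cached={cached!r} ldap={live!r}")
    print("stale, only in Crowd:", report["only_in_crowd"])
    print("never copied into Crowd:", report["only_in_ldap"])
```

Users listed under "only_in_crowd" are the ones that will keep their cached details but can no longer authenticate, which is the hardest of these cases to spot from the Crowd console alone.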

Crowd’s Delegated directory option was eagerly awaited for a long time by a great many people, but it obviously still needs an improvement or two. I am looking forward to having those issues addressed soon.