I have added an LDAP directory. I have two users in LDAP.
I don't find a Jira group for the LDAP users. See screenshot 2.
I am using OpenLDAP in "read-only" mode.
Screenshot 1:
Screenshot 2:
Screenshot 3:
Screenshot 4:
What do I miss here?
Hi Bipin,
Sorry to hear about this problem. I can see you are looking to connect Jira to an LDAP user directory to bring some users into Jira, and it seems this user has been found, but is not permitted to login to Jira.
This tends to happen because Jira grants users access to log in by group membership. And while it certainly looks like Jira has found the user object in LDAP, and the password looks good, the only other reason Jira would deny login would be because Jira has not been able to establish that this user account is a member of a group that grants application access in Jira. Details are in Licensing and application access. By default the group called jira-software-users grants access to that product, jira-servicedesk-users grants application access (Agent role) to those users, and jira-core-users grants application access to Jira Core. If the user account in question is not a member of any of these default groups, or any other groups your environment might have defined to grant application access, that account can't log in to Jira.
There are a couple of different ways to address this. Ultimately we need to get that user into a group that grants access. How we do that can vary. For example:
The most basic approach is to first understand what groups that user is a member of. You can do this by going to the User Management page /secure/admin/user/UserBrowser.jspa and searching for this user. It should identify the directory this user account is found in, and any groups they are a member of. I think your screenshot #2 shows this without any user groups, but it seems cropped, so I'm not sure.
You could use the read-only with local groups option. This allows you to add that LDAP user into a group that exists in the Jira internal directory. It's a quick solution for one user, but doesn't usually scale well if you have dozens or hundreds to thousands of Jira users in LDAP.
Alternatively, we would need to inspect what LDAP groups are getting synced over to Jira. You could do this by looking up this user account to see if there are any LDAP groups this user is a member of that exist in Jira right now. It's possible the user directory configuration in Jira is not correctly set up to get the group(s) from LDAP and then add that user as a member of them. If that happens, then it is possible that no groups came over in this sync. This can be more in-depth to troubleshoot, but basically we would want to try to learn more about the group object LDAP filter Jira is using for this directory.
Perhaps you can post us some more details about your user directory configuration within Jira. With this information we should be better able to understand why Jira is not placing this user in the group you have defined here.
Regards,
Andy
Thanks for the quick reply.
Here I am adding more details. I am sharing the Jira LDAP settings and LDAP search results.
JIRA LDAP settings:
LDAP search results:
OpenLDAP GUI:
Looks like my group object class is not correct. Also, I don't find membership attributes (memberOf) in OpenLDAP.
Another question: would it get groups automatically from LDAP if the configuration is correct? I have one group in LDAP, "jira-software-users", but it does not come along with the users from LDAP.
Please advise.
To answer your last question first: yes, Jira will sync over the groups if the configuration is correct. But in this case, it can be very difficult to determine if it's done that from the Jira UI. This is because the groups you see in Jira don't indicate what user directory they come from.
And since you named the group in LDAP the same as the internal directory group name 'jira-software-users', the only way to tell if that group synced over is to look closer at the atlassian-jira.log file or, more precisely, run a SQL query against the database to determine the user directory that group comes from. For the sake of troubleshooting here, it might be better to give the group name in LDAP a unique value, something other than jira-software-users. It would make it easier to understand which group belongs to which user directory.
But even if you don't do that, you could look it up in SQL to see where that group comes from. For example:
select id, group_name, active, local, directory_id from cwd_group;
can at least show you all the groups in Jira and tell you their directory_id. You can then look up which user directory that corresponds to with a query like
select * from cwd_directory;
The id field in that table corresponds to the cwd_group.directory_id field. If you can run that SQL query, it can likely tell us if the group is actually getting synced over. If it is, then we can work on making sure the user is getting membership; but if it's not, then there is no way for Jira to give that user membership with the current settings, short of using the Read Only with local groups directory option.
I'd also be curious to see your Base DN value, Additional user DN, and Additional Group DN values you have set in Jira here. Here is my example openldap:
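The two queries in the answer above can be combined into one check that resolves each group to its directory and then shows whether the LDAP user has any membership rows at all. This is an added example, not part of the original thread or of Atlassian's documentation. It assumes the standard Crowd-derived tables that Jira Server/Data Center embeds (cwd_group and cwd_directory as named above, plus cwd_membership and cwd_user); the column names beyond those on the page, the directory id 10001, and the user name bipin are assumptions to be replaced with your own values.

```sql
-- Added example (not from the thread). Assumes Jira's embedded Crowd schema:
-- cwd_directory, cwd_group, cwd_user, cwd_membership. Replace 10001 and 'bipin'
-- with the LDAP directory id and the LDAP user's lower-cased user name.

-- 1. Every group named jira-software-users, resolved to the directory it lives in.
--    Two rows here (one internal, one LDAP) means the LDAP group did sync; one row
--    with local = 1 / internal directory means it did not.
SELECT g.id, g.group_name, g.active, g.local, g.directory_id,
       d.directory_name, d.directory_type, d.directory_position
FROM cwd_group g
JOIN cwd_directory d ON d.id = g.directory_id
WHERE g.lower_group_name = 'jira-software-users'
ORDER BY d.directory_position;

-- 2. All groups that came over from the LDAP directory, for comparison with
--    what the group object filter in the directory settings is expected to match.
SELECT g.group_name, g.active
FROM cwd_group g
WHERE g.directory_id = 10001
ORDER BY g.group_name;

-- 3. Group memberships Jira holds for the user, per directory. A user that was
--    found in LDAP but has no GROUP_USER rows in that directory is exactly the
--    "found, password ok, login denied" case described above.
SELECT m.directory_id, m.parent_name AS group_name, m.child_name AS user_name,
       m.membership_type
FROM cwd_membership m
WHERE m.lower_child_name = 'bipin'
  AND m.membership_type = 'GROUP_USER'
ORDER BY m.directory_id, m.parent_name;

-- 4. Every user in the LDAP directory that has no group membership there at all;
--    each of these accounts will be denied application access for the same reason.
SELECT u.user_name, u.directory_id
FROM cwd_user u
LEFT JOIN cwd_membership m
       ON m.child_id = u.id
      AND m.directory_id = u.directory_id
      AND m.membership_type = 'GROUP_USER'
WHERE u.directory_id = 10001
  AND m.id IS NULL
ORDER BY u.user_name;
```

Run these read-only against a copy of the database, or at least with a read-only account; nothing here needs to be written back. If query 1 shows only the internal group, the group object filter in the directory settings is the thing to fix (OpenLDAP groups are typically groupOfNames with a member attribute or posixGroup with memberUid, and without the memberof overlay there is no memberOf attribute on the user for Jira to read), so query 3 will stay empty until that sync succeeds.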