Destination User Directory has moved

I've moved JIRA which Confluence is using for a User Server from one IP address to a local DNS name (jira.xxxx.net).  Now the Remote JIRA Directory can't connect, and users are no longer synchronized.  I've spent about an hour trying to fix it, with no luck.  How can I repair this connection?

I realize variations of this question have been asked and answered, but they are an overwhelming collection of Q&A, SQL commands, rollback recommendations and frankly I get lost.

2 answers

This widget could not be displayed.
Ann Worley Atlassian Team Sep 20, 2017

Hi Malachi,

I understand you changed the Jira URL from an IP address to a DNS name. Since then Confluence has not been able to connect to Jira for user management.

Please let me know what steps you have taken and what error messages you are seeing in the browser and the logs:

  • Have you edited the Jira URL in the User Directory in Confluence? Please see these instructions if not: Connecting Confluence to JIRA applications for User Management
  • Please check the <confluence_home>/logs/atlassian-confluence.log for errors connecting to Jira. Note: The <confluence_home> directory is the path defined in the following file: <confluence_install>/confluence/WEB-INF/classes/confluence-init.properties.

The log should have errors indicating that the external user directory is not available during authentication. The error messages should give us a clue as to why it isn't connecting.

I look forward to hearing more about your case.

Thanks,

Ann

At the point where I try to "Add" "Atlassian JIRA" in the Confluence User Directory area, I get a :

'Connection test failed. Response from the server:
com.atlassian.crowd.exception.ApplicationPermissionException: Forbidden (403) Encountered a "403 - Forbidden" error while loading this page. client.forbidden.exception Go to JIRA home'

Even though I triple-checked that Application Name and Application Password match

Here are some screenshots:

Confluence_userdirectory_1.pngConfluence_userdirectory_2.pngJIRA_userdirectory_1.png

Thanks for the screen shots. Based on those:

  • You need to log in with an administrative account from the Confluence Internal Directory so you can edit the Remote Jira directory.
  • Then you have the 403 error to overcome.

Internal Administrator

For logging in with an internal admin, go to Confluence Admin>Groups and check the membership of the confluence-administrators group. If you do not have credentials for a user in that group, then add a user (it will add them in the Confluence Internal directory unless the Jira directory is read/write)and add the user to the confluence-administrators group so they will be a super user.

Then you can edit the existing  Remote Jira user directory to point at the DNS name instead of an IP address.

Eliminating 403 Forbidden connecting to Jira

You will likely see the same 403 error when connecting with the existing user directory that you are seeing when adding a new Jira user directory. To get connected, please see: Unable to connect to JIRA for authentication - Forbidden 403

Confluence server could not connect or access to JIRA server due to the following cause:

  1. JIRA does not include Confluence server IP address in JIRA User Server settings
  2. JIRA has not whitelisted Confluence server or IP address, despite both of them located within same server.
  3. There is a proxy or firewall that blocks such access from Confluence to JIRA.

Please try the resolutions from the article and let me know if you see any other error when connecting to Jira for user management.

For the Internal Administrator guidance, the account I am logged in as reports to being a member of the confluence-administrators group.  I am able to attempt adding remote JIRA user directories, as indicated in 2nd screenshot (Confluence_userdirectory_2)

For the Eliminating 403 guidance:

Item 1

In the 3rd screenshot (JIRA_userdirectory_1) I have IP address specified of 192.168.0.0/16 to allow all traffic in from 192.168.x.x which does match our IP range

Item 2

I added a whitelist entry (http://wiki.moducom.net) but unfortunately no change.  

Item 3

Also, I don't see how a proxy or firewall could be blocking it - BUT - there is indeed an nginx reverse proxy in place forwarding:

  • jira.moducom.net -> localhost:8080
  • wiki.moducom.net -> localhost:8090

It works well enough for other areas (such as application linking).  

How do you recommend we proceed?

Ann Worley Atlassian Team Sep 22, 2017

Thanks for making sure the whitelist and Jira User Server settings are there.

Recommendation

One of the resolutions on the knowledge base article is to bypass the proxy by accessing Jira on localhost as described on: Unable to connect to JIRA for authentication - Forbidden 403  It sounds like Confluence and Jira are on the same server proxied to the two ports, in which case that option is worth considering.

Secondary recommendation

Right now the issue I am focussed on is the 403 error connecting to Jira, but I wanted to be clearer about the Confluence Internal admin. Regarding the editing of the existing Remote Jira User Directory: In order to edit it a user must be in the confluence-administrators group and also the user must be logged in from another directory. Your other directory is the Confluence internal directory. To see what directory a user is from, view them in User Management as in the screen shot below.

It is considered a good practice to have an administrative account in the Internal directory when external authentication is used with Confluence. That way, if the system that authenticates users fails or is unreachable you can still get into the UI.

ViewUserDirectory.pngHIt

Somehow, I was able to reply AS you Ann.  Certainly not on purpose :) please find my response below

This widget could not be displayed.

edited

Thank you for this.  

In regards to your initial Recommendation, if the only way forward is to specify a direct IP and port instead of a proxy, I will do it.  However, that's what got me into this trouble in the first place, and I would much prefer the mobility of an actual DNS name.

In regards to the Secondary recommendation, I would like to do this; however it's a bit of a chicken and the egg, I am not able to add any more users to Confluence - presumably because Confluence is hard-wired to be a "slave" to JIRA users as you can see in the screenshot below.  What would you recommend to enable an internal administrator account in this situation?

.Confluence_user_create.png

Ann Worley Atlassian Team Sep 25, 2017

I mistakenly assumed your Jira user directory was read-only. Confluence creates the user in the first directory it has permission to write to, in this case the Jira user directory because it is on top. It fails because it can't connect currently. (I was able to reproduce the behavior on my test instance after making the Jira User directory read/write.)

Please move the Internal Directory up in the order and then create the internal admin. For more on how the directories work see: Managing Multiple Directories

Back to the 403 error: Can you ping or nslookup and resolve the DNS name of the Jira server from the command line on the Confluence server? What if you do a traceroute to that IP? Does it go through any network devices that could be blocking the connectivity?

Following these instructions, I was able via direct IP address to set up a 2nd JIRA user directory reference (disabling my first one) and successfully synchronize.  Thank you immensely for this.

Regarding utilizing DNS naming:

JIRA DNS ping and nslookup work quite well from the command line on the Confluence server.

JIRA DNS reference for aforementioned 2nd JIRA user directory works if "http://jira.moducom.net:8080" is specified.  That is a little unexpected, because the proxy is, as mentioned before, arranged to do jira.moducom.net:80 -> [::]:8080 and definitely does exactly that during normal usage.

Ann Worley Atlassian Team Sep 25, 2017

I am relieved to hear the Jira User directory is functional for Confluence now. It is interesting that the User Directory only connects when you specify the port. It reminded me of this guide: Reverse Proxy and Application Link Troubleshooting Guide

When using a reverse proxy, the application server (Tomcat) must be aware of the proxy to ensure that the correct addresses and URLs are sent back to the client. If this is not correctly set up, Tomcat will return the hostname and IP that it's listening on, rather than the address that clients use to access the application.

The most reliable way to configure your HTTP connector is to include the proxy information:


<Connector port="8080" connectionTimeout="20000" maxThreads="200" minSpareThreads="10"
enableLookups="false" acceptCount="10" URIEncoding="UTF-8"
proxyName="atlassian.com" proxyPort="443" scheme="https" secure="true" />

 Please make sure the connector directive in <confluence_install_dir>/conf/server.xml has the proxyName, proxyPort and scheme as described.

Both JIRA and Confluence have been configured with these proxyName/proxyPort settings.

Risking over-punctiliousness, I notice you suggest changing the Confluence proxy settings but wouldn't the JIRA settings be the focal point?

Ann Worley Atlassian Team Sep 25, 2017

You may be as punctilious as you like, in fact, you are right, it was the Jira setting I meant to refer you to; I should have asked you to check the server.xml in Jira.

I am not sure why the User Directory wants to bypass the proxy and "talk" on the Tomcat port. I can only speculate that it's "something" with the network configuration. 

Are you all set now that the user directory is functional or do we need to get it to talk on port 80?

The critical need is handled, and my concern about future breakages is tempered with the knowledge of using an internal administrator to add a brand new user directory when needed.  

I'd like to explore precisely how to get the DNS port 80 flavor working, but the reality is it will probably be time consuming and either:

a) worked out as a bug

b) revealed in a workaround in due time

So, with all that, I can say I am all set.  I leave it to you the prudence of reporting this as a possible bug, if you think it is I'd be happy to help with that.  Thank you for everything !

Ann Worley Atlassian Team Sep 25, 2017

One more thing to check - since Confluence is also behind the proxy, the requests to Jira User Server may appear to Jira to be coming from the NGINX proxy. Is the IP address of the proxy allowed in Jira User Server and in the Jira Whitelist?

I am curious whether you have application links set up between Confluence and Jira and if so, whether the links are using the DNS names.

Application links on both sides using DNS naming without explicit ports.

Whitelist also using DNS naming; Going to add IP:PORT directly to Whitelist and followup with results.

EDIT:

Found the culprit.  The IP Addresses under Edit Application needed to include localhost-y things in it (::1, 127.0.0.1), not just 192.168.0.0/16.

JIRA_userdirectory_2.png

With aforementioned settings, I am able to use DNS name http://jira.moducom.net in the confluence JIRA server user directory configuration

Ann Worley Atlassian Team Sep 26, 2017

So...http://jira.moducom.net  with no port, so default port 80. Nice.

I do feel we are all set now, what do you say?

100% all set !

We went from solution established to curiosity satisfied.  You rock.  Thank you !

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Monday in Confluence

Why start from scratch? Introducing four new templates for Confluence Cloud

Hi my Community friends!  For those who don't know me, I'm a product marketer on the Confluence Cloud team - nice to meet you! For those of you who do, you know that I've been all up in your Co...

463 views 6 6
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you