Remote Crowd directory test successful, yet user fails to authenticate

I have implemented a custom directory in Crowd by implementing the RemoteDirectory interface, and configured Jira to use this custom directory for authentication. I am able to test this custom directory from Jira by using a sample user from the custom directory. However, when I try to log in to Jira using this user, it fails to authenticate.

I ran this RemoteDirectory implementation in debug mode to make sure that the authenticate method returns the User object as desired. Can anyone please help me understand why it fails to authenticate from Jira?

Thanks

Rizwan

1 answer

0 votes
Ann Worley Atlassian Team May 19, 2017

Is there an error in the browser when it doesn't work? Or are there any related errors in the <JIRA_home>/log/atlassian-jira.log? These will help us take a closer look.

Thanks for the direction, Ann. The error message displayed in the browser is "You do not have a permission to log in. If you think this is incorrect, please contact your JIRA administrators." I don't see any errors in atlassian-jira.log; however, I find them in the file atlassian-jira-security.log. The error messages I see are:

The user 'jseymour' is NOT AUTHORIZED to perform to login for this request.
login : 'jseymour' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
The user 'jseymour' is NOT AUTHORIZED to perform this request.
The user 'jseymour' is NOT AUTHORIZED to perform to login for this request (16 times)

The message that reads "... do not have USE permission ..." is somewhat specific. I logged on to Crowd and made sure that this user is added to the Jira application in Crowd. It sounds like this is some kind of configuration-related issue that I have not figured out yet.

Any help is greatly appreciated please.

Thanks,

Rizwan

Ann Worley Atlassian Team May 22, 2017

It sounds like the user is not in a group that has Global Permission for JIRA. (Cog wheel>system>Global permissions) The default is jira-users. The Crowd setup instructions recommend creating permission groups in Crowd:

"JIRA also requires particular groups to exist in the directory in order to authenticate users. You need to ensure that these three groups exist in the JIRA Directory in Crowd:
jira-users
jira-developers
jira-administrators"

Thanks Ann, this helped me move in the right direction, and my issue is resolved (almost). I also found this link searching for this solution: https://confluence.atlassian.com/jirakb/unable-to-login-to-jira-applications-596770904.html.

I already had the three groups in Jira Directory in Crowd - but those are in the internal directory, not Custom directory. Custom directory comes with its own groups. I just had to assign permissions for the groups in Custom Directory in Jira (Cog wheel>system>Global permissions). The reason why I said "almost" resolved is...

In my Global Permissions, I do not see "JIRA users" permissions, only "Browse Users". I assigned the custom group to "Browse Users" set of permissions but it did not work. Then I assigned the custom group to "JIRA administrators" and it worked. I need to figure out why I don't have "JIRA Users" permissions in my Global permissions. This is in JIRA, not in Crowd. If you happen to know the resolution to this, it would be great.

And again, thanks a lot for the help.

Ann Worley Atlassian Team May 23, 2017

In JIRA go to Applications and then Application Access. To log in, the user must belong to a group on that page: <Base_URL>/secure/admin/ApplicationAccess.jspa. You can add your custom group at the bottom of the page:

Screen Shot 2017-05-23 at 9.42.16 AM.png

Ann, please ignore my question in the previous comment. I think I resolved the issue I had. I also had to assign Application Access to the Custom Directory groups in JIRA. For instance, right now, I did the following in JIRA.

Cog Wheel -> System -> Applications -> Application Access. And here I added the custom directory groups to the application access. And now the Custom directory users from the added groups are able to log in to JIRA without having to add them to JIRA administrators.

From this point on, I think, any issues I may have may be related to the complex permission schemes I need to configure. My primary issue with making the custom directory interface (RemoteDirectory) work is resolved.

Thanks a lot again!

Sorry, I posted my comment before reading your reply.  Thanks!  This Application Access page resolved my issue.
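
An added example (not part of the thread and not Atlassian code): a small Python triage of the atlassian-jira-security.log messages quoted above, separating the "USE permission" denial that pointed to Application Access from the other NOT AUTHORIZED entries. The sample lines are copied from the thread, which showed no timestamps; the function name `triage` and the reading of "(16 times)" as a repeat count are assumptions.

```python
import re
from collections import defaultdict

# Messages as quoted in the thread (no timestamps or logger prefixes were shown).
SAMPLE_LOG = """\
The user 'jseymour' is NOT AUTHORIZED to perform to login for this request.
login : 'jseymour' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
The user 'jseymour' is NOT AUTHORIZED to perform this request.
The user 'jseymour' is NOT AUTHORIZED to perform to login for this request (16 times)
"""

# search() is used so that a leading timestamp/prefix would not break matching.
NO_USE_PERMISSION = re.compile(
    r"login : '([^']+)' tried to login but they do not have USE permission")
NOT_AUTHORIZED = re.compile(r"The user '([^']+)' is NOT AUTHORIZED to perform\b")
REPEAT = re.compile(r"\((\d+) times\)\s*$")  # assumption: suffix is a repeat count


def triage(log_text):
    """Summarise denials per user and suggest where to look first."""
    stats = defaultdict(lambda: {"not_authorized": 0, "no_use_permission": 0})
    for line in log_text.splitlines():
        repeat = REPEAT.search(line)
        count = int(repeat.group(1)) if repeat else 1
        for key, pattern in (("no_use_permission", NO_USE_PERMISSION),
                             ("not_authorized", NOT_AUTHORIZED)):
            match = pattern.search(line)
            if match:
                stats[match.group(1)][key] += count
                break
    report = {}
    for user, counts in stats.items():
        if counts["no_use_permission"]:
            # Credentials were not the failing step named by this message.
            hint = ("user not found or lacks USE permission: "
                    "check the user's groups under Application Access")
        else:
            hint = "request denied; no USE-permission message seen for this user"
        report[user] = dict(counts, diagnosis=hint)
    return report


if __name__ == "__main__":
    for user, info in triage(SAMPLE_LOG).items():
        print(user, info)
```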
