Unable to authenticate to LDAP. How can I get into products to reconfigure?

Trevor Wood February 8, 2022

This is not only in Crowd but in our other Atlassian products, too.  I can't authenticate via our LDAP; getting very vague errors. Is there a way to restore a local administrator account or otherwise get into crowd through a back door, so I can test or fix the configuration?  I have full access to the server and the database.

1 answer

Answer accepted
Reneesh Kottakkalathil
Rising Star
February 8, 2022

Hello @Trevor Wood 

Maybe there is a problem with your user directory configuration. Here is an example for configuring user directories in Jira: https://confluence.atlassian.com/adminjiraserver/configuring-user-directories-938847049.html

Were you able to authenticate before? If so, check for all the recent changes in the environment.

Trevor Wood February 8, 2022

Thank you for the reply!

Yes, this configuration was working. The only thing we know changed is the previous cert on the server expired, but we thought it was replaced properly. The web-facing side of things does show the updated cert.

Reneesh Kottakkalathil
February 8, 2022

Under the User Directory settings, there is a test option. Have you tried the test to see if that works? Can you paste the logs if you see any error? On which Atlassian product did the previous cert expire, and where did you renew it?

(screenshot attached: userdir.jpg)

Trevor Wood February 9, 2022

Unfortunately, I can't get that far, since the User Directories page is behind authentication and I can't authenticate. We have a CentOS server which has crowd, bamboo, confluence, jira, and bitbucket running on it. The db is on another server running MySQL.  The LDAP I'm trying to authenticate from is Active Directory.

Crowd log excerpt:

2022-02-08 14:44:04,690 http-nio-8095-exec-6 ERROR [jdbc.batch.internal.BatchingBatch] HHH000315: Exception executing batch [java.sql.BatchUpdateException: Duplicate entry '[redacted]' for key 'uk_token_id_hash'], SQL: insert into cwd_token (directory_id, entity_name, random_number, identifier_hash, random_hash, created_date, last_accessed_date, last_accessed_time, duration, id) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)

2022-02-08 14:44:04,691 http-nio-8095-exec-6 ERROR [engine.jdbc.spi.SqlExceptionHelper] Duplicate entry '[redacted]' for key 'uk_token_id_hash'

2022-02-08 14:44:05,597 http-nio-8095-exec-7 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory '[redacted]' is not functional during authentication of '[redacted]'. Skipped.

Here's a line from the Jira log:

atlassian-jira.log:2022-02-08 14:44:05,687-0500 http-nio-8080-exec-1 ERROR anonymous 883x26x1 69m0nt 172.17.0.21,127.0.0.1 /rest/gadget/1.0/login [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user...

Reneesh Kottakkalathil
February 9, 2022

@Trevor Wood 

You can use the local admin account (non-AD) of Jira or the other products to log in and explore the settings.

Trevor Wood February 9, 2022

Admin account worked!  Still having trouble, but at least I can get to the User Directories area.  For the test, most turned green, but this was an error at the bottom:

Test user can authenticate : Failed

Error from Crowd server propagated to here via REST API (check the Crowd server logs for details): org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: admin-dc1.[redacted.server.domain]:636; nested exception is javax.naming.CommunicationException: admin-dc1.[redacted.server.domain]:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed]
Reneesh Kottakkalathil
February 9, 2022

Good news that you are able to log in with your admin account. I know this PKIX error. This is because your products are missing the intermediate (chain) certificate in the JDK's cacerts file. Importing the chain certificate into the JDK's cacerts file will fix the issue.

Refer to this link: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-error-779355358.html

Trevor Wood February 11, 2022

We are back up and connected.  I believe it started working after we ran 'update-ca-trust extract' with the intermediate and chain certs in the anchors directory.  Had to do a restart of each app.

I guess the cacerts file that java used was not updated when we first updated the certs. 
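The two things this thread ends up exercising are what chain the domain controller actually presents on port 636 (the JDK reports an expired or not-yet-valid certificate as "validity check failed") and which cacerts file the JVM running Crowd really reads: on RHEL/CentOS the packaged OpenJDK's cacerts is a symlink into /etc/pki/java/cacerts, which `update-ca-trust extract` regenerates from the anchors directory, whereas a JRE bundled under an Atlassian install directory has its own file that update-ca-trust never touches. The script below is an added example for this page, not code from the thread or from Atlassian; the host name, the JAVA_HOME paths in the usage section, the issuer CN and the default `changeit` truststore password are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Atlassian): diagnose the LDAPS
# "PKIX path validation failed" error from the Crowd host.
# Assumed: the host passed in LDAPS_HOST, the JAVA_HOME paths in the usage
# section, the issuer CN in ISSUER_CN and the JDK default password "changeit".

# 1. Fetch the chain the domain controller presents and print the leaf's
#    subject, issuer and validity window. -showcerts makes s_client print every
#    certificate the server sends; `openssl x509` reads the first (the leaf).
#    `-checkend 0` exits non-zero when the leaf is already expired, which is
#    what the JDK reports as "validity check failed".
ldaps_leaf_info() {
  host=$1
  port=${2:-636}
  echo | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -checkend 0
}

# 2. Resolve the truststore a given JVM really reads. lib/security/cacerts is
#    the Java 9+ layout (and JAVA_HOME=.../jre on Java 8); jre/lib/security/cacerts
#    is a Java 8 JDK root. readlink -f follows the RHEL/CentOS symlink into
#    /etc/pki/java/cacerts; a bundled JRE resolves to its own regular file.
jvm_cacerts() {
  java_home=$1
  for candidate in "$java_home/lib/security/cacerts" "$java_home/jre/lib/security/cacerts"; do
    if [ -e "$candidate" ]; then
      readlink -f "$candidate"
      return 0
    fi
  done
  return 1
}

# 3. Check whether a truststore holds an entry whose owner matches the issuer
#    name printed by step 1 (e.g. the issuing CA's CN).
truststore_has_issuer() {
  store=$1
  issuer_cn=$2
  keytool -list -v -keystore "$store" -storepass changeit 2>/dev/null \
    | grep -q "^Owner: .*$issuer_cn"
}

# Usage: runs only when LDAPS_HOST is set, so the functions can be sourced and
# exercised without network access.
if [ -n "${LDAPS_HOST:-}" ]; then
  ldaps_leaf_info "$LDAPS_HOST" || echo "leaf certificate from $LDAPS_HOST is expired"
  for jh in /usr/lib/jvm/jre /opt/atlassian/crowd/jre; do   # assumed paths
    store=$(jvm_cacerts "$jh") || continue
    echo "$jh reads $store"
    if truststore_has_issuer "$store" "${ISSUER_CN:-Example Issuing CA}"; then
      echo "  issuer present in $store"
    else
      echo "  issuer NOT present in $store"
    fi
  done
fi
```

Run step 2 against the JAVA_HOME each Atlassian service actually starts with (check the service's setenv.sh or unit file) before assuming that `update-ca-trust extract` reached it. Dropping an intermediate into /etc/pki/ca-trust/source/anchors makes that intermediate a trust anchor in its own right, so the JVM will accept anything it signs even when the root is absent; if that is broader than intended, anchor the root and let the server send the intermediate instead.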
