Active Directory users cannot login to Jira 5.2.5

I have installed an EVAL licensed Jira 5.2.5 (Windows 32bit installer) on 32-bit Windows Server 2008 R2. User directory is connected to "LDAP (MS Active directory) with local Group". I can see all the AD users pulled in to Jira users list. And I can add some LDAP users to the local jira-administrators group. However, when I tried to login to Jira (http://server:8080) with these LDAP users, the login page seems to crash. After I restart Jira service, I can login again with a local Jira admin. What's interesting is that the user list shows that the LDAP user that tried to login has the successful login count increased.

5 answers

1 accepted

Finally an Atlassian engineer Daniel has helped me find out the problem was caused by the ldap users not having the "E-mail" attribute configured. A "null" value was inserted into Oracle db table which JIRA was not able to parse. The internal HSQLDB worked differently and didn't have this problem.
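A pre-flight check for the cause named in the accepted answer, as an added example that is not part of the original thread and not Atlassian's code: it scans an LDIF export of the directory's user objects and lists accounts with no usable `mail` value. The sample entries and function names are constructed for illustration; against a live directory, the standard LDAP filter `(&(objectClass=user)(!(mail=*)))` selects the same accounts.

```python
import base64

# Constructed sample LDIF export of user objects (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=com
sAMAccountName: alice
mail: alice@example.com

dn: CN=Bob Example,OU=Staff,DC=example,DC=com
sAMAccountName: bob

dn: CN=Carol Example,OU=Staff,DC=example,DC=com
sAMAccountName: carol
mail:

dn: CN=Dave Example,OU=Staff,DC=example,DC=com
sAMAccountName: dave
mail:: ZGF2ZUBleGFtcGxlLmNvbQ==
"""


def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # RFC 2849: a line starting with a single space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry


def users_without_mail(text, attr="mail"):
    """Return sAMAccountName (or DN) of entries with no non-empty mail value."""
    missing = []
    for entry in parse_ldif(text):
        # Empty values count as missing: Oracle stores a zero-length string as NULL.
        if not any(v.strip() for v in entry.get(attr, [])):
            missing.append((entry.get("samaccountname") or entry.get("dn") or ["?"])[0])
    return missing
```

Running `users_without_mail` on the export before pointing Jira at an Oracle-backed instance shows which accounts need the attribute populated first.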

I am not sure if this is an answer, but I have experienced a similar problem. In my case we had a problem with the domain controller and all sorts of authentication issues. I re-ordered the directory settings in User Directories then found that the AD settings had been deleted somehow. Re-entering them sorted out the problem. Are the AD settings exactly as they need to be?

Hi Geoff: thanks for trying to answer my question. My ldap directory has been configured as "Read only with local group". I have been adding and removing the ldap directory a few times and re-entering the AD settings every time it's re-added. The ldap directory test always passed (test basic connection, retrieve user, retrieve groups, retrieve user membership, and user authentication...etc --- are all good). And I can see all the ldap users show up in Jira. Therefore I assume the ldap settings are correct!? The ldap directory synchronisation sometimes failed but most of the time succeeded when I tried to sync manually. The following errors are found in "jira...stdout" log file:

2013-01-23 23:14:52,932 QuartzWorker-1 DEBUG ServiceRunner [org.objectweb.jotm.jta] Current.getStatus()
2013-01-23 23:14:52,932 QuartzWorker-1 ERROR ServiceRunner [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10202 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: mydomain.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:266)
    at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:40)
    at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
    at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
    at com.

Lando, I am working on a similar problem myself, using AD with local groups same as you, where AD users can log in, but I cannot remove them from local groups; I get that OperationFailedException as well.

The fact that synchronisation fails from time to time is, I feel, a hint, because I am getting that too. I suspect something in the AD settings is wrong but have not found the source yet.

I will let you know if I get any more leads for you to follow.

Geoff.

Hi Geoff, thanks again for the info! But I have another quick question: did you just simply connect to the AD LDAP as "Read only with Local group" before your AD users could login to Jira? Or did you need to do more configuration to make that happen? --- Like running extra config tool, installing extra plugin, or modifying additional config files?

In my case, I simply connected to AD as "Read only with Local group" then I was able to see all the LDAP objects showed up in Jira, but the LDAP users just could not login even after being added to jira-administrators and jira-users.

Thanks again!

Lando

Yeah, Lando, it is not so much that you need a plugin, but depending on how your LDAP is configured there are a bunch of settings that control how Jira navigates the groups and folders of your LDAP server. I guess https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory is where I started from. In my case not being a network guy I had to get my sysadmin to help with the syntax of things like basedn and filters. If Jira can see the users, it does not mean it can navigate your LDAP server if these other settings are not there.

Geoff

Thanks again Geoff! I will see if I can get help from our IT guys! :-)

--Lando

I finished installing my second instance of trial Jira 5.2.5 and this time I don't have the LDAP user login problem. Just in case there may be people who are interested in this result, the following is a list of things that are different from my first Jira instance that had the LDAP user login problem. (However, I am still not sure which of the following actually made the difference)

1. installed a jdk 1.6 and configured JAVA_HOME before installing Jira (this is supposed to be unnecessary since the Jira windows installer comes with a JRE. The first instance was running with the bundled jre)

2. upgraded the IE that comes with Windows server 2008 to IE9 then disabled the Enhanced Security Feature. (my first Jira instance was configured through IE8 with Enhanced Security Feature enabled, with that I was not able to apply my eval key unless I copied the keys elsewhere then traversed a few web pages back to manually apply it -- not sure if that caused any problem)

3. stuck to the bundled HSQL DB --- I got a complaint about the Oracle DB not being empty when I tried to choose the "external database" option to connect to my freshly created new Oracle 11g DB, which looks like a Jira bug to me. (I will try to switch to "external db" again later and hopefully not get into any problem).

4. created a blank project right after the first login onto Jira (also not sure if this is relevant :-)

Then I configured the same AD LDAP user directory and was able to login with the ldap users after adding them to those Jira groups.

Again, many thanks to Geoff.

--Lando

This is getting a little frustrating: I bypassed the "DB is not empty" error by connecting to the DB using a newly created DB user which had its default tablespace bound to a freshly created tablespace datafile, then I was able to export the existing data in the internal DB to an external Oracle 11g db instance. However, I hit the same problem again when trying to login with the existing LDAP users.

I am really running out of ideas now after trying so many different tests (including trying early version JIRA5.2.1 and different JRE including the installer-bundled jre, jre1.6U30, and jre1.7U5) and still getting the same problem. Has anyone tried the same and gotten it to work? Or if you ever got a chance can you try the following and share your experience?

1. install JIRA win32 installer on 32bit Windows 2008 server standard version (VM running on ESX4 or ESX5 server in my case) with an Eval license.

2. configure the database as an external Oracle 11g DB (in my case it's an Oracle 11g R2 installed on 32-bit Windows server 2008 SP2 VMware). You may need to create a user (instead of using the system) with its default tablespace pointing to a new one if you hit the complaint "database is not empty" when trying to connect the DB.

3. Add a Microsoft Active Directory LDAP user directory with the "Read only, with local group" option.

4. Add some of your ldap domain users to Jira groups like "Jira-administrators"

5. Try to login with the ldap users mentioned in previous step to see if you can login (usually it's http://localhost:8080)

In my case, my ldap users can login successfully if the DB is connected to the internal HSQLDB. However if the DB is an external Oracle DB, the ldap user will either get a message "Sorry, an error occurred trying to log you in - please try again" or crash the login page with "Internet Explorer cannot display the webpage" (IE 9 in my case). And the log file "atlassian-jira-security" shows the LDAP user "has passed the authentication". On the other hand atlassian-jira.log does have error message "[500ErrorPage.jsp] Exception caught in 500 page org.apache.jasper.JasperException". By the way, my oracle DB connection looked fine since I saw all the Jira tables populated to the DB without showing any errors during setup.

Dear Atlassian engineers: any hints? :-)

Thanks!

Lando from AI
