Active Directory users cannot login to Jira 5.2.5

Gang Liang January 22, 2013

I have installed an EVAL licensed Jira 5.2.5 (Windows 32-bit installer) on 32-bit Windows Server 2008 R2. The user directory is connected to "LDAP (MS Active Directory) with local groups". I can see all the AD users pulled into the Jira users list, and I can add some LDAP users to the local jira-administrators group. However, when I try to log in to Jira (http://server:8080) with these LDAP users, the login page seems to crash. After I restart the Jira service, I can log in again with a local Jira admin. What's interesting is that the user list shows that the LDAP user that tried to log in has its successful login count increased.

5 answers

1 accepted

0 votes
Answer accepted
Gang Liang February 7, 2013

Finally, an Atlassian engineer, Daniel, helped me find out that the problem was caused by the LDAP users not having the "E-mail" attribute configured. A "null" value was inserted into the Oracle DB table, which JIRA was not able to parse. The internal HSQLDB worked differently and didn't have this problem.
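The accepted answer points at users being synchronised without an e-mail address. As an added example that is not part of the thread or of Jira itself, the following Python script scans an LDIF export of the AD user container offline (the sample LDIF below is constructed; DNs, names and addresses are made up) and lists the accounts whose mail attribute is missing or empty, so they can be fixed in AD or excluded before the next sync. The default AD user object filter string and the `(mail=*)` narrowing in `require_mail` are assumptions offered here as a mitigation, not something the thread states.

```python
"""List directory users that would be synchronised into Jira without an e-mail address.

Added example (not from the thread or from Atlassian): parses an LDIF export of the
AD user container and reports user objects with no non-empty "mail" value.
"""
import base64

# Constructed sample export; all DNs, names and addresses are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: alice
mail: alice@mydomain.com

dn: CN=Bob Example,OU=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=Carol Example,OU=Users,DC=mydomain,DC=com
objectClass: user
sAMAccountName: carol
mail:: Y2Fyb2xAbXlkb21haW4uY29t

dn: CN=svc-jira,OU=Service Accounts,DC=mydomain,DC=com
objectClass: user
sAMAccountName: svc-jira
mail:

dn: CN=Jira Admins,OU=Groups,DC=mydomain,DC=com
objectClass: group
member: CN=Alice Example,OU=Users,DC=mydomain,DC=com
"""


def parse_ldif(text):
    """Parse LDIF into a list of dicts: lower-cased attribute name -> list of values.

    Handles folded continuation lines (leading space), base64 values ("attr:: ...")
    and comment lines, which is enough for ldifde / ldapsearch exports.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded line continues the previous one
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if line == "":                      # blank line terminates an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()           # "attr:" with nothing after it -> ""
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def users_without_mail(entries):
    """Return sAMAccountNames of user objects that have no non-empty mail value."""
    missing = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "user" not in classes:
            continue                        # groups and containers are not synced as users
        if not any(v for v in entry.get("mail", [])):
            missing.append(entry.get("samaccountname", ["?"])[0])
    return missing


# Assumption: the user object filter Jira pre-fills for an Active Directory
# directory type; narrowing it with (mail=*) keeps mail-less accounts out of the sync.
DEFAULT_USER_FILTER = "(&(objectCategory=Person)(sAMAccountName=*))"


def require_mail(user_filter):
    """Append a (mail=*) clause to an AND filter so users without e-mail are excluded."""
    if user_filter.startswith("(&") and user_filter.endswith(")"):
        return user_filter[:-1] + "(mail=*))"
    return "(&" + user_filter + "(mail=*))"


if __name__ == "__main__":
    for name in users_without_mail(parse_ldif(SAMPLE_LDIF)):
        print("no mail attribute:", name)
    print("suggested user filter:", require_mail(DEFAULT_USER_FILTER))
```

On the sample data the script reports `bob` (attribute absent) and `svc-jira` (attribute present but empty); the base64-encoded value for `carol` is decoded and counts as present. Running it against a real export before connecting the directory to an external database tells you which accounts to fix or filter out, rather than finding out from a 500 page at login.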

0 votes
Gang Liang January 24, 2013

Thanks again, Geoff! I will see if I can get help from our IT guys! :-)

--Lando

Gang Liang January 24, 2013

I finished installing my second instance of trial Jira 5.2.5, and this time I don't have the LDAP user login problem. Just in case there are people who are interested in this result, the following is a list of things that are different from my first Jira instance that had the LDAP user login problem. (However, I am still not sure which of the following actually made the difference.)

1. installed a JDK 1.6 and configured JAVA_HOME before installing Jira (this is supposed to be unnecessary since the Jira Windows installer comes with a JRE; the first instance was running with the bundled JRE)

2. upgraded the IE that comes with Windows Server 2008 to IE9, then disabled the Enhanced Security feature (my first Jira instance was configured through IE8 with the Enhanced Security feature enabled; with that I was not able to apply my eval key unless I copied the keys elsewhere and then traversed a few web pages back to manually apply it -- not sure if that caused any problem)

3. stuck with the bundled HSQL DB --- I got a complaint about the Oracle DB not being empty when I tried to choose the "external database" option to connect to my freshly created Oracle 11g DB, which looks like a Jira bug to me (I will try to switch to "external db" again later and hopefully not get into any problem)

4. created a blank project right after the first login to Jira (also not sure if this is relevant :-)

Then I configured the same AD LDAP user directory and was able to log in with the LDAP users after adding them to those Jira groups.

Again, many thanks to Geoff.

--Lando

Gang Liang January 25, 2013

This is getting a little frustrating: I bypassed the "DB is not empty" error by connecting to the DB using a newly created DB user whose default tablespace was bound to a freshly created tablespace datafile; then I was able to export the existing data in the internal DB to an external Oracle 11g DB instance. However, I hit the same problem again when trying to log in with the existing LDAP users.

Gang Liang January 30, 2013

I am really running out of ideas now after trying so many different tests (including trying the earlier version JIRA 5.2.1 and different JREs, including the installer-bundled JRE, JRE 1.6U30 and JRE 1.7U5) and still getting the same problem. Has anyone tried the same and gotten it to work? Or, if you ever get a chance, can you try the following and share your experience?

1. install JIRA with the win32 installer on 32-bit Windows 2008 Server Standard (a VM running on an ESX4 or ESX5 server in my case) with an Eval license.

2. configure the database as an external Oracle 11g DB (in my case it's Oracle 11g R2 installed on a 32-bit Windows Server 2008 SP2 VMware VM). You may need to create a user (instead of using SYSTEM) with its default tablespace pointing to a new one if you hit the complaint "database is not empty" when trying to connect to the DB.

3. Add a Microsoft Active Directory LDAP user directory with the "Read only, with local group" option.

4. Add some of your LDAP domain users to Jira groups like "jira-administrators".

5. Try to log in with the LDAP users mentioned in the previous step to see if you can log in (usually it's http://localhost:8080).

In my case, my LDAP users can log in successfully if the DB is the internal HSQLDB. However, if the DB is an external Oracle DB, the LDAP user will either get the message "Sorry, an error occurred trying to log you in - please try again" or crash the login page with "Internet Explorer cannot display the webpage" (IE 9 in my case). The log file "atlassian-jira-security" shows the LDAP user "has passed the authentication". On the other hand, atlassian-jira.log does have the error message "[500ErrorPage.jsp] Exception caught in 500 page org.apache.jasper.JasperException". By the way, my Oracle DB connection looked fine, since I saw all the Jira tables populated in the DB without any errors during setup.

Dear Atlassian engineers: any hints? :-)

Thanks!

Lando from AI

0 votes
Geoff Tanner January 24, 2013

Yeah, Lando, it is not so much that you need a plugin, but depending on how your LDAP is configured there are a bunch of settings that control how Jira navigates the groups and folders of your LDAP server. I guess https://confluence.atlassian.com/display/JIRA/Connecting+to+an+LDAP+Directory is where I started from. In my case, not being a network guy, I had to get my sysadmin to help with the syntax of things like the base DN and filters. If Jira can see the users, it does not mean it can navigate your LDAP server if these other settings are not there.

Geoff

0 votes
Geoff Tanner January 24, 2013

Lando, I am working on a similar problem myself, using AD with local groups same as you, where AD users can log in but I cannot remove them from local groups; I get that OperationFailedException as well.

The fact that synchronisation fails from time to time is, I feel, a hint, because I am getting that too. I suspect something in the AD settings is wrong but have not found the source yet.

I will let you know if I get any more leads for you to follow.

Geoff.

Gang Liang January 24, 2013

Hi Geoff, thanks again for the info! But I have another quick question: did you simply connect to the AD LDAP as "Read only, with local groups" before your AD users could log in to Jira? Or did you need to do more configuration to make that happen --- like running an extra config tool, installing an extra plugin, or modifying additional config files?

In my case, I simply connected to AD as "Read only, with local groups" and then I was able to see all the LDAP objects show up in Jira, but the LDAP users just could not log in even after being added to jira-administrators and jira-users.

Thanks again!

Lando

0 votes
Geoff Tanner January 23, 2013

I am not sure if this is an answer, but I have experienced a similar problem. In my case we had a problem with the domain controller and all sorts of authentication issues. I re-ordered the directory settings in User Directories, then found that the AD settings had been deleted somehow. Re-entering them sorted out the problem. Are the AD settings exactly as they need to be?

Gang Liang January 23, 2013

Hi Geoff, thanks for trying to answer my question. My LDAP directory has been configured as "Read only, with local groups". I have added and removed the LDAP directory a few times, re-entering the AD settings every time it's re-added. The LDAP directory tests always passed (test basic connection, retrieve user, retrieve groups, retrieve user membership, user authentication, etc. --- all good), and I can see all the LDAP users show up in Jira. Therefore I assume the LDAP settings are correct!? The LDAP directory synchronisation sometimes failed, but most of the time succeeded when I tried a manual sync. The following errors are found in the "jira...stdout" log file:

2013-01-23 23:14:52,932 QuartzWorker-1 DEBUG ServiceRunner [org.objectweb.jotm.jta] Current.getStatus()
2013-01-23 23:14:52,932 QuartzWorker-1 ERROR ServiceRunner [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10202 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: mydomain.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:266)
    at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:40)
    at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
    at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
    at com.
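The sync error above wraps the real cause five levels deep, which is easy to misread as an LDAP configuration problem. As an added example that is not part of the thread or of any Atlassian tool, the following Python helper unwraps a Crowd/Spring LDAP exception message of this shape into its chain of exception classes, its innermost root cause and the LDAP endpoint named in it. The sample message is copied from the post; the function and variable names are my own.

```python
"""Unwrap a nested Java exception message from the Jira/Crowd directory sync log.

Added example (not from the thread): pulls the exception chain, the innermost
root cause and the LDAP host:port out of a one-line message of the form
"A: B: nested exception is C [Root exception is D: host:port [Root exception is E]]".
"""
import re

# Message text as it appears in the post (only the first line of the stack trace).
SAMPLE_MESSAGE = (
    "com.atlassian.crowd.exception.OperationFailedException: "
    "java.util.concurrent.ExecutionException: "
    "com.atlassian.crowd.exception.OperationFailedException: "
    "org.springframework.ldap.PartialResultException: "
    "nested exception is javax.naming.PartialResultException "
    "[Root exception is javax.naming.CommunicationException: mydomain.com:389 "
    "[Root exception is java.net.ConnectException: Connection timed out: connect]]"
)

# Fully qualified Java exception/error class: lower-case package segments, then a
# capitalised class name ending in Exception or Error.
EXC_RE = re.compile(r"\b((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))\b")

# "host:port" token; the first one in these messages is the LDAP server.
ENDPOINT_RE = re.compile(r"\b([\w.-]+):(\d{1,5})\b")

ROOT_MARKER = "Root exception is "


def exception_chain(message):
    """Exception class names in wrapping order, outermost first."""
    return EXC_RE.findall(message)


def root_cause(message):
    """Text after the last 'Root exception is', up to its closing bracket."""
    idx = message.rfind(ROOT_MARKER)
    if idx < 0:
        return message.strip()              # not nested: the whole message is the cause
    tail = message[idx + len(ROOT_MARKER):]
    depth = 0
    for i, ch in enumerate(tail):
        if ch == "[":
            depth += 1
        elif ch == "]":
            if depth == 0:
                return tail[:i].strip()
            depth -= 1
    return tail.strip()                     # unbalanced brackets: return what is there


def ldap_endpoint(message):
    """(host, port) named in the message, or None if no host:port token is present."""
    m = ENDPOINT_RE.search(message)
    return (m.group(1), int(m.group(2))) if m else None


def triage(message):
    """Summary a responder can act on: what failed, where, and what wrapped it."""
    return {
        "root_cause": root_cause(message),
        "endpoint": ldap_endpoint(message),
        "wrapped_by": exception_chain(message),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

For the message in the post the root cause is `java.net.ConnectException: Connection timed out: connect` against `mydomain.com:389`, i.e. the Jira host could not reach the domain controller on the LDAP port at that moment; that is a network or DNS question for the domain, not a base DN or filter problem, and it is a separate issue from the login failure the accepted answer resolves.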
