Does LDAP require a login account?

I am configuring a directory to connect to LDAP for delegated authentication. The LDAP administrators tell me that this server does not allow anonymous binding. I am not clear what that implies for Jira configuration. Does that mean I must supply a username/password when I set up the configuration. Or is that unnecessary since Jira supplies a username/password when it authenticates a Jira login?

I have tried configuring the directory both with a username/password and not. If I don't configure a username/password, I get an LDAP error like this:

Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772^@]; remaining name 'ou=ad,dc=nih,dc=gov'

If I configure the directory with a username/password, I get this LDAP error instead:

nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772^@]

I'm not sure what to try next. Thanks.

6 answers

1 accepted

4 votes
Accepted answer

You would need a username/password and it must have proper read access on the DN configured. The username can be of the following formats:

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com
  • cn=user,dc=domain,dc=name
  • user@domain.name

Hello,

your LDAP administrators have configured the ldap server to accept search requests only if it comes from a valid user. Thus you have to authenticate.

I think they gave you a user DN and the password for this user like:

uid=loginname,ou=users,dc=foo,dc=bar

just typing the loginname in the ldap userdn field won't help, you need a dn (your ldap administrators can provide you with this).

And: Make sure you use the correct connection to the ldap server. It can happen that the server listens on port 383 (non encrypted) and on port 636 (encrypted). Some LDAP servers listen on both but accept valid connections only on the encrypted port.

If possible, ask one LDAP administrator to take a look at your configuration.

Best regards,

Manse Wolken

OpenLDAP is working for us in Confluence without a username or password. The key was setting LDAP Permissions to Read Only with Local Groups. We also set the Base DN, Additional User DN, AdditionalGroupDN, User Object Filter, User Name Attribute, User Name RDN Attribute, User Display Name Attribute, User Email Attribute, User Password Encryption, Group Object Class, Group Object Filter, and Use the User Membership Attribute. Other settings are all default.

I've been able to get the proper DN from the LDAP administrator and can now bind successfully. I'm still not able to authenticate *other* users, though. This is what the security log reports when user "aalneve" tries to log into Jira:

2011-12-06 12:34:32,506 http-8443-17 anonymous 754x795x1 12jgmcq 130.14.108.26 /rest/gadget/1.0/login login : 'aalneve' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2011-12-06 12:34:32,517 http-8443-17 anonymous 754x795x1 12jgmcq 130.14.108.26 /rest/gadget/1.0/login The user 'aalneve' has FAILED authentication. Failure count equals 1

I'm a little unclear how authentication happens. Does Jira send up the username and password of "aalneve" to LDAP to see if there is a match? Does the LDAP principal ("lneve", in this case) need any special privileges to allow this? The LDAP administrator assures me it has universal read access. Is that enough to authenticate users? If it makes any difference this is Microsoft Active Directory authentication.

Well,

2011-12-06 12:34:32,506 http-8443-17 anonymous 754x795x1 12jgmcq 130.14.108.26 /rest/gadget/1.0/login login : 'aalneve' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

happened to me because I forgot to give users the "View" right.

You can either have the groups:"jira-users" and "jira-administrators" created in LDAP. Or enable any other given group to Log in to jira, provided it is found by Jira in LDAP.

You can check this by logging in with the Jira administrator, going to the administrative panel and browsing users. Clicking on a username should give you the groups that the user is in.

And authenticating users:

Jira simply tries to bind to the LDAP with the credentials the user provided on the login page. If that succeeds, the user is authenticated. If not, the user is rejected.

Thanks for the note. My LDAP administrators assure me that any user that can bind to LDAP has the permissions to look up secondary users. Is that what you mean? If not, since I have no authority over the LDAP server, I have to work the Jira instead. In that case, what do you mean by "enable any other given group to log into jira"? Since all users have jira-user permission in Jira, they should be able to log in.

Have you checked that your users have the "can use" permission? Take "aalneve", open the user browser in jira, search for aalneve and open the userdetails. There should be a bunch of groupmemberships displayed for that user. There should be at least the "jira-users" group listed.

Yes, I checked and aalneve is a member of the jira-users group. (BTW, every user created in Jira is automatically added to that group.)

So your users are all synchronized with Jira, they have login right and still can't login. Maybe now it is time to open a support ticket. Because everything you changed sounds right, it should work.

I'm not sure what you mean by "synchronized with Jira". I maintain all their information in Jira, and just use LDAP for authentication. There is no synchronizing that I know of. But yes, I have created a support ticket.

> Jira simply tries to bind to the LDAP with the credentials the user provided on the login page. If that succeeds, the user is authenticated. If not, the user is rejected.

That's not quite true. JIRA will bind to LDAP using the bind user you give as a param, search for the user using the uid=<login> filter, or whatever attribute you give. Then when it has the full DN for the user it attempts to bind with the user-provided password.
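The three-step flow described in that reply (service-account bind, search for the login name, then bind as the resolved DN), modelled as an added toy example; this is constructed for illustration and is not Jira's, Crowd's or Active Directory's code. The directory contents, DNs, passwords and the read ACL are all made up, and the result/data codes it raises follow the LDAP and AD conventions seen in the question's error messages.

```python
# Toy in-memory model of Jira's delegated-LDAP login (constructed example):
# the configured bind account authenticates, searches for the login name,
# and the DN it finds is then bound with the user's own password.
class LdapError(Exception):
    def __init__(self, code, data):
        super().__init__(f"LDAP: error code {code}, data {data}")
        self.code, self.data = code, data

# Constructed directory: DN -> (attributes, password). A real server never
# exposes passwords; here they only let the toy server check simple binds.
DIRECTORY = {
    "cn=jirasvc,ou=service,dc=example,dc=com": ({"uid": "jirasvc"}, "svc-secret"),
    "cn=aalneve,ou=ad,dc=example,dc=com":      ({"uid": "aalneve"}, "user-secret"),
}
# Subtree each bound principal may read. Anonymous (None) may read nothing,
# which mirrors the "successful bind must be completed" error in the question.
READ_ACL = {"cn=jirasvc,ou=service,dc=example,dc=com": "dc=example,dc=com"}

def bind(dn, password):
    """Simple bind: return the bound DN or raise an AD-style code-49 error."""
    if dn not in DIRECTORY:            # a bare login name instead of a DN lands here
        raise LdapError(49, "525")     # AD data 525: user not found
    if DIRECTORY[dn][1] != password:
        raise LdapError(49, "52e")     # AD data 52e: invalid credentials
    return dn

def search(bound_dn, base_dn, attr, value):
    """Return DNs under base_dn whose attr equals value, subject to READ_ACL."""
    scope = READ_ACL.get(bound_dn)
    if scope is None or not base_dn.endswith(scope):
        raise LdapError(1, "0")        # operationsError: not bound / no read right
    return [dn for dn, (attrs, _) in DIRECTORY.items()
            if dn.endswith(base_dn) and attrs.get(attr) == value]

def delegated_login(svc_dn, svc_pw, base_dn, login, login_pw):
    """Jira-style flow: service bind -> search uid=<login> -> bind as that DN."""
    svc = bind(svc_dn, svc_pw)                 # step 1: the configured bind account
    hits = search(svc, base_dn, "uid", login)  # step 2: resolve login name to a DN
    if len(hits) != 1:
        return False                           # unknown or ambiguous login name
    try:
        bind(hits[0], login_pw)                # step 3: the user's own credentials
    except LdapError as e:
        if e.code == 49:
            return False                       # wrong password, disabled, etc.
        raise
    return True
```

Note that step 2 is why the bind account needs read access over the configured base DN even though it never sees the user's password, and why a bare login name in the "username" field fails with data 525 before any user is ever checked.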

