Does LDAP require a login account?

Leif Neve December 5, 2011

I am configuring a directory to connect to LDAP for delegated authentication. The LDAP administrators tell me that this server does not allow anonymous binding. I am not clear what that implies for Jira configuration. Does that mean I must supply a username/password when I set up the configuration? Or is that unnecessary since Jira supplies a username/password when it authenticates a Jira login?

I have tried configuring the directory both with a username/password and not. If I don't configure a username/password, I get an LDAP error like this:

Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1772^@]; remaining name 'ou=ad,dc=nih,dc=gov'

If I configure the directory with a username/password, I get this LDAP error instead:

nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772^@]

I'm not sure what to try next. Thanks.

6 answers

1 accepted

4 votes
Answer accepted
Jobin Kuruvilla [Adaptavist]
Rising Star
December 5, 2011

You would need a username/password and it must have proper read access on the DN configured. The username can be of the following formats:

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com
  • cn=user,dc=domain,dc=name
  • user@domain.name
0 votes
Manse Wolken
Rising Star
December 6, 2011

Well,

2011-12-06 12:34:32,506 http-8443-17 anonymous 754x795x1 12jgmcq 130.14.108.26 /rest/gadget/1.0/login login : 'aalneve' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

happened to me because I forgot to give users the "View" right.

You can either have the groups:"jira-users" and "jira-administrators" created in LDAP. Or enable any other given group to Log in to jira, provided it is found by Jira in LDAP.

You can check this by logging in with the Jira administrator, going to the administrative panel and browsing users. Clicking on a username should give you the groups that the user is in.

And authenticating users:

Jira simply tries to bind to the LDAP with the credentials the user provided on the login page. If that succeeds, the user is authenticated. If not, the user is rejected.

Leif Neve December 6, 2011

Thanks for the note. My LDAP administrators assure me that any user that can bind to LDAP has the permissions to look up secondary users. Is that what you mean? If not, since I have no authority over the LDAP server, I have to work the Jira instead. In that case, what do you mean by "enable any other given group to log into jira"? Since all users have jira-user permission in Jira, they should be able to log in.

Manse Wolken
Rising Star
December 6, 2011

Have you checked that your users have the "can use" permission? Take "aalneve", open the user browser in jira, search for aalneve and open the userdetails. There should be a bunch of groupmemberships displayed for that user. There should be at least the "jira-users" group listed.

Leif Neve December 6, 2011

Yes, I checked and aalneve is a member of the jira-users group. (BTW, every user created in Jira is automatically added to that group.)

Manse Wolken
Rising Star
December 6, 2011

So your users are all synchronized with Jira, they have login rights and still can't log in. Maybe now it is time to open a support ticket. Because everything you changed sounds right, it should work.

Leif Neve December 6, 2011

I'm not sure what you mean by "synchronized with Jira". I maintain all their information in Jira, and just use LDAP for authentication. There is no synchronizing that I know of. But yes, I have created a support ticket.

JamieA
Rising Star
December 6, 2011

> Jira simply tries to bind to the LDAP with the credentials the user provided on the login page. If that succeeds, the user is authenticated. If not, the user is rejected.

That's not quite true. JIRA will bind to LDAP using the bind user you give as a param, search for the user using the uid=<login> filter, or whatever attribute you give. Then when it has the full DN for the user it attempts to bind with the user-provided password.

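The bind, search, bind sequence JamieA describes, written out as an added example (not Jira's or Atlassian Crowd's own code) so the three steps and their failure points are visible. The directory is a constructed in-memory stand-in that, like the server in the question, refuses searches on an unbound connection; the service bind DN `cn=jira-svc,cn=users,dc=ad,dc=example,dc=com`, the user entries and the passwords are assumptions. Three checks a practitioner wants around this flow: the login name is RFC 4515-escaped before it goes into the `(sAMAccountName=...)` filter, exactly one entry must come back before the second bind, and an empty password is refused up front because a DN with an empty password is an unauthenticated bind that many servers, Active Directory included, treat as anonymous success. The last function reads the `data NNN` sub-code of an Active Directory error 49; `data 525` in the question's second error means the bind DN itself was not found, which matches the follow-up that getting the proper DN from the LDAP administrator fixed the bind.

```python
import re

# RFC 4515 escaping for values placed inside a search filter.  Without it a
# login of '*' or 'x)(cn=*' rewrites the filter (LDAP injection).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def _filter_value_to_regex(raw):
    """Fake-server side: an unescaped '*' is a wildcard, '\\xx' a literal character."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 2 < len(raw):
            parts.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append('.*' if raw[i] == '*' else re.escape(raw[i]))
            i += 1
    return re.compile(''.join(parts), re.IGNORECASE)

class FakeDirectory:
    """Constructed in-memory stand-in for a server that refuses anonymous search."""
    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attribute: value}
        self.passwords = passwords  # dn -> password
        self.bound_as = None

    def bind(self, dn, password):
        # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind, which servers (AD included) may accept as anonymous.  Mirror
        # that so the caller's empty-password check is visibly necessary.
        if password == '':
            self.bound_as = None
            return True
        self.bound_as = dn if self.passwords.get(dn) == password else None
        return self.bound_as is not None

    def search(self, base, ldap_filter):
        if self.bound_as is None:
            raise PermissionError('LDAP error code 1: a successful bind must '
                                  'be completed on the connection')
        m = re.fullmatch(r'\(([\w-]+)=(.*)\)', ldap_filter)
        if not m:
            raise ValueError('unsupported filter: ' + ldap_filter)
        attr, pattern = m.group(1), _filter_value_to_regex(m.group(2))
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower())
                and attr in attrs and pattern.fullmatch(str(attrs[attr]))]

def authenticate(directory, login, password, base, service_dn, service_pw,
                 attr='sAMAccountName'):
    """Returns (ok, detail).  Service bind -> search for the user DN -> user bind."""
    if password == '':
        return False, 'empty password refused (would be an unauthenticated bind)'
    if not directory.bind(service_dn, service_pw):
        return False, 'service-account bind failed: check bind DN format/password'
    hits = directory.search(base, '(%s=%s)' % (attr, escape_filter_value(login)))
    if len(hits) != 1:
        return False, 'expected exactly one entry for %r, got %d' % (login, len(hits))
    if not directory.bind(hits[0], password):
        return False, 'user bind failed for ' + hits[0]
    return True, hits[0]

# Active Directory AcceptSecurityContext sub-codes, for reading the
# "data NNN" field of error 49 messages like the one in the question.
_AD_DATA_CODES = {'525': 'user not found', '52e': 'invalid credentials',
                  '530': 'logon not permitted at this time',
                  '531': 'logon not permitted at this workstation',
                  '532': 'password expired', '533': 'account disabled',
                  '701': 'account expired', '773': 'user must reset password',
                  '775': 'account locked out'}

def ad_bind_failure_reason(message):
    m = re.search(r'AcceptSecurityContext error, data ([0-9a-fA-F]+)', message)
    if not m:
        return None
    return _AD_DATA_CODES.get(m.group(1).lower(), 'unknown data code ' + m.group(1))

# Constructed sample directory; the DNs, accounts and passwords are assumptions.
BASE = 'dc=ad,dc=example,dc=com'
SERVICE_DN = 'cn=jira-svc,cn=users,' + BASE
USER_DN = 'cn=aalneve,cn=users,' + BASE
OTHER_DN = 'cn=lneve,cn=users,' + BASE
DIRECTORY = FakeDirectory(
    entries={SERVICE_DN: {'sAMAccountName': 'jira-svc'},
             USER_DN: {'sAMAccountName': 'aalneve'},
             OTHER_DN: {'sAMAccountName': 'lneve'}},
    passwords={SERVICE_DN: 'svc-secret', USER_DN: 'correct-horse', OTHER_DN: 'hunter2'})

if __name__ == '__main__':
    for login, pw in [('aalneve', 'correct-horse'), ('aalneve', 'wrong'),
                      ('aalneve', ''), ('*', 'anything')]:
        print(login, repr(pw), '->',
              authenticate(DIRECTORY, login, pw, BASE, SERVICE_DN, 'svc-secret'))
    print(ad_bind_failure_reason('[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, '
                                 'comment: AcceptSecurityContext error, data 525, v1772]'))
```

To run this against a real server, replace `FakeDirectory` with a thin wrapper over python-ldap or ldap3 exposing the same `bind(dn, password)` and `search(base, filter)` calls; the `authenticate` logic does not change. Note that the search must return the entry's full DN, because that DN, not the login name, is what the second bind uses.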

0 votes
Leif Neve December 5, 2011

I've been able to get the proper DN from the LDAP administrator and can now bind successfully. I'm still not able to authenticate *other* users, though. This is what the security log reports when user "aalneve" tries to log into Jira:

2011-12-06 12:34:32,506 http-8443-17 anonymous 754x795x1 12jgmcq 130.14.108.26 /rest/gadget/1.0/login login : 'aalneve' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2011-12-06 12:34:32,517 http-8443-17 anonymous 754x795x1 12jgmcq 130.14.108.26 /rest/gadget/1.0/login The user 'aalneve' has FAILED authentication. Failure count equals 1

I'm a little unclear how authentication happens. Does Jira send up the username and password of "aalneve" to LDAP to see if there is a match? Does the LDAP principal ("lneve", in this case) need any special privileges to allow this? The LDAP administrator assures me it has universal read access. Is that enough to authenticate users? If it makes any difference this is Microsoft Active Directory authentication.

0 votes
Robert Lauriston
Rising Star
December 5, 2011

OpenLDAP is working for us in Confluence without a username or password. The key was setting LDAP Permissions to Read Only with Local Groups. We also set the Base DN, Additional User DN, AdditionalGroupDN, User Object Filter, User Name Attribute, User Name RDN Attribute, User Display Name Attribute, User Email Attribute, User Password Encryption, Group Object Class, Group Object Filter, and Use the User Membership Attribute. Other settings are all default.

0 votes
Manse Wolken
Rising Star
December 5, 2011

Hello,

your LDAP administrators have configured the ldap server to accept search requests only if it comes from a valid user. Thus you have to authenticate.

I think they gave you a user DN and the password for this user like:

uid=loginname,ou=users,dc=foo,dc=bar

just typing the loginname in the ldap userdn field won't help, you need a dn (your ldap administrators can provide you with this).

And: Make sure you use the correct connection to the ldap server. It can happen that the server listens on port 383 (non encrypted) and on port 636 (encrypted). Some LDAP servers listen on both but accept valid connections only on the encrypted port.

If possible, ask one LDAP administrator to take a look at your configuration.

Best regards,

Manse Wolken
