I No Longer Have Admin Access After Adding LDAP User Directory (Active Directory)

Zebadiah Ramos October 11, 2017

Hello!

My JIRA admin account no longer has administrative access to JIRA after I set up Active Directory as the primary user directory.  Here's a little more information about my setup:

  • Locally installed on Windows Server 2012.
  • Using MSSQL as my database.
  • Wanted to integrate Active Directory with our JIRA instance for authentication. 
  • Authentication works, but my account (which I gave administrator access to when I started the implementation) as well as the sysadmin account no longer have admin access.

I used a query to pull users belonging to the "Jira-Administrators" group, and sysadmin is no longer listed as a member of that group. My account IS listed as a member of the "JIRA-Administrators" group, but all I'm showing access to is the customer portal I had set up.

Please let me know if more information is needed, and thank you for your help ahead of time!

1 answer

0 votes
Andy Heinzer
Atlassian Team
October 12, 2017

Typically this happens because the username you have in Jira exists in two different user directories. And the addition of a new user directory (if that is ordered higher than the previous directory) will result in your account authenticating to this new directory instead. This has some expected changes that take place. For example, group memberships of your account can be different after this kind of change. Jira does not aggregate the group memberships of your account when that account exists in multiple user directories. It is my understanding that Confluence can do that, but Jira does not. In Jira, the memberships your account has are expected to be restricted to the groups that exist in that directory (the major exception to this is if you're using the Read Only with Local groups option in the User directory setup of Jira, in which case your LDAP user can be a member of a local group in the Jira internal user directory).

Jira determines system admin and Jira admin roles based on the specific group membership your account has.


To better understand your environment, I'd recommend running the following SQL queries against your database:

select group_id from globalpermissionentry where PERMISSION='SYSTEM_ADMIN';

This tells us what groups are granting system admin rights in Jira. By default this is at least 'jira-administrators', however this can be customized to be different group names, or multiple groups. With this information you would then possibly substitute the group names in the next query:

select child_name, directory_id from cwd_membership where parent_name='jira-administrators';


This will provide the user accounts that exist in the group name we provide, and it also tells us what directory_id that account is in (which I think is very important in this case).

We would then also want to see if perhaps you have duplicate group names between these user directories.  Which I think might be causing the confusion here:

select group_name, directory_id from cwd_group where group_name='jira-administrators';


You might need to change the group_name at the end of this query to match the group name that is setup for your Jira system admins in your environment.

Last step is to run a query such as

select * from cwd_directory;


This just tells us the name, type, and id number for each user directory in Jira.  

I suspect that the LDAP account in question is not actually a member of the group that is granting the system admin rights. It is possible that the Internal Jira user account by the same name is a member of that group, but if the LDAP directory is ordered above the internal directory, that user is not expected to get all the memberships the internal user account with the same name has.

I hope this helps.

Zebadiah Ramos October 17, 2017

Hello Andrew!
Thank you for the help! I've attached a screenshot of the output from 

select group_name, directory_id from cwd_group where group_name='jira-administrators';

with "Select * from cwd_directory" as the last step.

Jira2.PNG

It definitely looks like you are correct, all the "Admin" level groups are within directory_id 1, while my Active Directory servers are showing as directories 10000 and 10001. 
What's the best way to correct this while using Active Directory as our main form of authentication? 
Also, if we're using Active Directory for authentication will this still allow external customers access to our Customer Channel/Portal?
Please let me know if more information is needed, and thank you for your time!

Andy Heinzer
Atlassian Team
October 17, 2017

You don't need to worry about customer portal access.  As long as the user has an account in jira, they don't need to be members of any group to access the customer portal site.
But in regards to the loss of Admin rights, there are two different ways to manage this:

  1. Create a group in LDAP/AD that contains these users that should be admins, then sync this group over in Jira, and grant that group administration access.  You can adjust which groups have admin access by following the steps in Managing global permissions.  If you go this route, I'd recommend using different group names such as 'jira-admin-ldap' or something along those lines to keep it clear where this group comes from.
  2. The alternative is to edit the user directory in Jira to use the option "Read only with local groups".  This option would allow you to put these LDAP users in Jira into local groups such as the 'jira-administrators' group that exists in the local user directory.

Either way can work here, it really comes down to a question of where you want to manage this permission: in LDAP (Option 1), or directly in Jira itself (Option 2)? I think that most enterprise customers prefer option 1 to manage this because when new users come and go in the environment, it's one less thing you have to change in Jira directly. However some environments that might have really strict LDAP requirements might not be able to change these easily. In those cases the read only with local groups option allows the Jira admins themselves to manage this permission.
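The following is an added example, not code from this thread or from Atlassian. It models the behaviour described in both answers above (the "first directory in the order wins, and only that directory's group memberships count" rule, and the "Read Only, with Local Groups" exception) against an in-memory SQLite copy of the tables the first answer queries, and it folds the four separate queries into one diagnostic join. Table and column names cwd_directory, cwd_group, cwd_membership, globalpermissionentry, group_id, parent_name, child_name and directory_id are taken from the queries in the answer; the cwd_user table, the directory_position column (lower value = higher in the directory order), the 'ADMINISTER' permission name, and all rows (the users 'zramos' and 'localadmin', the directory ids 1 and 10000) are assumptions or constructed data, not taken from the page.

```python
"""Model of Jira user-directory ordering and admin-group resolution.

Added example, not from the original thread. Schema names follow the queries
in the answer above; cwd_user, directory_position and the sample rows are
assumptions/constructed data for illustration only.
"""
import sqlite3

SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER, directory_name TEXT, directory_type TEXT,
                            directory_position INTEGER);   -- position: assumed
CREATE TABLE cwd_user (user_name TEXT, directory_id INTEGER);  -- table: assumed
CREATE TABLE cwd_group (group_name TEXT, directory_id INTEGER);
CREATE TABLE cwd_membership (parent_name TEXT, child_name TEXT, directory_id INTEGER);
CREATE TABLE globalpermissionentry (permission TEXT, group_id TEXT);
"""

# Constructed data: the AD connector (id 10000) is ordered ABOVE the internal
# directory (id 1). 'zramos' exists in both, but only the internal copy is in
# jira-administrators; 'localadmin' exists only in the internal directory.
SAMPLE = [
    ("cwd_directory", [(1, "Jira Internal Directory", "INTERNAL", 1),
                       (10000, "Corporate AD", "CONNECTOR", 0)]),
    ("cwd_user", [("zramos", 1), ("zramos", 10000), ("localadmin", 1)]),
    ("cwd_group", [("jira-administrators", 1), ("jira-software-users", 10000)]),
    ("cwd_membership", [("jira-administrators", "zramos", 1),
                        ("jira-administrators", "localadmin", 1),
                        ("jira-software-users", "zramos", 10000)]),
    ("globalpermissionentry", [("SYSTEM_ADMIN", "jira-administrators"),
                               ("ADMINISTER", "jira-administrators")]),  # assumed name
]


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE:
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


# One join that replaces the four separate queries in the answer: every account
# that is a member of an admin-granting group, and the directory that membership
# actually lives in. On the real database, run the same SQL against MSSQL.
ADMIN_REPORT_SQL = """
SELECT p.permission, m.parent_name AS grp, m.child_name AS user_name,
       d.id AS directory_id, d.directory_name, d.directory_position
FROM globalpermissionentry p
JOIN cwd_membership m ON m.parent_name = p.group_id
JOIN cwd_directory d ON d.id = m.directory_id
WHERE p.permission IN ('SYSTEM_ADMIN', 'ADMINISTER')
ORDER BY p.permission, m.child_name, d.directory_position
"""


def admin_report(conn):
    """Rows of (permission, group, user, directory_id, directory_name, position)."""
    return conn.execute(ADMIN_REPORT_SQL).fetchall()


def resolve_directory(conn, username):
    """Directory Jira authenticates this username against: the highest-ordered
    (lowest directory_position) directory that contains the user."""
    row = conn.execute(
        "SELECT d.id FROM cwd_user u JOIN cwd_directory d ON d.id = u.directory_id "
        "WHERE u.user_name = ? ORDER BY d.directory_position LIMIT 1",
        (username,)).fetchone()
    return row[0] if row else None


def effective_groups(conn, username, local_groups=False):
    """Groups Jira sees for the user. Only memberships in the resolved directory
    count; with 'Read Only, with Local Groups', memberships in the internal
    directory (id 1 here) are added on top."""
    dir_id = resolve_directory(conn, username)
    if dir_id is None:
        return set()
    dirs = [dir_id] + ([1] if local_groups and dir_id != 1 else [])
    marks = ",".join("?" * len(dirs))
    rows = conn.execute(
        f"SELECT parent_name FROM cwd_membership WHERE child_name = ? "
        f"AND directory_id IN ({marks})", (username, *dirs))
    return {r[0] for r in rows}


def is_sysadmin(conn, username, local_groups=False):
    """True if any effective group grants SYSTEM_ADMIN."""
    admin_groups = {r[0] for r in conn.execute(
        "SELECT group_id FROM globalpermissionentry WHERE permission='SYSTEM_ADMIN'")}
    return bool(admin_groups & effective_groups(conn, username, local_groups))


if __name__ == "__main__":
    db = build_db()
    for row in admin_report(db):
        print(row)
    print("zramos resolves to directory", resolve_directory(db, "zramos"))
    print("zramos sysadmin (AD ordered first):", is_sysadmin(db, "zramos"))
    print("zramos sysadmin (local groups on):", is_sysadmin(db, "zramos", True))
```

The report shows every admin-granting membership sitting in directory 1, which is exactly the symptom in the screenshot above: the AD copy of the account is the one Jira resolves, and it carries none of those memberships. Enabling the local-groups option (or, per Option 1, granting the global permission to a group that exists in the AD directory) is what flips the result.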

Zebadiah Ramos October 17, 2017

Great advice, thanks, Andrew!
