Jira's Active Directory connection fails inconsistently. How can I configure Jira to make that more stable?

Kurt Bendl May 12, 2015

Jira's Active Directory connection randomly fails with errors similar to the following:

2015-05-12 15:52:03,484 http-bio-8443-exec-7 ERROR anonymous 950x104x2 10ml984 10.40.104.81,127.0.0.1 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'Active Directory server' is not functional during authentication of 'auserid'. Skipped.
2015-05-12 15:53:02,254 http-bio-8443-exec-11 ERROR anonymous 951x105x3 10ml984 10.40.104.81,0:0:0:0:0:0:0:1 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'Active Directory server' is not functional during authentication of 'auserid'. Skipped.

I can immediately do an LDAP query against AD on the same machine and get a response. So, AD is responding just fine:

$ ldapsearch -LLL -x -b "OU=Accounts,DC=example,DC=com" -h 10.10.2.2  "SAMAccountName=auserid" | grep ^uid:
uid: auserid

 

So, can Atlassian tell me what might be going on, and what can I do to get JIRA to authenticate against AD consistently?

 

Thanks,

   Kurt

4 answers

0 votes
pkirkeby
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 13, 2015

Have you tried disabling 'Follow Referrals' yet?

0 votes
pkirkeby
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 13, 2015

A couple things I'd consider:

  • Are you seeing any other errors coming from your LDAP server? Perhaps, synchronizing fails?
  • Is this happening to all users?
  • Does it happen to the same users consistently? For example, are these users able to login at one moment, but not the next?
  • Perhaps permissions aren't configured properly to allow these users access?

You can enable DEBUG logging for com.atlassian.crowd.directory which should output the actual LDAP search filter performed by JIRA during the authentication request. This would tell you if the filter is perhaps excluding the user entirely or maybe something else is wrong here.

0 votes
pkirkeby
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 13, 2015

Do you have referrals enabled in JIRAs LDAP connector?

https://confluence.atlassian.com/display/JIRAKB/User+Lookups+Fail+With+'PartialResultExceptions'+Due+to+Active+Directory+'follow+referrals'+Configuration

It looks like you might be running into the same issue as the article above.

Kurt Bendl May 14, 2015

Hi again,

Thanks for the response. Yes. "Follow Referrals" is enabled. 

I enabled debug earlier today, w\and do have data from that. Do you want me to attach it?

-kb

pkirkeby
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 14, 2015

I would recommend you try disabling 'follow referrals' and see if that makes a difference.

0 votes
Kurt Bendl May 12, 2015

Hi,

Thanks for the reply. smile

re: Other errors: Yes, I do see errors such as:

[atlassian.crowd.directory.DbCachingRemoteDirectory] failed synchronisation complete for directory [ 10000 ] in [ 10035ms ]
[com.atlassian.scheduler.JobRunnerResponse] Unable to synchronise directory
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: example.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]

re: Does it happen to the same users consistently? 

No. It it system-wide. Either auth works, or it doesn't. And, if I wait for a re-sync, it'll eventually just magically work, and users can log in again.

re: Perhaps permissions aren't configured properly to allow these users access?

I have an LDAP account that is in the 'jira-administrators' group, and it get's randomly locked-out, too. Although, I have an emergency account configured in a local directory, and that, of course, can auth into the system. So, permissions do not seem to make a difference.

 

The issue seems to be that the routine that syncs to LDAP will randomly fail. I have dozens of systems and apps that speak LDAP to AD, and this one seems to be the only one I have problems with. So, I can't point a finger at AD (as much as I'd like to.)  I've seen another poster that believes it may have something to do with AD behind a load balancer.  When I query for host (ds.example.com), I don't get a round-robin list, but a single IP addr. So, I'm not necessarily leaning in that direction, either. 

I'll post a chunk from my existing catalina.out for now, and do the debug thing to see what else I can come up with.

 

Suggest an answer

Log in or Sign up to answer