MS Active Directory Group Membership not updating

We have the Jira instance integrated with Microsoft Active Directory (Read Only, with Local Groups).

When we added a new member to a group in Active Directory, Jira did not refresh the list of members from that group.

We tried a manual sync, but it doesn't work.

No errors in the logs.

We use JIRA v6.3.4a

 

2 answers

So the full sync didn't work? That's quite mysterious as it should clear all the users and memberships and recreate it from scratch.

Actually in JIRA 6.3.5 the AD synchronisation was reworked, maybe it's worth checking this out. See this: https://jira.atlassian.com/browse/JRA-26458

I have the following 3 AD groups and JIRA shows number of users 15, 43 and 8 respectively.

JIRA Users

JIRA Developers

JIRA Admins

However in AD we got 42, 42 and 7 respectively.

No errors in the log:

2015-02-05 16:57:05,940 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteDirectory] synchronisation for directory [ 10002 ] starting
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [directory.ldap.cache.UsnChangedCacheRefresher] found [ 31 ] changed remote users in [ 62ms ]
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [directory.ldap.cache.UsnChangedCacheRefresher] scanned and compared [ 0 ] users for delete in DB cache in [ 0ms ]
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] deleting [ 0 ] users
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] deleted [ 0 ] users in [ 0ms ]
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanning [ 31 ] users to add or update
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] scanned and compared [ 31 ] users for update in DB cache in [ 0ms ]
2015-02-05 16:57:06,002 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] updating [ 27 ] users
2015-02-05 16:57:06,580 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] updated [ 27 ] users in [ 578ms ]
2015-02-05 16:57:06,580 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] synchronised [ 31 ] users in [ 578ms ]
2015-02-05 16:57:06,627 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [directory.ldap.cache.UsnChangedCacheRefresher] found [ 0 ] changed remote groups in [ 47ms ]
2015-02-05 16:57:06,627 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] scanning [ 0 ] groups to add or update
2015-02-05 16:57:06,627 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanned and compared [ 0 ] groups for update in DB cache in [ 0ms ]
2015-02-05 16:57:06,627 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] synchronized [ 0 ] groups in [ 0ms ]
2015-02-05 16:57:06,643 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [directory.ldap.cache.UsnChangedCacheRefresher] scanned and compared [ 0 ] groups for delete in DB cache in [ 0ms ]
2015-02-05 16:57:06,643 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] removing [ 0 ] groups
2015-02-05 16:57:06,643 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] removed [ 0 ] groups in [ 0ms ]
2015-02-05 16:57:06,643 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteDirectory] INCREMENTAL synchronisation complete for directory [ 10002 ] in [ 703ms ]

And here are my settings:

Directory ID: 10002
Name: FMGAD1
Active: true
Type: CONNECTOR
Created date: Thu Sep 04 11:57:40 EDT 2014
Updated date: Thu Feb 05 16:57:06 EST 2015
Allowed operations: [CREATE_GROUP, DELETE_GROUP, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE]
Implementation class: com.atlassian.crowd.directory.MicrosoftActiveDirectory
Encryption type: sha
Attributes: 
    "autoAddGroups": "Jira Users"
    "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
    "com.atlassian.crowd.directory.sync.issynchronising": "false"
    "com.atlassian.crowd.directory.sync.lastdurationms": "969"
    "com.atlassian.crowd.directory.sync.laststartsynctime": "1423173425674"
    "crowd.sync.incremental.enabled": "true"
    "directory.cache.synchronise.interval": "300"
    "ldap.basedn": "dc=mycompany,dc=local"
    "ldap.connection.timeout": "10000"
    "ldap.external.id": "objectGUID"
    "ldap.group.description": "description"
    "ldap.group.dn": ""
    "ldap.group.filter": "(&(objectClass=group)(&(cn=jira*)))"
    "ldap.group.name": "cn"
    "ldap.group.objectclass": "group"
    "ldap.group.usernames": "member"
    "ldap.local.groups": "true"
    "ldap.nestedgroups.disabled": "true"
    "ldap.pagedresults": "true"
    "ldap.pagedresults.size": "1000"
    "ldap.password": ********
    "ldap.pool.initsize": "null"
    "ldap.pool.maxsize": "null"
    "ldap.pool.prefsize": "null"
    "ldap.pool.timeout": "0"
    "ldap.propogate.changes": "false"
    "ldap.read.timeout": "120000"
    "ldap.referral": "true"
    "ldap.relaxed.dn.standardisation": "true"
    "ldap.roles.disabled": "true"
    "ldap.search.timelimit": "60000"
    "ldap.secure": "false"
    "ldap.url": "ldap://fmgad1.mycompany.local:389"
    "ldap.user.displayname": "displayName"
    "ldap.user.dn": ""
    "ldap.user.email": "mail"
    "ldap.user.encryption": "sha"
    "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
    "ldap.user.firstname": "givenName"
    "ldap.user.group": "memberOf"
    "ldap.user.lastname": "sn"
    "ldap.user.objectclass": "user"
    "ldap.user.password": "unicodePwd"
    "ldap.user.username": "sAMAccountName"
    "ldap.user.username.rdn": "cn"
    "ldap.userdn": "jirasrv@mycompany.local"
    "ldap.usermembership.use": "false"
    "ldap.usermembership.use.for.groups": "false"
    "localUserStatusEnabled": "false"

 

 

You might want to check if all conditions for incremental sync to work properly are met, see here: https://confluence.atlassian.com/display/JIRA063/Connecting+to+an+LDAP+Directory under "Enable Incremental Synchronisation". Also, check if disabling the incremental sync in directory properties helps (alternatively disable and enable this directory or simply restart Jira, it's all the same). There should be "Full synchronisation completed successfully" in the logs. If the incremental synchronization turns out to be a problem I strongly suggest checking out JIRA 6.3.5 or newer.

I disabled incremental sync and members are still not added. 


2015-02-06 09:36:51,871 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteDirectory] synchronisation for directory [ 10002 ] starting
2015-02-06 09:36:51,981 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner     [directory.ldap.cache.UsnChangedCacheRefresher] found [ 3 ] remote groups in [ 110ms ]
2015-02-06 09:37:22,404 CrowdUsnChangedCacheRefresher:thread-1 INFO ServiceRunner     [directory.ldap.cache.UsnChangedCacheRefresher] found [ 5730 ] remote users in [ 30533ms ]
2015-02-06 09:37:22,591 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanned and compared [ 5730 ] users for delete in DB cache in [ 172ms ]
2015-02-06 09:37:22,591 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanned for deleted users in [ 172ms ]
2015-02-06 09:37:22,591 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanning [ 5730 ] users to add or update
2015-02-06 09:37:22,607 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] scanned and compared [ 5730 ] users for update in DB cache in [ 16ms ]
2015-02-06 09:37:22,607 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] updating [ 7 ] users
2015-02-06 09:37:23,185 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] updated [ 7 ] users in [ 578ms ]
2015-02-06 09:37:23,185 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] synchronised [ 5730 ] users in [ 594ms ]
2015-02-06 09:37:23,185 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] scanning [ 3 ] groups to add or update
2015-02-06 09:37:23,232 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanned and compared [ 3 ] groups for update in DB cache in [ 47ms ]
2015-02-06 09:37:23,232 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DirectoryCacheImplUsingChangeOperations] synchronized [ 3 ] groups in [ 47ms ]
2015-02-06 09:37:23,232 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] scanned and compared [ 3 ] groups for delete in DB cache in [ 0ms ]
2015-02-06 09:37:23,544 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteChangeOperations] removed [ 1 ] user members from [ Jira Developers ] in [ 281ms ]
2015-02-06 09:37:23,544 atlassian-scheduler-quartz1.clustered_Worker-2 INFO ServiceRunner     [atlassian.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation complete for directory [ 10002 ] in [ 31673ms ]


From the log at hand - I don't know, ask support maybe? Maybe turn the debug logging on for crowd, but it will be huge.

There was a local group with the same name as a local group. Since there is an existing local group, the group membership of the AD group is not being pulled. Even after deleting the local group, the AD group membership is still not updated because each membership per user on that group is saved in JIRA and is tagged as "local" (cwd_group.local = 1). More details on the issue: https://confluence.atlassian.com/display/JIRAKB/Membership+For+Group+Is+Not+Updated+After+Synchronisation
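One way to check for the condition described in the last answer, added here as an example and not part of the original thread or of Atlassian's code: list the groups in the connector directory that are still flagged `local = 1`, then compare the cached members of one group against an AD export to see who is missing and who is stale. Only `cwd_group.local` and directory ID 10002 come from the page; the other column names, the miniature schema, and the sample users are assumptions constructed for the example.

```python
import sqlite3

# Constructed miniature of the two Jira tables involved. Only cwd_group.local
# appears on the page; the other column names are assumptions to verify
# against your own Jira database before reusing the query.
SCHEMA = """
CREATE TABLE cwd_group (id INTEGER PRIMARY KEY, group_name TEXT,
                        directory_id INTEGER, local INTEGER);
CREATE TABLE cwd_membership (parent_id INTEGER, child_name TEXT,
                             directory_id INTEGER);
"""

# Groups in a directory that are flagged local, with their cached member count.
SHADOWED_SQL = """
SELECT g.group_name, COUNT(m.child_name)
FROM cwd_group g
LEFT JOIN cwd_membership m
       ON m.parent_id = g.id AND m.directory_id = g.directory_id
WHERE g.directory_id = ? AND g.local = 1
GROUP BY g.id, g.group_name
ORDER BY g.group_name
"""

def build_sample_db():
    """Constructed data: one AD-synced group and one stuck with local = 1."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cwd_group VALUES (?, ?, ?, ?)",
                   [(1, "Jira Admins", 10002, 0), (2, "Jira Users", 10002, 1)])
    db.executemany("INSERT INTO cwd_membership VALUES (?, ?, ?)",
                   [(1, "alice", 10002), (2, "alice", 10002), (2, "bob", 10002)])
    return db

def shadowed_groups(db, directory_id):
    """Return (group_name, cached_members) for groups flagged local."""
    return db.execute(SHADOWED_SQL, (directory_id,)).fetchall()

def membership_drift(db, group_name, directory_id, ad_members):
    """Compare cached members with an AD export: (missing_in_jira, stale_in_jira)."""
    rows = db.execute(
        "SELECT m.child_name FROM cwd_membership m JOIN cwd_group g"
        " ON g.id = m.parent_id WHERE g.group_name = ? AND g.directory_id = ?",
        (group_name, directory_id))
    cached = {r[0].lower() for r in rows}
    wanted = {name.lower() for name in ad_members}
    return sorted(wanted - cached), sorted(cached - wanted)

if __name__ == "__main__":
    db = build_sample_db()
    print(shadowed_groups(db, 10002))
    print(membership_drift(db, "Jira Users", 10002, ["alice", "carol"]))
```

The stale list is the one to review first: those accounts keep whatever the group grants in Jira even though AD no longer lists them.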

 
