Local Users Can't Log in, but LDAP Users Can after Upgrade to v4.3
Symptoms
When using LDAP in JIRA v4.2 or earlier with a mixture of LDAP authenticated users and locally authenticated users, after upgrade to JIRA v4.3.0, the LDAP users can log in, but local users are no longer able to log in.
Cause
During upgrade to v4.3 all users are migrated to the "LDAP Authentication" user Directory. Only users in the "Internal Directory" can log in through a local password, but no users are in here. See JRA-23858
Prevention
Do not upgrade to v4.3.0 if using mixed authentication, LDAP and local. Instead, wait for v4.3.1 which will migrate the users into two separate directories.
Note that if you have already upgraded to v4.3, then simply upgrading from there to v4.3.1 will NOT help because the relevant upgrade tasks will have already been run in v4.3.
Resolution
If you have already done this and cannot revert, there are two options
Option 1: Move to a "full" LDAP directory
The old OSUser LDAP support only used LDAP for password authentication, so this move is beneficial to many organisations anyway.
- Set up an LDAP (or Microsoft AD) User Directory and then disable the "LDAP-auth" directory.
- Manually add the local users back in after you disable the "LDAP-auth" directory.
Option 2: Add local users to LDAP
If you set up accounts in the LDAP server for the "missing" users, then they will be able to log in.
Option 3: Move the users directory via SQL
This is possible but difficult and risky
Note that if you were to do this then you need to restart JIRA in order to refresh the user caches.
Option 4: Delete the users from "LDAP-auth" directory and add them to Internal Directory
It is highly likely that JIRA will not let you delete these users (eg if they have reported bugs or are assignees), in which case you would need to delete directly from the DB with SQL.
Also note that JIRA currently will only add users to the first writable directory, so you will need to temporarily move the Internal Directory to the top to add the users.