Crowd user authentication fails with 'Directory 'X' is not functional during authentication' error
Problem
Users are unable to authenticate and the following appears in the atlassian-crowd.log:
2013-07-11 18:22:14,227 http-8495-5 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory 'example directory' is not functional during authentication of 'example user'. Skipped.
2016-07-14 18:51:14,893 http-bio-80-exec-22 ERROR anonymous 1130x260x2 zvck2 10.14.149.99 /login.jsp [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'example user'.
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:922)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:81)
at com.atlassian.crowd.embedded.core.DelegatingCrowdService.authenticate(DelegatingCrowdService.java:37)
at com.atlassian.crowd.embedded.core.FilteredCrowdServiceImpl.authenticate(FilteredCrowdServiceImpl.java:51)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:91)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:55)
...
Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ExampleDNS.come.ad:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:385)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:309)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$4.timedCall(SpringLdapTemplateWrapper.java:198)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$4.timedCall(SpringLdapTemplateWrapper.java:195)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:89)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:195)
at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:405)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:476)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:459)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:679)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:628)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:614)
at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1098)
at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticateAndUpdateOrCreate(DelegatedAuthenticationDirectory.java:216)
at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticate(DelegatedAuthenticationDirectory.java:186)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:283)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:194)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:69)
... 94 more
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ExampleDNS.come.ad:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:365)
... 112 more
Caused by: javax.naming.CommunicationException: DomainDnsZones.corp.ad.cginet:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
... 114 more
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Cause
This occurs when an OperationFailedException is thrown while attempting to authenticate a user. The exception is typically thrown when an operation on the remote directory fails for some reason. For example:
- General network errors (e.g. unable to route to the server due to DNS, firewall, slow network speeds)
- The external user directory is offline
- The external user directory is unreachable
- LDAP errors
- Intermittent timeouts, which can result in sporadic occurrences.
Resolution
1. Double-check the external user directory and ensure it is online.
2. Ping the external user directory using the URL defined in Crowd and ensure Crowd can resolve it. If not, then work with your network team to correct the path. As a temporary measure, the IP address of the server housing the external user directory can be used.
3. If the issue persists, add the DEBUG log level for the crowd.manager.application.ApplicationServiceGeneric package (see Logging and Profiling for detailed instructions on how to do that), and check the logs for any errors, exceptions or otherwise.
4. If you're still unable to resolve the problem, contact support and attach the log folder, captured with the increased log levels (from step 3) after the issue occurs.
Set the LDAP connect timeout to a large number, as per Setting Properties and Options on Startup:
-Dcom.sun.jndi.ldap.connect.timeout=50000
More information about the connect timeout can be found in Oracle's Setting Timeout for Ldap Operations documentation.
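
The reachability checks from the Resolution steps can be run against the exact host:port pairs the log reports, which may differ from the URL configured in Crowd (in the excerpt above the innermost CommunicationException is raised from LdapReferralException.getReferralContext). The following is an added example, not Atlassian's code; the sample log lines and the host names in them are constructed, and the function names are hypothetical.

```python
import re
import socket

# Constructed sample, modelled on the "Caused by" chain in the log excerpt above.
SAMPLE_LOG = """\
Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: ldap.example.internal:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
Caused by: javax.naming.CommunicationException: DomainDnsZones.example.internal:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
Caused by: java.net.ConnectException: Connection timed out: connect
"""

# host:port as it appears directly after a JNDI CommunicationException
ENDPOINT_RE = re.compile(
    r"javax\.naming\.CommunicationException: ([A-Za-z0-9_.-]+):(\d+)"
)


def failing_endpoints(log_text):
    """Return the distinct (host, port) pairs named in the log, in first-seen order."""
    seen = []
    for host, port in ENDPOINT_RE.findall(log_text):
        pair = (host, int(port))
        if pair not in seen:
            seen.append(pair)
    return seen


def check_endpoint(host, port, timeout=5.0):
    """Classify an endpoint as 'dns-failure', 'connect-failure' or 'ok'."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"  # the name does not resolve from this machine
    for family, socktype, proto, _name, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return "ok"
        except OSError:
            continue  # timed out or refused; try the next resolved address
    return "connect-failure"  # resolves, but no address accepts a TCP connection


if __name__ == "__main__":
    # Run on the Crowd server itself so the result reflects its DNS and routing.
    for host, port in failing_endpoints(SAMPLE_LOG):
        print(f"{host}:{port} -> {check_endpoint(host, port)}")
```

To check a real log, pass the contents of atlassian-crowd.log to failing_endpoints in place of SAMPLE_LOG.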