Group memberships not updating after sync with external LDAP in Jira server

Related content

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

  1. A user is a member of a group or groups that come from an Active Directory/LDAP server. After JIRA synchronises with Active Directory/LDAP, the group membership is not updated for certain or all groups for that user or users.
  2. Sync does not remove user from a group after the removal in LDAP.
  3. In the JIRA database, the following SQL can be used to verify if the customer contains groups that come from the Active Directory/LDAP server have been marked as local (cwd_group.local = 1). If so, it is likely this is why they are not synchronising.
    (info) There may be JIRA groups that are correctly marked as local as they were created in JIRA. For example, jira-users.
    (info) One of the reasons for marking the group as local(incorrectly) could be this bug - JSWSERVER-21352

Replace the <user name> with the user that is not synchronising with their groups. Compare the list returned with the group membership in Active Directory/LDAP. As it is possible to have multiple User Directories, multiple users with the same user name (child_name) may be returned. Please check the directory_name to ensure you're referring to the correct one.

SELECT m.parent_id, m.parent_name, m.child_name, m.directory_id, d.directory_name, d.active, g.local 
FROM cwd_membership m
JOIN cwd_directory d ON m.directory_id = d.id
JOIN cwd_group g ON g.lower_group_name = m.lower_parent_name and g.directory_id = m.directory_id
WHERE child_name='<user name>'

Cause

  1. The group membership is not synchronising as the group has been marked as a JIRA local group within the database (cwd_group.local = 1)
  2. User or group id is mismatched between cwd_user/cwd_group and cwd_membership tables. This is most likely caused by JRASERVER-70690

Resolution

Cause 1:

Always back up your data before performing any modifications to the database. If possible, test any alter, insert, update, or delete SQL commands on a staging server first.

  1. Shutdown JIRA.

  2. Run the following SQL on the JIRA database:

    UPDATE cwd_group SET local = 0 WHERE ID = <parent ID from the above SQL>
  3. Restart JIRA.
  4. Synchronise the User Directory.

(info) If you are unsure about what to do, please raise a support request on support.atlassian.com.

Cause 2:

If you are not using local groups, recreate the user directory to repopulate the tables with the correct IDs.

If you do have local groups in this user directory, we'll need to follow the workaround in JRASERVER-70690 to update the cwd_membership table and fix the user/group ids (child_id/parent_id).

Last modified on Mar 6, 2025

Was this helpful?

Yes
No
Provide feedback about this article

Related content

Powered by Confluence and Scroll Viewport.