Some users unable to login after upgrading JIRA
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products will end after February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
- After upgrading from JIRA 6.1.7 to JIRA 6.4.7, some users are unable to log in.
The following appears in the atlassian-jira log:
    2015-07-10 09:23:33,039 http-bio-4443-exec-3 anonymous 563x2792x1 1ipni8u 184.108.40.206 /login.jsp The user 'xxxxx' has FAILED authentication. Failure count equals 1
    2015-07-10 09:23:47,551 http-bio-4443-exec-25 anonymous 563x2795x1 1ipni8u 220.127.116.11 /login.jsp login : 'xxxxx' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
    2015-07-10 09:23:47,585 http-bio-4443-exec-25 anonymous 563x2795x1 1ipni8u 18.104.22.168 /login.jsp The user 'xxxxx' has FAILED authentication. Failure count equals 2
- Using delegated authentication (Copy User on Login)
More errors appear in the atlassian-jira log:
    2015-07-07 16:34:47,667 http-bio-4443-exec-19 INFO anonymous 973x768x7 1wkrh1r 22.214.171.124 /login.jsp [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@277930e0 took 1261594ms
    2015-07-07 16:34:47,667 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 126.96.36.199 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'XXX LDAP Authentication' is not functional during authentication of 'xxxxx'. Skipped.
    2015-07-07 16:34:47,668 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 188.8.131.52 /login.jsp [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'xxxxx'.
    com.atlassian.crowd.exception.runtime.OperationFailedException
        at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:915)
        at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:80)
        ...
    Caused by: org.springframework.ldap.ServiceUnavailableException: ldap.xxx.com:636; socket closed; nested exception is javax.naming.ServiceUnavailableException: ldap.xxx.com:636; socket closed; remaining name 'o=xxx,c=an'
Enable DEBUG for the packages below via Logging and Profiling:
    com.atlassian.jira.login
    com.atlassian.jira.login.security
    com.atlassian.crowd.directory.SpringLDAPConnector
    com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdAuthenticator
    org.springframework.ldap.core
    com.atlassian.crowd.embedded
    com.atlassian.crowd.directory
    com.sun.jndi.ldap
- We can see that it appears to be doing a lookup on entryUUID:
    Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(alias=xxxxx))
    2015-07-15 13:39:40,920 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 184.108.40.206 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://ldap.xxx.com:636'
    2015-07-15 13:39:40,942 http-bio-4443-exec-17 INFO anonymous 819x11718x4 - 220.127.116.11 /rest/gadget/1.0/login [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@10181307 took 3365ms
    2015-07-15 13:39:40,942 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 18.104.22.168 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Authenticating user 'xxxxx' with DN 'cn=xxxxx xxxxx 452099,ou=employee,o=xxx,c=an'
    ...
    2015-07-15 13:39:41,162 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 22.214.171.124 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(entryUUID=xxxxx-20081117))
- This is configured in the User Directory configuration.
- It is the User Unique ID Attribute described in Connecting to an LDAP Directory. According to the documentation, this setting was added in JIRA 6.2:
This should normally point to a UUID value. Standards-compliant LDAP servers will implement this as 'entryUUID' according to RFC 4530. This setting exists because it is known under different names on some servers, e.g. 'objectGUID' in Microsoft Active Directory.
- According to RFC 4530, this attribute is supposed to be available in directory servers, and Sun One has documentation on it here: https://docs.oracle.com/cd/E19623-01/820-6173/def-entry-uuid.html.
- Identify the appropriate unique identifier to set instead of the current value, or remove it from the directory configuration.
Example: Change the
uid in the directory definition.
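A triage script for the DEBUG output described above, as an added example that is not Atlassian's code: it pulls LDAP search filters, slow "Timed call" entries and non-functional directories out of atlassian-jira log lines and reports any search that uses the configured User Unique ID Attribute. The sample lines are constructed from the excerpts in this article; the function name `triage` and the 30-second slow-search threshold are assumptions.

```python
import re

# Constructed sample, modelled on the excerpts in this article (documentation IPs).
SAMPLE_LOG = """\
2015-07-07 16:34:47,667 http-bio-4443-exec-19 INFO anonymous 973x768x7 1wkrh1r 192.0.2.10 /login.jsp [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@277930e0 took 1261594ms
2015-07-07 16:34:47,667 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 192.0.2.10 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'XXX LDAP Authentication' is not functional during authentication of 'xxxxx'. Skipped.
2015-07-15 13:39:40,100 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 192.0.2.10 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(alias=xxxxx))
2015-07-15 13:39:40,942 http-bio-4443-exec-17 INFO anonymous 819x11718x4 - 192.0.2.10 /rest/gadget/1.0/login [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@10181307 took 3365ms
2015-07-15 13:39:41,162 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 192.0.2.10 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(entryUUID=xxxxx-20081117))
"""

SEARCH_RE = re.compile(r"Performing user search: baseDN = (.+?) - filter = (\(.*\))")
TIMED_RE = re.compile(r"Timed call for search .* took (\d+)ms")
DOWN_RE = re.compile(r"Directory '([^']+)' is not functional")
ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)=")  # attribute name in each filter term


def triage(lines, id_attr="entryUUID", slow_ms=30_000):
    """Summarise LDAP login problems found in atlassian-jira log lines.

    id_attr is the directory's User Unique ID Attribute; slow_ms is an
    assumed threshold above which a timed LDAP search is reported.
    """
    report = {"slow_searches_ms": [], "down_directories": [],
              "id_attr_filters": [], "filter_attrs": set()}
    for line in lines:
        if m := TIMED_RE.search(line):
            if int(m.group(1)) >= slow_ms:
                report["slow_searches_ms"].append(int(m.group(1)))
        if m := DOWN_RE.search(line):
            report["down_directories"].append(m.group(1))
        if m := SEARCH_RE.search(line):
            # LDAP attribute names are case-insensitive, so compare lowercased.
            attrs = {a.lower() for a in ATTR_RE.findall(m.group(2))}
            report["filter_attrs"] |= attrs
            if id_attr.lower() in attrs:
                report["id_attr_filters"].append(m.group(2))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A non-empty `id_attr_filters` list confirms that JIRA is searching the directory on that attribute, which is the lookup to check against what the LDAP server actually exposes.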