User lookup fails with PartialResultException in Jira server

Problem

Accessing LDAP, such as searching for users in JIRA applications, Confluence or Crowd (with AD integrated) fails with the exception below:

Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.example.net:389 
[Root exception is java.net.ConnectException: Connection refused: connect]]

Other root exceptions can be:

  • javax.naming.PartialResultException
  • java.net.UnknownHostException

Description

Active Directory servers are integrated with DNS, and modify entries in the DNS server. They refer to themselves in the root of their LDAP tree. If the JIRA application (or Crowd, or Confluence) server is pointed to the root of the LDAP tree, and "follow referrals" is turned on (which is the default), then:

  1. The application will search for users.
  2. AD server will respond with users and the referral that's in the root of the LDAP tree, because there could be more users over there.
  3. The application will follow the referral. This will result in:
    1. A DNS lookup of the base DN (dc=example,dc=com means a lookup for example.com)
    2. A connection to port 389 or 636 at example.com, which is back to the same server.
  4. The JIRA application will continue and read the rest of the objects in the domain as normal.

Diagnosis

To check if this is the case,

  1. Turn off 'Follow Referrals' in the 'Advanced Settings' section of your User Directory configuration.
  2. Connect to the root DN of your LDAP server.
  3. If no errors show in the logs, then it's a DNS error.

Cause

JIRA applications, Crowd or Confluence can't perform a DNS lookup on the referral in the AD server root. Problems like this are most commonly caused by the server that the JIRA application is running on not having the same DNS server as the Active Directory server.
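
The script below is an added example, not part of the original article. It extracts the referral host from the logged exception, derives the DNS name from the base DN, and reports whether each target fails at DNS resolution or at TCP connect. The function names are assumptions for illustration, and the sample log line is constructed from the exception shown above.

```python
import re
import socket

# Constructed sample: the exception text from this page, joined onto one line.
SAMPLE_LOG = (
    "Caused by: javax.naming.PartialResultException [Root exception is "
    "javax.naming.CommunicationException: DomainDnsZones.example.net:389 "
    "[Root exception is java.net.ConnectException: Connection refused: connect]]"
)

def base_dn_to_domain(base_dn):
    """dc=example,dc=com -> example.com. Only DC components are used;
    escaped commas inside RDN values are not handled (simplification)."""
    rdns = [r.split("=", 1) for r in base_dn.split(",") if "=" in r]
    return ".".join(v.strip() for k, v in rdns if k.strip().lower() == "dc")

def referral_targets(log_text):
    """Return (host, port) pairs named in CommunicationException messages."""
    pattern = r"CommunicationException:\s*([A-Za-z0-9._-]+):(\d+)"
    return [(h, int(p)) for h, p in re.findall(pattern, log_text)]

def check(host, port, timeout=3.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Classify one target as 'dns-failure', 'connect-failure' or 'ok'."""
    try:
        resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"      # surfaces in Java as UnknownHostException
    try:
        connect((host, port), timeout=timeout).close()
    except OSError:
        return "connect-failure"  # refused or timed out (ConnectException above)
    return "ok"

if __name__ == "__main__":
    import sys
    log_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    base_dn = sys.argv[1] if len(sys.argv) > 1 else "dc=example,dc=com"
    targets = referral_targets(log_text)
    targets += [(base_dn_to_domain(base_dn), p) for p in (389, 636)]
    for host, port in targets:
        print(f"{host}:{port} -> {check(host, port)}")
```

Run it on the server that hosts the application, passing the base DN and, optionally, the path to a log file containing the exception.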

Resolution

Fixing a DNS Configuration Issue

  1. Configure the server that the JIRA application is running on to use the DNS server that the Active Directory server is integrated with.
  2. Double-check whether the DNS server address has been changed recently. Since the DNS server records the JIRA application's information, please delete the JIRA application address information from the DNS server to resolve the issue.
  3. If this is not possible, disable 'Follow Referrals'.

What are the implications of disabling 'Follow Referrals'?

  • If you only have one domain, there should be no adverse effects.
  • If you have multiple domains joined in a Forest, then any cross-domain memberships will not be resolved.
  • If you must have cross-domain memberships and you can't fix the DNS issues, then you can point JIRA at your Global Catalog. This is read-only, but it does contain all users, groups, and memberships from across your Forest. Talk to your AD admin for Global Catalog connection details.
Last modified on Sep 25, 2019
