Users not able to log into JIRA using LDAP Connector AD.

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

Users not able to log into JIRA using LDAP Connector AD.

The following appears in the atlassian-jira.log:

/rest/gadget/1.0/login [crowd.manager.application.ApplicationServiceGeneric] Directory 'directory_name' is not functional during authentication of 'user_name'. Skipped.

/rest/gadget/1.0/login [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'user_name'.
com.atlassian.crowd.exception.runtime.OperationFailedException
...

	at java.lang.Thread.run(Unknown Source)

Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.NamingException: LDAP response read timed out, timeout used:120000ms. [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'DC=generic,DC=com']; remaining name '']
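To check whether a given atlassian-jira.log contains this signature, the following added example (not Atlassian code) scans for the messages shown above and reports the affected directory, user, timeout and referral DN for each failed login. The sample log is constructed from the excerpt above, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the log excerpt above; the last line is a
# login error with no referral trace and must not be reported.
SAMPLE_LOG = """\
/rest/gadget/1.0/login [crowd.manager.application.ApplicationServiceGeneric] Directory 'directory_name' is not functional during authentication of 'user_name'. Skipped.
/rest/gadget/1.0/login [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'user_name'.
com.atlassian.crowd.exception.runtime.OperationFailedException
\tat java.lang.Thread.run(Unknown Source)
Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.NamingException: LDAP response read timed out, timeout used:120000ms. [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'DC=generic,DC=com']; remaining name '']
/rest/gadget/1.0/login [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'other_user'.
"""

SKIPPED = re.compile(r"Directory '([^']*)' is not functional during authentication of '([^']*)'")
AUTH_ERR = re.compile(r"Error occurred while trying to authenticate user '([^']*)'")
TIMEOUT = re.compile(r"LDAP response read timed out, timeout used:(\d+)ms")
REFERRAL = re.compile(r"LdapReferralException: [^\[\]]*?remaining name '([^']*)'")

def find_referral_timeouts(log_text):
    """Return one finding per login failure whose trace shows a referral read timeout."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = SKIPPED.search(line)
        if m:  # directory was skipped for this user
            current = {"directory": m.group(1), "user": m.group(2)}
            continue
        m = AUTH_ERR.search(line)
        if m:  # keep the directory only if it belongs to the same user
            if current is None or current["user"] != m.group(1):
                current = {"directory": None, "user": m.group(1)}
            continue
        if current and "PartialResultException" in line:
            t, r = TIMEOUT.search(line), REFERRAL.search(line)
            if t and r:  # both the timeout and the unfollowed referral are present
                findings.append({**current, "timeout_ms": int(t.group(1)),
                                 "referral_dn": r.group(1)})
                current = None
    return findings

if __name__ == "__main__":
    for f in find_referral_timeouts(SAMPLE_LOG):
        print(f)
```
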

Diagnosis

Please verify that the problem is not caused by the 'Follow Referral' option by referring to this article: LDAP user unable to login into JIRA due to "LDAP response read timed out"

If it is not, please proceed to the resolution below.

Cause

Based on this error we can assume two different problems:

Cause 1

The log contains a "PartialResultException". This means that JIRA could not retrieve the whole list of objects from LDAP because it was not able to follow the referral. This might happen when you have sub-domains under the base DN (currently we only support single domains) or if you have DNS issues.

Cause 2

Since your base DN is set to 'DC=generic,DC=com', all objects in your LDAP tree will be checked and, depending on how big your LDAP directory is, the search might exceed the limitations on connecting JIRA to LDAP.

Resolution

To solve this you have two options (one for each of the problems above):

For Cause 1
  • Either specify a different base DN to restrict the search results to a single domain, or disable the referral.
    • To disable the referral, you can change the LDAP port to the global catalog port 3268 instead of 389.
For Cause 2
  • Check if your search results are greater than 10000 (ten thousand) users, 1000 (one thousand) groups, and 20 (twenty) groups per user.
    • Reduce the scope by either specifying a more restrictive base DN or writing a search filter to return only specific users and groups (you can find more information on how to write search filters on this link).
    • If you need to configure JIRA to authenticate against more than 10000 users, you can use Internal with LDAP authentication instead of the Connector directory.

Please see our Troubleshooting LDAP User Management documentation for further assistance with diagnosing LDAP problems.

Last modified on Jun 27, 2022
