症状
All local JIRA Service Desk customers and agents, including local admin accounts, are not able to log into Service Desk at all. The following error is seen on-screen:
Sorry, your username and password are incorrect. Please try again.
The following generic authentication error appears in the atlassian-jira.log
:
2014-10-30 13:06:41,806 http-bio-9000-exec-3 anonymous 786x735516x1 1j5qh57 198.76.89.7,184.28.17.74,204.156.15.149,127.0.0.1 /servicedesk/customer/portal/13/user/login login : 'servicedeskcustomer' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
JIRA is configured to achieve SSO through Crowd. That is: <jira_install>/atlassian-jira/WEB-INF/classes/seraph-config.xml has the Crowd SSO authenticator enabled and the default JIRA authenticator disabled:
<!-- CROWD:START - If enabling Crowd SSO integration uncomment the following SSOSeraphAuthenticator and comment out the JiraSeraphAuthenticator below --> <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/> <!-- CROWD:END --> <!-- CROWD:START - The authenticator below here will need to be commented out for Crowd SSO integration --> <!--authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/--> <!-- CROWD:END -->
原因
When JIRA is configured to achieve SSO through Crowd, only users from Crowd will be allowed to authenticate. Local JIRA users, including administrators, will not be able to log in unless Crowd SSO is disabled.
ソリューション
This problem cannot be resolved by having both Crowd SSO and the JIRA local (internal) directory active at the same time. The only choices are to have Crowd SSO OR the JIRA local (internal) directory, but not both.
To enable the JIRA local (internal) directory, which will disable Crowd SSO:
JIRA Service Desk Customers WILL NOT count toward your JIRA license in this scenario.
You will need to disable Crowd SSO to log in as a local user (or any other non-Crowd user, e.g. an LDAP account):
Jira をシャットダウンします。
Edit <jira_install>/atlassian-jira/WEB-INF/classes/seraph-config.xml
Uncomment the default JIRA authenticator:
<authenticator class="com.atlassian.jira.security.login.JiraSeraphAuthenticator"/>
Comment out the Crowd SSO authenticator:
<!-- <authenticator class="com.atlassian.jira.security.login.SSOSeraphAuthenticator"/> -->
Start JIRA back up
If you do not remember your local administrator username or password, please see the following documentation on how you can locate or reset its password via the database: Retrieving the JIRA Administrator
To enable Crowd SSO to allow JIRA Service Desk Customer's to login, which will disable the JIRA local (internal) directory:
The JIRA Service Desk Customer's WILL COUNT toward your Crowd licensing which will entail additional licensing costs.
In JIRA:
Make sure the connection to the crowd server has both read and write permission
Make sure the crowd server is the top most directory in the "Users Directory" section of JIRA admin
In Crowd:
Make sure the directory associated with JIRA has "Allow all to authenticate" set to true
This ensures that customers created through JIRA Service Desk are created properly in crowd and can authenticate even though they are in no groups.
注意:
Users that have already been created in the local JIRA directory will still be unable to log in while Crowd (SSO) is configured.
Sometimes, there is a short delay after creating a user where Crowd will not have synchronized it's directory with JIRA. It is possible to manually force a sync in the admin UI. During this window, users will also be unable to log in.