Some users unable to login after upgrading JIRA
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
問題
- After upgrading from JIRA 6.1.7 to JIRA 6.4.7 , some users are unable to login.
The following appears in the atlassian-jira
.log2015-07-10 09:23:33,039 http-bio-4443-exec-3 anonymous 563x2792x1 1ipni8u 163.187.166.71 /login.jsp The user 'xxxxx' has FAILED authentication. Failure count equals 1 2015-07-10 09:23:47,551 http-bio-4443-exec-25 anonymous 563x2795x1 1ipni8u 163.187.166.71 /login.jsp login : 'xxxxx' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie. 2015-07-10 09:23:47,585 http-bio-4443-exec-25 anonymous 563x2795x1 1ipni8u 163.187.166.71 /login.jsp The user 'xxxxx' has FAILED authentication. Failure count equals 2- Using delegated authentication ( Copy User on Login )
Found more errors from the atlassian-jira.log
2015-07-07 16:34:47,667 http-bio-4443-exec-19 INFO anonymous 973x768x7 1wkrh1r 163.187.166.71 /login.jsp [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@277930e0 took 1261594ms
2015-07-07 16:34:47,667 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 163.187.166.71 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'XXX LDAP Authentication' is not functional during authentication of 'xxxxx'. Skipped.
2015-07-07 16:34:47,668 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 163.187.166.71 /login.jsp [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'xxxxx'.
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:915)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:80)
...
Caused by: org.springframework.ldap.ServiceUnavailableException: ldap.xxx.com:636; socket closed; nested exception is javax.naming.ServiceUnavailableException: ldap.xxx.com:636; socket closed; remaining name 'o=xxx,c=an'
診断
Diagnostic Steps
Enable DEBUG for the package below via Logging and Profiling:
com.atlassian.jira.login com.atlassian.jira.login.security com.atlassian.crowd.directory.SpringLDAPConnector com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdAuthenticator org.springframework.ldap.core com.atlassian.crowd.embedded com.atlassian.crowd.directory com.sun.jndi.ldap
- We can see that it appears to be doing a lookup on entryUUID
Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(alias=xxxxx))
2015-07-15 13:39:40,920 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://ldap.xxx.com:636'
2015-07-15 13:39:40,942 http-bio-4443-exec-17 INFO anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@10181307 took 3365ms
2015-07-15 13:39:40,942 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Authenticating user 'xxxxx' with DN 'cn=xxxxx xxxxx 452099,ou=employee,o=xxx,c=an'
...
2015-07-15 13:39:41,162 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(entryUUID=xxxxx-20081117))原因
- This is configured in the User Directory configuration.
"ldap.external.id": "entryUUID"- It's the User Unique ID Attribute as per Connecting to an LDAP Directory. This was added in JIRA 6.2 according to the documentations :
This should normally point to a UUID value. Standards-compliant LDAP servers will implement this as 'entryUUID' according to RFC 4530. This setting exists because it is known under different names on some servers, e.g. 'objectGUID' in Microsoft Active Directory.
- According to the RFC 4530 this is supposed to be an available attribute within directory servers, and Sun One has documentation on it here : https://docs.oracle.com/cd/E19623-01/820-6173/def-entry-uuid.html.
ソリューション
- Identify the appropriate unique identifier to set instead of the current value, or remove it from the directory configuration.
Example : Change theentryUUIDwithuidin the directory definition.
Last modified on Mar 30, 2016
Powered by Confluence and Scroll Viewport.