Some users unable to login after upgrading JIRA

Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Problem

  1. After upgrading from JIRA 6.1.7 to JIRA 6.4.7, some users are unable to log in.
  2. The following appears in atlassian-jira.log:

    2015-07-10 09:23:33,039 http-bio-4443-exec-3 anonymous 563x2792x1 1ipni8u 163.187.166.71 /login.jsp The user 'xxxxx' has FAILED authentication. Failure count equals 1
    2015-07-10 09:23:47,551 http-bio-4443-exec-25 anonymous 563x2795x1 1ipni8u 163.187.166.71 /login.jsp login : 'xxxxx' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
    2015-07-10 09:23:47,585 http-bio-4443-exec-25 anonymous 563x2795x1 1ipni8u 163.187.166.71 /login.jsp The user 'xxxxx' has FAILED authentication. Failure count equals 2
  3. Delegated authentication (Copy User on Login) is in use.
  4. Further errors appear in atlassian-jira.log:

    2015-07-07 16:34:47,667 http-bio-4443-exec-19 INFO anonymous 973x768x7 1wkrh1r 163.187.166.71 /login.jsp [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@277930e0 took 1261594ms
    2015-07-07 16:34:47,667 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 163.187.166.71 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'XXX LDAP Authentication' is not functional during authentication of 'xxxxx'. Skipped.
    2015-07-07 16:34:47,668 http-bio-4443-exec-19 ERROR anonymous 973x768x7 1wkrh1r 163.187.166.71 /login.jsp [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'xxxxx'.
    com.atlassian.crowd.exception.runtime.OperationFailedException
        at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:915)
        at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:80)
    ...
    Caused by: org.springframework.ldap.ServiceUnavailableException: ldap.xxx.com:636; socket closed; nested exception is javax.naming.ServiceUnavailableException: ldap.xxx.com:636; socket closed; remaining name 'o=xxx,c=an'

Diagnosis

Diagnostic Steps

  • Enable DEBUG for the packages below via Logging and Profiling:

    com.atlassian.jira.login 
    com.atlassian.jira.login.security
    com.atlassian.crowd.directory.SpringLDAPConnector
    com.atlassian.crowd.embedded.atlassianuser.EmbeddedCrowdAuthenticator
    org.springframework.ldap.core
    com.atlassian.crowd.embedded
    com.atlassian.crowd.directory
    com.sun.jndi.ldap
  • The debug log shows that JIRA appears to be performing a lookup on entryUUID:

    Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(alias=xxxxx))
    2015-07-15 13:39:40,920 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [ldap.core.support.AbstractContextSource] Got Ldap context on server 'ldaps://ldap.xxx.com:636'
    2015-07-15 13:39:40,942 http-bio-4443-exec-17 INFO anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@10181307 took 3365ms
    2015-07-15 13:39:40,942 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Authenticating user 'xxxxx' with DN 'cn=xxxxx xxxxx  452099,ou=employee,o=xxx,c=an'
    ...
    2015-07-15 13:39:41,162 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 163.187.166.71 /rest/gadget/1.0/login [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=xxx,c=an - filter = (&(objectclass=inetorgperson)(entryUUID=xxxxx-20081117))
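
One way to pull the same evidence out of a DEBUG-level atlassian-jira.log is sketched below. This is an added example, not Atlassian code: the function names, the 30-second slow-search threshold and the sample lines (constructed, modelled on the excerpts above) are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the atlassian-jira.log layout shown above (values are made up).
SAMPLE_LOG = """\
2015-07-15 13:39:40,942 http-bio-4443-exec-17 INFO anonymous 819x11718x4 - 192.0.2.10 /login.jsp [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@10181307 took 3365ms
2015-07-15 13:39:40,950 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 192.0.2.10 /login.jsp [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=example,c=an - filter = (&(objectclass=inetorgperson)(alias=jdoe))
2015-07-15 13:39:41,162 http-bio-4443-exec-17 DEBUG anonymous 819x11718x4 - 192.0.2.10 /login.jsp [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = o=example,c=an - filter = (&(objectclass=inetorgperson)(entryUUID=jdoe-20081117))
2015-07-15 14:00:47,667 http-bio-4443-exec-19 INFO anonymous 973x768x7 - 192.0.2.10 /login.jsp [crowd.directory.ldap.SpringLdapTemplateWrapper] Timed call for search using searchexecutor com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$11@277930e0 took 1261594ms
2015-07-15 14:00:47,667 http-bio-4443-exec-19 ERROR anonymous 973x768x7 - 192.0.2.10 /login.jsp [crowd.manager.application.ApplicationServiceGeneric] Directory 'Example LDAP' is not functional during authentication of 'jdoe'. Skipped.
"""

FILTER_RE = re.compile(r"Performing user search: baseDN = (.+?) - filter = (\(.*\))\s*$")
ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)=")  # attribute name of each filter term
TIMED_RE = re.compile(r"Timed call for search .* took (\d+)ms")
DOWN_RE = re.compile(r"Directory '([^']*)' is not functional during authentication of '([^']*)'")


def analyse(log_text, slow_ms=30000, ignore=("objectclass",)):
    """Collect LDAP filter attributes, slow searches and skipped directories.

    slow_ms is an assumed threshold; tune it to the directory's normal latency.
    """
    report = {"filter_attrs": Counter(), "slow_searches": [], "skipped": []}
    for line in log_text.splitlines():
        ts = line[:23]  # 'YYYY-MM-DD HH:MM:SS,mmm'
        if (m := FILTER_RE.search(line)):
            for attr in ATTR_RE.findall(m.group(2)):
                if attr.lower() not in ignore:
                    report["filter_attrs"][attr] += 1
        elif (m := TIMED_RE.search(line)):
            if int(m.group(1)) >= slow_ms:
                report["slow_searches"].append((ts, int(m.group(1))))
        elif (m := DOWN_RE.search(line)):
            report["skipped"].append((ts, m.group(1), m.group(2)))
    return report


def external_id_lookups(report, username_attr):
    """Attributes searched on other than the configured username attribute."""
    return sorted(a for a in report["filter_attrs"] if a.lower() != username_attr.lower())


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    print("non-username lookups:", external_id_lookups(rep, "alias"))
    print("slow searches:", rep["slow_searches"])
    print("skipped directories:", rep["skipped"])
```

Any attribute reported by `external_id_lookups` should match the unique ID attribute set in the directory configuration and must exist on the LDAP server.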

Cause

  • The attribute is set in the User Directory configuration:

    "ldap.external.id": "entryUUID"

  • It is the User Unique ID Attribute described in Connecting to an LDAP Directory. It was added in JIRA 6.2. According to the documentation:
    This should normally point to a UUID value. Standards-compliant LDAP servers will implement this as 'entryUUID' according to RFC 4530. This setting exists because it is known under different names on some servers, e.g. 'objectGUID' in Microsoft Active Directory.
  • According to RFC 4530, this attribute is supposed to be available within directory servers, and Sun One documents it here: https://docs.oracle.com/cd/E19623-01/820-6173/def-entry-uuid.html.

Resolution

  1. Identify the appropriate unique identifier to set instead of the current value, or remove it from the directory configuration.
    Example: replace entryUUID with uid in the directory definition.
Last modified on Mar 30, 2016
