Jira にログインできない (LDAP: エラー コード 49、データ 52e)
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Server* 製品のサポートは 2024 年 2 月 15 日をもって終了します。Server 製品を利用している場合は、Atlassian Server のサポート終了のお知らせページにて移行オプションをご確認ください。
*Fisheye および Crucible は除く
問題
Users are unable to log in. Nothing has changed in JIRA side.
The following appears in the atlassian-jira.log:
2017-10-25 14:13:07,009 ERROR [scheduler_Worker-3] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 31064065 ].
com.atlassian.crowd.exception.OperationFailedException: Error looking up attributes for highestCommittedUSN
at com.atlassian.crowd.directory.MicrosoftActiveDirectory.fetchHighestCommittedUSN(MicrosoftActiveDirectory.java:847)
...
Caused by: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]
原因
LDAP Error 49 data 52e means that the credentials of the user configured to bind LDAP directory with JIRA are incorrect, as described here: https://confluence.atlassian.com/kb/common-user-management-errors-820119309.html#CommonUserManagementErrors-ActiveDirectoryError49
This can happen when that user is either removed or has its password changed from LDAP side.
ソリューション 1
Follow the steps outlined at Restore Passwords To Recover Admin User Rights. By doing so, you'll be able to access the User Directory settings and change the "Username" field with a valid admin user or change the "Password" field with the new password, allowing JIRA to connect to LDAP.
As an alternative to Recovery Mode, you could utilize auth_fallback by following the guide: Bypass SAML authentication for Jira Data Center
ソリューション 2
Alternatively, you can run the following query against your database to find out which one is the admin account that JIRA uses to connect to the LDAP:
SELECT * FROM cwd_directory_attribute WHERE attribute_name = 'ldap.userdn';
Note: The query may return multiple results in case you have more than one User Directory in your JIRA instance.
Re-adding the user back to the LDAP with the same password should resolve the issue.
ソリューション 3
As JIRA storing LDAP Login credential in the database without encryption, you may also update those LDAP credential in your database:
lDAP Password Field
Select * from cwd_directory_attribute where attribute_name = 'ldap.password'
LDAP User Name Field
SELECT * FROM cwd_directory_attribute WHERE attribute_name = 'ldap.userdn';
attribute_value is the fields which storing those data.
Always perform a backup before you perform edit/update query in the database. It is also highly recommended for you to perform this in a test instance before proceeding with production instance.