JIRA and Confluence can authenticate users from LDAP directories, such as Microsoft's Active Directory. In fact it is common to have multiple LDAP directories configured, one after another:
Here we have two AD servers configured for redundancy – and just as well, as the first is failing.
Normally you manipulate the User Directories via the web interface, using an Internal directory user for preference (because it is always available regardless of LDAP state). However the Internal account won't work if:
- You've forgotten the Internal user password. In that case, see Resetting a user password in the database.
- The JIRA Internal Directory is disabled.
- The order of directories is wrong. For instance, your admin user account in the JIRA Internal Directory might not be working because there is an admin in a higher-precedence directory (TX-DC1 in the example above).
Here we describe how to fix the last two scenarios with database edits.
Enabling and reordering the Internal Directory
Run the following query on the cwd_directory table to see what's going on with directory ordering.
    mysql> select id, directory_name, active, description, directory_position from cwd_directory;
    +-------+-------------------------+--------+---------------------------------+--------------------+
    | id    | directory_name          | active | description                     | directory_position |
    +-------+-------------------------+--------+---------------------------------+--------------------+
    |     1 | JIRA Internal Directory |      0 | JIRA default internal directory |                  2 |
    | 10200 | TX-DC2                  |      1 | NULL                            |                  1 |
    | 10201 | TX-DC1                  |      1 | NULL                            |                  0 |
    +-------+-------------------------+--------+---------------------------------+--------------------+
    3 rows in set (0.00 sec)
In this example we have two LDAP directories configured, plus the internal directory. However notice that:
- The active flag is set to 0 for JIRA Internal Directory, meaning it is disabled.
- The directory_position order (0, 1, 2) indicates that JIRA Internal Directory is last to be consulted, meaning if admin is present in one of the two LDAPs, the password would be checked against LDAP first.
Enabling a disabled directory
If the internal directory is disabled, enable it with:
    mysql> update cwd_directory set active=1 where id=1;
Reordering directories (if necessary)
To check whether admin comes from LDAP or just the Internal directory, run:
    mysql> select user_name, directory_id from cwd_user where user_name='admin';
    +-----------+--------------+
    | user_name | directory_id |
    +-----------+--------------+
    | admin     |            1 |
    +-----------+--------------+
    1 row in set (0.00 sec)
If admin comes from multiple directories, you'll see more than one line returned. If so, run SQL to reorder the directories (if not, don't bother):
    mysql> -- !!NOTE!! adapt the id refs for your system
    mysql> update cwd_directory set directory_position=0 where id=1;
    mysql> update cwd_directory set directory_position=2 where id=10201;
Then restart JIRA/Confluence for the change to take effect.
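The same recovery as one reviewable script, as an added example that is not part of the original page: it backs up the table, lists every user name that exists in more than one directory (not just admin), then applies the enable and reorder steps in a transaction with a check for duplicate positions. The table and column names are the ones queried above; the backup table name cwd_directory_backup and the ids 1 and 10201 are assumptions taken from the sample output and must be adapted.

```sql
-- Added example. Ids 1 and 10201 come from the sample output above; adapt them.
-- cwd_directory_backup is an assumed name for the safety copy.

-- 1. Keep a copy of the directory table before editing it.
CREATE TABLE cwd_directory_backup AS SELECT * FROM cwd_directory;

-- 2. List every user name present in more than one directory, with the
--    directories in the order they are consulted (lowest position first).
--    The first row per user_name is the directory that currently wins.
SELECT u.user_name,
       d.id AS directory_id,
       d.directory_name,
       d.active,
       d.directory_position
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE u.user_name IN (
        SELECT user_name
        FROM cwd_user
        GROUP BY user_name
        HAVING COUNT(DISTINCT directory_id) > 1)
ORDER BY u.user_name, d.directory_position;

-- 3. Enable the internal directory and swap it with the first LDAP
--    directory inside one transaction, so a mistake can be rolled back.
START TRANSACTION;
UPDATE cwd_directory SET active = 1 WHERE id = 1;
UPDATE cwd_directory SET directory_position = 0 WHERE id = 1;
UPDATE cwd_directory SET directory_position = 2 WHERE id = 10201;

-- 4. Sanity check: each position should be used by exactly one directory.
--    This query must return no rows before you commit.
SELECT directory_position, COUNT(*) AS n
FROM cwd_directory
GROUP BY directory_position
HAVING COUNT(*) > 1;

-- 5. COMMIT if step 4 returned nothing, otherwise ROLLBACK and recheck the ids.
COMMIT;
```

Once the internal directory is first, any internal account that shares a name with an LDAP user takes precedence over it, so review the rows from step 2 and drop cwd_directory_backup once the web interface is reachable again.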