Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
6.3.12, 6.3.13, 6.3.15, 6.4.4, 6.4.6, 6.4.7, 6.4.8, 6.4.11, 8.1.0
-
6.03
-
51
-
Severity 3 - Minor
-
2
-
Description
Expected behavior
Users are able to login with LDAP password after being migrated from an Internal Directory to a Delegated LDAP, regardless of already being present in the target directory or not.
Actual behavior
Users are either presented with a 500 error on the browser when trying to login or are unable to get past the login screen at all.
In the former scenario, when expanding details of the error, the below stack trace is seen on the browser and nothing is thrown at the logs.
Cause Referer URL: http://127.0.0.1:8080/login.jsp java.lang.IllegalArgumentException: guid should be of length 32 (as encoded by getGUIDAsString) java.lang.IllegalArgumentException: guid should be of length 32 (as encoded by getGUIDAsString) at com.google.common.base.Preconditions.checkArgument(Preconditions.java:88) at com.atlassian.crowd.directory.ldap.util.GuidHelper.encodeGUIDForSearch(GuidHelper.java:59) at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.encodeValue(EqualsExternalIdFilter.java:28) at org.springframework.ldap.filter.CompareFilter.<init>(CompareFilter.java:39) at org.springframework.ldap.filter.EqualsFilter.<init>(EqualsFilter.java:40) at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.<init>(EqualsExternalIdFilter.java:15) at com.atlassian.crowd.search.ldap.ActiveDirectoryQueryTranslaterImpl.getStringTermEqualityFilter(ActiveDirectoryQueryTranslaterImpl.java:81) at com.atlassian.crowd.search.ldap.LDAPQueryTranslaterImpl.stringTermRestrictionAsFilter(LDAPQueryTranslaterImpl.java:209) at com.atlassian.crowd.search.ldap.LDAPQueryTranslaterImpl.searchRestrictionAsFilter(LDAPQueryTranslaterImpl.java:70) at com.atlassian.crowd.search.ldap.LDAPQueryTranslaterImpl.asLDAPFilter(LDAPQueryTranslaterImpl.java:40) at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:642) at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByExternalId(SpringLDAPConnector.java:613) at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByExternalId(SpringLDAPConnector.java:107) at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticateAndUpdateOrCreate(DelegatedAuthenticationDirectory.java:256) at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticate(DelegatedAuthenticationDirectory.java:184) at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:291) at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:141) at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68) at com.atlassian.crowd.embedded.core.DelegatingCrowdService.authenticate(DelegatingCrowdService.java:35) at com.atlassian.crowd.embedded.core.FilteredCrowdServiceImpl.authenticate(FilteredCrowdServiceImpl.java:51) at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:89) at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:54) at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:97) at com.atlassian.seraph.filter.PasswordBasedLoginFilter.runAuthentication(PasswordBasedLoginFilter.java:132) at com.atlassian.seraph.filter.PasswordBasedLoginFilter.login(PasswordBasedLoginFilter.java:77) at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:134) at com.atlassian.jira.web.filters.JiraLoginFilter.doFilter(JiraLoginFilter.java:70) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:79) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:99) at com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:19) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:71) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176) at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145) at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92) at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:82) at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:59) at com.atlassian.jira.web.filters.gzip.JiraGzipFilter.doFilter(JiraGzipFilter.java:55) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) at com.atlassian.analytics.client.filter.JiraAnalyticsFilter.doFilter(JiraAnalyticsFilter.java:40) at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:70) at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:61) at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:78) at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77) at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:87) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.core.filters.cache.AbstractCachingFilter.doFilter(AbstractCachingFilter.java:33) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.core.filters.encoding.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:41) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at com.atlassian.jira.web.filters.PathMatchingEncodingFilter.doFilter(PathMatchingEncodingFilter.java:49) at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.jira.startup.JiraStartupChecklistFilter.doFilter(JiraStartupChecklistFilter.java:79) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.jira.web.filters.MultipartBoundaryCheckFilter.doFilter(MultipartBoundaryCheckFilter.java:41) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:87) at com.atlassian.jira.web.filters.JiraFirstFilter.doFilter(JiraFirstFilter.java:60) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:744)
In the latter case, the below is shown on the atlassian-security.log
2015-12-02 11:34:25,508 http-bio-8080-exec-21 anonymous 694x255x1 qalb93 192.168.1.10:53150,192.168.1.97 /rest/gadget/1.0/login login : 'jirauser' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie. 2015-12-02 11:34:25,508 http-bio-8080-exec-21 anonymous 694x255x1 qalb93 192.168.1.10:53150,192.168.1.97 /rest/gadget/1.0/login The user 'jirauser' has FAILED authentication. Failure count equals 2
Steps to reproduce
- Create a user on the internal directory with the same name as an LDAP user;
- Create a directory of type Internal Directory with LDAP Authentication with the "Copy user on login" option unchecked;
- Migrate users from the default Internal Directory to the Delegated one;
Users can login successfully with LDAP password. - Edit the Delegated directory to "Copy user on login";
Problem occurs.
Environment
- Able to reproduce with AD, but not with OpenLDAP;
Resolution
This workaround involves manual manipulation of the JIRA's database, please perform any change on a test environment first before applying into production and make sure to have an up-to-date backup.
- Stop JIRA;
- Get the directory's ID;
SELECT id AS "ID", directory_name AS "Name" FROM cwd_directory WHERE directory_type = DELEGATING;
- Remove the value for external_id of the migrated users directly on the cwd_user table in JIRA's database;
- For MySQL and PostgreSQL
UPDATE cwd_user SET external_id = '' WHERE directory_id = <directory-id>
- For SQL Server:
UPDATE cwd_user SET external_id = NULL WHERE directory_id = <directory-id>
- For MySQL and PostgreSQL
- Restart JIRA;
Attachments
Issue Links
- was cloned as
-
CONFSERVER-58014 Migrated users that already existed on LDAP directory are unable to login
- Long Term Backlog