Jira Data Center / JRASERVER-67560

Application Access page crashes if it lists a deleted LDAP group

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • 7.4.4, 7.8.1, 7.12.1, 7.12.3, 9.12.8, 9.15.2
    • None

      Summary

      Application Access page crashes if it lists a deleted LDAP group.

      Environment

      • Jira Server 7.4.4
      • Windows Server 2012 R2
      • Microsoft Active Directory (it possibly also breaks with other OSes and/or LDAP servers)
      • Tested and verified on Jira Software 7.12.1, Crowd 3.2.2 and OpenLDAP as well

      Steps to Reproduce

      On Active Directory
      1. Create a new group
      2. Make sure it's created under the Base DN and/or OU Jira syncs with
      On Jira
      1. Confirm whether directory synchronization completed successfully
      2. Select Cog > Applications
      3. Select Application access
      4. In the Select group... dropdown menu, select the new LDAP group
      Back on Active Directory
      1. Find and delete the group
      Back on Jira
      1. Confirm whether directory synchronization completed successfully
      2. Select Cog > Applications
      3. Select Application access

      Expected Results

      The Application access page loads correctly and lists the remaining groups.

      Actual Results

      The Application access page crashes and gets stuck on a message stating "The group named 'XYZ' does not exist". Although the page offers the option to refresh, the error never goes away, making it impossible to manage application access from then on.

      Directory synchronization removes the group information from almost all database tables, except for licenserolesgroup. This is confirmed by the following query:

      SELECT * FROM licenserolesgroup WHERE group_id = 'deleted_ldap_group';
      

      NOTE:

      This can also be triggered by renaming a group in the external directory: the group_id in the licenserolesgroup table is not updated to the new group name, and the original group is still used.
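
An added example, not part of the original issue or Atlassian's code: a read-only check that lists every licenserolesgroup row whose group no longer exists in any directory, which covers both the deleted and the renamed case without knowing the group name in advance. The in-memory SQLite tables and sample rows are constructed; cwd_group, lower_group_name and license_role_name are assumed names from the Jira schema (only licenserolesgroup.group_id appears on this page).

```python
import sqlite3

# Anti-join: application access grants whose group is gone from every directory.
# Only licenserolesgroup.group_id appears on the page; cwd_group.lower_group_name
# and license_role_name are assumptions about the Jira schema.
ORPHAN_QUERY = """
SELECT lrg.license_role_name, lrg.group_id
FROM licenserolesgroup lrg
LEFT JOIN cwd_group g ON g.lower_group_name = LOWER(lrg.group_id)
WHERE g.id IS NULL
ORDER BY lrg.group_id
"""


def build_sample_db():
    """Constructed stand-in for the two tables, populated with sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cwd_group (id INTEGER PRIMARY KEY, group_name TEXT,
                                lower_group_name TEXT, directory_id INTEGER);
        CREATE TABLE licenserolesgroup (id INTEGER PRIMARY KEY,
                                        license_role_name TEXT, group_id TEXT);
    """)
    # State after a sync: 'deleted_ldap_group' was deleted in LDAP and
    # 'old-team' was renamed to 'New-Team'; both grants were left behind.
    db.executemany("INSERT INTO cwd_group VALUES (?, ?, ?, ?)", [
        (1, "jira-software-users", "jira-software-users", 1),
        (2, "New-Team", "new-team", 2),
    ])
    db.executemany("INSERT INTO licenserolesgroup VALUES (?, ?, ?)", [
        (10, "jira-software", "jira-software-users"),
        (11, "jira-software", "deleted_ldap_group"),
        (12, "jira-servicedesk", "old-team"),
    ])
    return db


def find_orphaned_grants(db):
    """Return (application, group_id) pairs that reference a missing group."""
    return db.execute(ORPHAN_QUERY).fetchall()


if __name__ == "__main__":
    for app, group in find_orphaned_grants(build_sample_db()):
        print(f"orphaned grant: application={app} group_id={group}")
```

Each group_id it returns is a candidate for the DELETE in Workaround 1; a grant left in place would apply again to any group later created with the same name.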

      Workaround 1

      Backend fix, requires downtime

      1. Stop Jira
      2. Run the following query to remove the group from licenserolesgroup:
        DELETE FROM licenserolesgroup WHERE group_id = 'deleted_ldap_group';
        
      3. Restart Jira

      Workaround 2

      Front-end fix, no restart required

      1. Create an empty group in the external directory with the same name as the original group
      2. Synchronize the directory (end users may be logged out and need to wait to log back in after the sync completes)
      3. Go to Application access and remove the group tied to the new empty group
        • If the group was renamed rather than deleted, add the renamed group to allow access for those users
      4. Delete the empty group from the external directory to clean up

              Assignee: Unassigned
              Reporter: Rafael Parmigiani (rparmigiani)
              Votes: 12
              Watchers: 17