Users synced from an LDAP directory can't be added to a Jira local group from the Jira UI under some conditions


    • 7.08
    • 8
    • Severity 3 - Minor
    • 1

      Summary

      Users synced from an LDAP directory can't be added to a Jira local group from the Jira UI if the following two conditions are met:

      • this group exists in both the Jira internal directory and in the LDAP server
      • the LDAP directory is configured in Jira as Read Only, with Local Groups

      Steps to Reproduce

      • Configure a new LDAP directory in Jira via ⚙ > User Management > User directories
      • On the LDAP server side, create:
        • a new group that already exists in Jira. For example "jira-administrators"
        • a new user. For example "sa". Make sure that this user is not part of the group "jira-administrators" on the LDAP server side
      • Sync the LDAP directory with Jira via ⚙ > User Management > User directories
      • Go to ⚙ > User Management > Users, and verify that the user was synced into Jira
      • Go to the page ⚙ > User Management > Groups
      • Click on the Edit members link next to the group "jira-administrators"
      • Try to add the LDAP user "sa" to the group "jira-administrators"

      Expected Results

      This user should be added to the group, since:

      • the LDAP directory is configured in Jira as Read Only, with Local Groups
      • the group "jira-administrators" exists in Jira's internal directory

      Actual Results

      The following error is thrown in the logs:

      You cannot add user 'sa' to group 'jira-administrators'. The user's directory is read only.
      

      When running the following SQL query, we can see that the group 'jira-administrators' exists twice in the cwd_group table: once in the internal directory (directory_id = 1, group id 10000) and once in the LDAP directory (directory_id = 10100, group id 10710).

       select * from cwd_group where lower_group_name = 'jira-administrators';
        id   |     group_name      |  lower_group_name   | active | local |        created_date        |        updated_date        | description | lower_description | group_type | directory_id 
      -------+---------------------+---------------------+--------+-------+----------------------------+----------------------------+-------------+-------------------+------------+--------------
       10710 | jira-administrators | jira-administrators |      1 |     1 | 2020-06-05 16:08:55.584+02 | 2020-06-05 16:08:55.584+02 |             |                   | GROUP      |        10100
       10000 | jira-administrators | jira-administrators |      1 |     0 | 2013-02-28 11:57:51.326+01 | 2013-02-28 11:57:51.326+01 |             |                   | GROUP      |            1
      

      Note that the local column is set to 1 for the copy of the group that belongs to the LDAP directory (directory_id = 10100, group id 10710). Normally, local = 1 means that the membership of this group should be managed locally in Jira (since the LDAP directory is configured as Read Only, with Local Groups). However, this setting appears to be ignored: Jira instead tries to add the user to the group 'jira-administrators' directly on the LDAP server. This operation fails, since Jira does not have write permission in the LDAP directory.
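      The query in the report looks up one group name by hand. The following added queries (not part of the original report) generalise that check to every group that exists in more than one directory, and then show which copy of the group actually holds the membership rows. They assume a PostgreSQL database, as in the output above, and the standard Jira Crowd-embedded tables cwd_group, cwd_directory (columns id, directory_name, directory_type) and cwd_membership (columns parent_id, child_id, directory_id); those column names are assumptions taken from the Jira schema, not from this page.

```sql
-- Added diagnostic queries for the duplicated-group condition described in this report.
-- Not Jira's own code. Assumes PostgreSQL and the Jira tables cwd_group, cwd_directory
-- and cwd_membership with the column names used below.

-- 1. Every active group name that exists in more than one user directory, with the
--    directory each copy lives in and the value of the "local" flag on that copy.
--    A row here for a group you manage from the Jira UI is the precondition for
--    "The user's directory is read only." when the LDAP directory is Read Only, with Local Groups.
SELECT g.lower_group_name,
       COUNT(*) AS copies,
       string_agg(
           d.directory_name || ' (directory_id=' || d.id
           || ', type=' || d.directory_type
           || ', group_id=' || g.id
           || ', local=' || g.local || ')',
           '; ' ORDER BY d.id
       ) AS locations
FROM cwd_group g
JOIN cwd_directory d ON d.id = g.directory_id
WHERE g.active = 1
GROUP BY g.lower_group_name
HAVING COUNT(*) > 1
ORDER BY g.lower_group_name;

-- 2. For one duplicated group, count the membership rows held by each copy.
--    With Read Only + Local Groups, memberships added from Jira should land on the
--    copy in the internal directory (directory_id = 1 in this report); an empty count
--    there after an apparently successful "add" from the Users page is the
--    "nothing happens" symptom described below.
SELECT d.id            AS directory_id,
       d.directory_name,
       d.directory_type,
       g.id            AS group_id,
       g.local,
       COUNT(m.child_id) AS members
FROM cwd_group g
JOIN cwd_directory d ON d.id = g.directory_id
LEFT JOIN cwd_membership m
       ON m.parent_id = g.id
      AND m.directory_id = g.directory_id
WHERE g.lower_group_name = 'jira-administrators'
GROUP BY d.id, d.directory_name, d.directory_type, g.id, g.local
ORDER BY d.id;
```

      Run both against a read-only replica or a maintenance-window copy of the database; nothing here writes, but the first query scans cwd_group in full. If the first query returns no rows, the group name is not duplicated and this bug does not apply.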

      Other symptom

      When trying to add the user to the group 'jira-administrators' from the page ⚙ > User Management > Users instead, nothing happens:

      • no error is thrown in the UI
      • the group is not added to the user

      Workaround

      Workaround 1

      The workaround consists in temporarily configuring the LDAP directory as Read/Write in Jira, and then adding the user to the group 'jira-administrators'.
      Note that:
      • With such a configuration, when the user is added to the group 'jira-administrators' from the Jira UI, this user will also be added to this group on the LDAP server side.
      • If you set the LDAP directory back to Read Only, with Local Groups, and then try to remove the user from the group 'jira-administrators' from the page ⚙ > User Management > Groups, you'll get the error below. In other words, you will need to set this LDAP directory back to Read/Write whenever you want to update the members of the group 'jira-administrators'.

      You cannot remove user 'sa' from group 'jira-administrators'. The user's directory is read only.
      

      Workaround 2

      • Remove the group 'jira-administrators' from the LDAP server. This way, the members of this group will be managed entirely on the Jira side.
      • Sync the LDAP directory in Jira via ⚙ > User Management > User directories
      • Add the user to the group 'jira-administrators' from the Jira UI

        1. Screenshot1.png
          53 kB
          Julien Rey
        2. Screenshot2.png
          205 kB
          Julien Rey

            Assignee:
            Unassigned
            Reporter:
            Julien Rey (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue
