Type: Bug
Resolution: Unresolved
Priority: Low
Affects Version/s: 8.20.10, 8.20.12
Component/s: User Management - LDAP Integration
Severity 3 - Minor
Issue Summary
This is reproducible on Data Center: yes
After importing an XML backup that includes LDAP configuration on a new server, the directory sync fails and the LDAP users are not able to log in.
We also noticed a 'Data 52e' ERROR which refers to an encryption error. When checking the XML backup or the DB directly for ldap.password, you will see that the path of the encryption key file is stored in the DB alongside the encrypted value. Example in entities.xml:
<DirectoryAttribute directoryId="10000" name="ldap.password" value="{AES_CBC_PKCS5Padding}{"keyFilePath":"KEY_DIR/javax.crypto.spec.SecretKeySpec_1665655916859"}..."
The problem only seems to happen when restoring the DB backup to a different server: the encryption key file name is restored together with the rest of the DB, but the key file itself does not exist on the new server, so the sync cannot decrypt the password and fails. Editing the directory and re-entering the password creates a new encryption key file in the relevant directory and updates the file name in the DB, after which the sync works.
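As an added pre-restore check (not Atlassian's code and not part of this report), the script below parses an entities.xml export, reads the keyFilePath out of every encrypted ldap.password value in the format shown above, and reports key files that do not exist on the host it runs on. The DirectoryAttribute element and ldap.password name come from the example above; the key paths and the sample export are constructed.

```python
"""Check a Jira entities.xml export for ldap.password values whose encryption
key file is missing on this host (the condition that breaks LDAP sync)."""
import json
import os
import xml.etree.ElementTree as ET

ENC_PREFIX = "{AES_CBC_PKCS5Padding}"

# Constructed sample export, not a real backup; key paths are assumed. Only the
# value layout {AES_CBC_PKCS5Padding}{"keyFilePath":"..."}<ciphertext> is real.
SAMPLE_ENTITIES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<entity-engine-xml>
  <DirectoryAttribute directoryId="10000" name="ldap.url" value="ldap://ldap.example.test:389"/>
  <DirectoryAttribute directoryId="10000" name="ldap.password"
    value='{AES_CBC_PKCS5Padding}{"keyFilePath":"/var/jira-home/keys/javax.crypto.spec.SecretKeySpec_1665655916859"}Q2lwaGVydGV4dA=='/>
  <DirectoryAttribute directoryId="10001" name="ldap.password"
    value='{AES_CBC_PKCS5Padding}{"keyFilePath":"/var/jira-home/keys/javax.crypto.spec.SecretKeySpec_1700000000000"}Q2lwaGVydGV4dA=='/>
</entity-engine-xml>
"""

def key_file_path(value):
    """keyFilePath named in an encrypted ldap.password value, else None."""
    if not value.startswith(ENC_PREFIX):
        return None  # plaintext or another storage format: nothing to check
    try:  # decode only the leading JSON header; the ciphertext follows it
        header, _ = json.JSONDecoder().raw_decode(value[len(ENC_PREFIX):])
    except json.JSONDecodeError:
        return None
    return header.get("keyFilePath")

def find_missing_key_files(xml_text, exists=os.path.isfile):
    """Map directoryId -> keyFilePath for each encrypted ldap.password whose
    key file is absent. `exists` is injectable for tests or staged home dirs."""
    missing = {}
    for attr in ET.fromstring(xml_text).iter("DirectoryAttribute"):
        if attr.get("name") != "ldap.password":
            continue
        path = key_file_path(attr.get("value", ""))
        if path is not None and not exists(path):
            missing[attr.get("directoryId")] = path
    return missing

if __name__ == "__main__":  # run on the destination server before/after import
    for directory_id, path in sorted(find_missing_key_files(SAMPLE_ENTITIES_XML).items()):
        print(f"directory {directory_id}: key file {path} missing; re-enter the LDAP password after import")
```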
Steps to Reproduce
- Setup Jira 8.20.10.
- Configure remote LDAP User directory.
- Create an XML backup from the Jira instance.
- Import the XML backup on a new Jira server.
- Once the import is done, try to log in as an LDAP user, or connect with a local admin and try to perform a sync.
Expected Results
The LDAP users should be able to log in on the new instance. The sync should work after importing the XML backup.
Actual Results
The exception below is thrown in the atlassian-jira.log file when LDAP users attempt to log in:
2022-09-01 11:59:33,678+0300 Caesium-1-3 ERROR ServiceRunner [c.a.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ]. com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 57, v4563]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 57, v4563]
Workaround
Temporary Solution: Log in as local admin, update the remote LDAP directory configuration, re-enter the user password and save the changes.
Note
The symptoms are similar to JRASERVER-73875, so it may be related.