JIRA and Confluence can authenticate users from LDAP directories, such as Microsoft's Active Directory. In fact it is common to have multiple LDAP directories configured, one after another:
Here we have two AD servers configured for redundancy – and just as well, as the first is failing.
Normally you manipulate the User Directories via the web interface, preferably using an `Internal` directory user (because it is always available regardless of LDAP state). However, the `Internal` account won't work if:
- You've forgotten the `Internal` user password. In that case, see Resetting a user password in the database.
- The `JIRA Internal Directory` is disabled.
- The order of directories is wrong. For instance, your `admin` user account in the `JIRA Internal Directory` might not be working because there is an `admin` in a higher-precedence directory (`TX-DC1` in the example above).
Here we describe how to fix the last two scenarios with database edits.
Enabling and reordering the Internal Directory
Run the following query on the `cwd_directory` table to see what's going on with directory ordering.
In this example we have two LDAP directories configured, plus the internal directory. However, notice that:
- The `active` flag shows that `JIRA Internal Directory` is disabled.
- The `directory_position` order (0, 1, 2) indicates that `JIRA Internal Directory` is last to be consulted, meaning that if `admin` is present in one of the two LDAPs, the password would be checked against LDAP first.
Enabling a disabled directory
If the internal directory is disabled, enable it with:
Reordering directories (if necessary)
To check whether `admin` comes from LDAP or just the Internal directory, run:
If `admin` comes from multiple directories, you'll see more than one line returned. If so, run SQL to reorder the directories (if not, don't bother):
Then restart JIRA/Confluence for the change to take effect.
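The inspect, enable and reorder steps described above, combined into one transaction so the result can be reviewed before it is committed. This is an added example, not the original page's queries; it assumes PostgreSQL syntax, a Jira schema in which `cwd_user.directory_id` references `cwd_directory.id`, an integer `active` flag where 1 means enabled, and the `JIRA Internal Directory` name used on this page.

```sql
-- Added example (not from the original page). Back up the database first.
BEGIN;

-- 1. Current state: which directories are enabled, and in what order?
SELECT id, directory_name, active, directory_position
FROM cwd_directory
ORDER BY directory_position;

-- 2. Enable the internal directory.
--    Assumption: active is an integer column and 1 means enabled.
UPDATE cwd_directory
SET active = 1
WHERE directory_name = 'JIRA Internal Directory';

-- 3. Which directories hold an 'admin' user?
--    Assumption: cwd_user.directory_id references cwd_directory.id.
--    More than one row means 'admin' exists in several directories, and the
--    row with the lowest directory_position is the one consulted first.
SELECT d.directory_name, d.directory_position, u.user_name
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE u.user_name = 'admin'
ORDER BY d.directory_position;

-- 4. Run only if step 3 returned more than one row AND the internal directory
--    is last, as in the page's example. Moves the internal directory to
--    position 0 and shifts every other directory down by one, keeping their
--    relative order (0,1,2 stays a contiguous 0,1,2).
UPDATE cwd_directory
SET directory_position = CASE
        WHEN directory_name = 'JIRA Internal Directory' THEN 0
        ELSE directory_position + 1
    END;

-- 5. Confirm: the internal directory should be active and at position 0,
--    with no duplicate positions.
SELECT id, directory_name, active, directory_position
FROM cwd_directory
ORDER BY directory_position;

-- COMMIT if step 5 looks right; otherwise issue ROLLBACK instead.
COMMIT;
```

Because these edits change which directory authenticates `admin`, record the output of step 1 before committing so the original order can be restored once LDAP is healthy again.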