When LDAP breaks, sometimes you need to reorder the User Directories to be able to log in at all.

 

JIRA and Confluence can authenticate users from LDAP directories, such as Microsoft's Active Directory. In fact it is common to have multiple LDAP directories configured, one after another:

Here we have two AD servers configured for redundancy – and just as well, as the first is failing.

Normally you manage the User Directories via the web interface, preferably as a user from the Internal directory (because it is always available regardless of LDAP state). However, the Internal account won't work if:

Here we describe how to fix the last two scenarios with database edits.

Enabling and reordering the Internal Directory

Run the following query on the cwd_directory table to see what's going on with directory ordering.

mysql> select id, directory_name, active, description, directory_position from cwd_directory;
+-------+-------------------------+--------+---------------------------------+--------------------+
| id    | directory_name          | active | description                     | directory_position |
+-------+-------------------------+--------+---------------------------------+--------------------+
|     1 | JIRA Internal Directory |      0 | JIRA default internal directory |                  2 |
| 10200 | TX-DC2                  |      1 | NULL                            |                  1 |
| 10201 | TX-DC1                  |      1 | NULL                            |                  0 |
+-------+-------------------------+--------+---------------------------------+--------------------+
3 rows in set (0.00 sec)

In this example we have two LDAP directories configured, plus the internal directory. However, notice that:

Enabling a disabled directory

If the internal directory is disabled, enable it with:

mysql> update cwd_directory set active=1 where id=1;

Reordering directories (if necessary)

To check whether admin comes from LDAP or just the Internal directory, run:

mysql> select user_name, directory_id from cwd_user where user_name='admin';
+-----------+--------------+
| user_name | directory_id |
+-----------+--------------+
| admin     |            1 |
+-----------+--------------+
1 row in set (0.00 sec)

If admin exists in multiple directories, you'll see more than one row returned. If so, run SQL to reorder the directories (if not, don't bother):

mysql> -- !!NOTE!! adapt the id refs for your system
mysql> update cwd_directory set directory_position=0 where id=1;
mysql> update cwd_directory set directory_position=2 where id=10201;

Then restart JIRA/Confluence for the change to take effect.
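The two fixes above combined into one guarded session, as an added example that is not from the original page: it keeps a copy of cwd_directory, applies the changes in a transaction, and runs two checks before committing. The ids 1 and 10201 come from the sample output above; the backup table name cwd_directory_backup and InnoDB tables (so that ROLLBACK works) are assumptions.

```sql
-- Added example. Adapt the ids (1, 10201) to your own cwd_directory rows.
-- Assumption: MySQL with InnoDB tables; cwd_directory_backup is a made-up name.

-- 1. Keep a copy of the current state so the original order can be restored
--    once LDAP is healthy again. DDL auto-commits in MySQL, so do it first.
CREATE TABLE cwd_directory_backup AS SELECT * FROM cwd_directory;

-- 2. Apply the changes as one unit.
START TRANSACTION;
UPDATE cwd_directory SET active = 1 WHERE id = 1;
UPDATE cwd_directory SET directory_position = 0 WHERE id = 1;
UPDATE cwd_directory SET directory_position = 2 WHERE id = 10201;

-- 3. Check: no two directories share a position. Expect zero rows.
SELECT directory_position, COUNT(*) AS n
FROM cwd_directory
GROUP BY directory_position
HAVING COUNT(*) > 1;

-- 4. Check: which active directory holds 'admin', in lookup order.
--    The first row should be the Internal directory (id 1).
SELECT u.user_name, d.id, d.directory_name, d.directory_position
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id
WHERE u.user_name = 'admin'
  AND d.active = 1
ORDER BY d.directory_position;

-- 5. Keep the change only if both checks look right.
COMMIT;  -- or ROLLBACK; if either check is wrong
```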