Jira server throws directory is read-only error when adding users to groups

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

You have configured an internal directory and an LDAP directory with the permission "Read Only, with Local Groups", with the default group membership set to "jira-users". Configuration succeeded and synchronization completed without any problem. When you try to log in as an LDAP user, the login fails with the error "You do not have a permission to log in. If you think this is incorrect, please contact your JIRA administrators." When you try to associate the user with the jira-users group from the UI, you get the error "You cannot add user 'xxxx' to group 'xxxxxx'. The user's directory is read only."


The following error appears in the log:

    2011-09-19 16:36:56,087 http-844-7 ERROR anonymous 996x260x1 o8ghcl 127.0.0.1 /login.jsp [core.event.listener.AutoGroupAdderListener] Could not auto add user to group: Group <jira-users> is read-only and cannot be updated
    com.atlassian.crowd.exception.ReadOnlyGroupException: Group <jira-users> is read-only and cannot be updated
        at com.atlassian.crowd.directory.DbCachingRemoteDirectory.addUserToGroup(DbCachingRemoteDirectory.java:487)
        at com.atlassian.crowd.core.event.listener.AutoGroupAdderListener.handleEvent(AutoGroupAdderListener.java:68)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.atlassian.event.internal.SingleParameterMethodListenerInvoker.invoke(SingleParameterMethodListenerInvoker.java:36)
        ...
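To see which default-membership groups are affected and how often logins hit this error, the log can be scanned for the AutoGroupAdderListener entry shown above. The following script is an added example, not Atlassian code; the sample log is constructed (its first entry is copied from this article, the rest is made up) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Header line of the error shown above. Only the timestamp and the group name
# are captured; the fields between them are skipped without being interpreted.
AUTO_ADD_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*? ERROR .*?"
    r"\[[\w.]*AutoGroupAdderListener\] Could not auto add user to group: "
    r"Group <(?P<group>[^>]+)> is read-only"
)


def read_only_group_failures(lines):
    """Return {group: [timestamps]} for failed default-group auto-adds.

    The ReadOnlyGroupException line and the 'at ...' frames repeat the group
    name but do not start with a timestamp, so one failure is counted once.
    """
    failures = defaultdict(list)
    for line in lines:
        match = AUTO_ADD_FAILURE.match(line)
        if match:
            failures[match.group("group")].append(match.group("ts"))
    return dict(failures)


def report(failures):
    """One summary line per affected group, sorted by group name."""
    return [
        f"{group}: {len(ts)} failed auto-add(s), first {ts[0]}, last {ts[-1]}"
        for group, ts in sorted(failures.items())
    ]


# Constructed sample log (hypothetical except for the first entry).
SAMPLE_LOG = """\
2011-09-19 16:36:56,087 http-844-7 ERROR anonymous 996x260x1 o8ghcl 127.0.0.1 /login.jsp [core.event.listener.AutoGroupAdderListener] Could not auto add user to group: Group <jira-users> is read-only and cannot be updated
com.atlassian.crowd.exception.ReadOnlyGroupException: Group <jira-users> is read-only and cannot be updated
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.addUserToGroup(DbCachingRemoteDirectory.java:487)
2011-09-19 16:37:10,412 http-844-3 INFO anonymous 997x261x1 p9hidm 127.0.0.1 /login.jsp [example.constructed.Logger] unrelated constructed entry
2011-09-19 16:41:02,310 http-844-2 ERROR anonymous 1001x265x1 q1jken 127.0.0.1 /login.jsp [core.event.listener.AutoGroupAdderListener] Could not auto add user to group: Group <jira-users> is read-only and cannot be updated
""".splitlines()

if __name__ == "__main__":
    for summary in report(read_only_group_failures(SAMPLE_LOG)):
        print(summary)
```
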

Cause

The groups in the LDAP server are read-only. Because you have placed the LDAP directory at the top position, the users from the LDAP server take precedence, along with the groups that are duplicated across the directories. Associating the user with the LDAP group, which is read-only, therefore fails.

Resolution

  1. If you want to have the groups in both the JIRA application and LDAP, associate the users with the necessary group in LDAP right from the beginning.

  2. Enable write permission on the LDAP server and edit the directory to have the "read/write" permission.

  3. If the group that is duplicated in the JIRA application is not very useful in LDAP, consider deleting the group and then re-synchronizing your directory.

ℹ️ Please see our Troubleshooting LDAP User Management documentation for further assistance with diagnosing LDAP problems.

Updated on April 8, 2025
