LDAP directory sync is stuck forever in Jira

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

LDAP directory sync is stuck forever; only a Jira restart terminates the sync process.

Diagnosis

If you have an external directory such as LDAP connected to Jira and full sync is enabled for the directory, you might be running into this issue.

When we check the atlassian-jira.log files and grep for full sync, we can see the following: each time the full sync starts, it completes within 58266ms. However, the last entry shows only that the sync started, with no matching completion entry. This tells us that the sync is stuck. You can check the status by navigating to Jira administration ⚙️ > User management > User Directories and checking the status of the affected user directories.

log % grep "FULL synchronisation" atlassian-jira.log*
2022-03-19 02:22:03,241+0000 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation complete for directory [ 10100 ] in [ 58677ms ]
2022-03-19 02:31:04,556+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation for directory [ 10100 ] starting
2022-03-19 02:32:00,259+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation complete for directory [ 10100 ] in [ 55703ms ]
2022-03-19 02:41:04,563+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation for directory [ 10100 ] starting
2022-03-19 02:42:01,679+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation complete for directory [ 10100 ] in [ 57116ms ]
2022-03-19 02:51:04,563+0000 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation for directory [ 10100 ] starting
2022-03-19 02:52:00,116+0000 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation complete for directory [ 10100 ] in [ 55553ms ]
2022-03-19 03:01:04,579+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation for directory [ 10100 ] starting
2022-03-19 03:02:02,845+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation complete for directory [ 10100 ] in [ 58266ms ]
2022-03-19 03:11:04,542+0000 Caesium-1-1 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation for directory [ 10100 ] starting
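The start/complete pairing described above can be checked automatically. The following is an added example, not part of the original article or Atlassian's tooling: it pairs each "starting" line with its "complete" line per directory and reports runs still open after an assumed grace period (the function name, the `grace` default and directory 10200 are hypothetical).

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the DbCachingRemoteDirectory lines from the grep output above.
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4})\s+(\S+)\s.*?"
    r"FULL synchronisation (complete )?for directory \[\s*(\d+)\s*\]"
    r"(?: in \[\s*(\d+)ms\s*\]| starting)"
)

def find_stuck_syncs(lines, now, grace=timedelta(minutes=30)):
    """Return FULL syncs that logged 'starting' but no 'complete' after `grace`."""
    # `grace` is an assumed threshold; keep it well above the longest completed run.
    open_runs, longest_ms = {}, {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        stamp, thread, complete, directory, ms = m.groups()
        if complete:
            open_runs.pop(directory, None)  # run finished, clear the open entry
            longest_ms[directory] = max(longest_ms.get(directory, 0), int(ms))
        else:
            started = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f%z")
            open_runs[directory] = (started, thread)
    return {
        directory: {"started": started, "thread": thread,
                    "open_for": now - started,
                    "longest_completed_ms": longest_ms.get(directory)}
        for directory, (started, thread) in open_runs.items()
        if now - started > grace
    }

# Last three lines for directory 10100 from the article's output, plus two
# constructed lines for a hypothetical healthy directory 10200.
PFX = "INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation "
SAMPLE = [
    "2022-03-19 03:01:04,579+0000 Caesium-1-1 " + PFX + "for directory [ 10100 ] starting",
    "2022-03-19 03:02:02,845+0000 Caesium-1-1 " + PFX + "complete for directory [ 10100 ] in [ 58266ms ]",
    "2022-03-19 03:05:00,000+0000 Caesium-1-3 " + PFX + "for directory [ 10200 ] starting",
    "2022-03-19 03:05:40,000+0000 Caesium-1-3 " + PFX + "complete for directory [ 10200 ] in [ 40000ms ]",
    "2022-03-19 03:11:04,542+0000 Caesium-1-1 " + PFX + "for directory [ 10100 ] starting",
]

if __name__ == "__main__":
    now = datetime(2022, 3, 19, 4, 0, tzinfo=timezone.utc)  # constructed "current" time
    for directory, info in find_stuck_syncs(SAMPLE, now).items():
        print(f"directory {directory}: FULL sync open for {info['open_for']} on "
              f"{info['thread']}, longest completed run {info['longest_completed_ms']}ms")
```

The thread name in the result (here Caesium-1-1) is the one to look for in a thread dump when investigating what the stuck sync is waiting on.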

Cause

The cause could be that the FULL synchronization is scheduled at too short an interval, and also that the LDAP connection timeout is set to indefinite (i.e. 0).

Solution

  • Check the directory sync interval by navigating to Jira administration ⚙️ > User management > User Directories and looking for the Synchronisation Interval in the "Advanced settings" of the affected user directory. You can also get this value by generating a directory summary, following our KB Generate a Directory Configuration Summary in Jira server.


In the directory configuration summary, search for directory.cache.synchronise.interval and check which value it has been set to.

Synchronisation Interval (minutes) | directory.cache.synchronise.interval

⚠️ Please make sure to check whether incremental synchronization is enabled or disabled, either by navigating to Jira administration ⚙️ > User management > User Directories or in the directory configuration summary.

In the directory configuration summary search for the "crowd.sync.incremental.enabled:" parameter.

Enable Incremental Synchronisation | crowd.sync.incremental.enabled: true when enabled, crowd.sync.incremental.enabled: false when disabled

ℹ️ For more information, please go through How to read directory configuration summary

The incremental sync is scheduled by default to run every 3600s. Incremental synchronization queries only the changes since the last synchronization when synchronizing a directory; however, if this is set to false, a full sync will be triggered instead.

Configuring the synchronization interval

You can set the 'Synchronization Interval' on the directory configuration screen. The synchronization interval is the period of time to wait between requests for updates from the directory server.

The length you choose for your synchronization interval depends on:

  • The length of time you can tolerate stale data.

  • The amount of load you want to put on the application and the directory server.

  • The size of your user base.

If you synchronize more frequently, then your data will be more up-to-date. The downside of synchronizing more frequently is that you may overload your server with requests.

If you are not sure what to do, we recommend that you start with an interval of 60 minutes (this is the default setting) and reduce the value incrementally. You will need to experiment with your setup.

NOTE: Scheduling syncs at too short an interval might cause the LDAP sync to get stuck forever, which is why it's always recommended to leave a significant gap between syncs.

Another point to remember:

Also, check whether the directory configuration summary shows ldap.connection.timeout: 0

If the timeout value is set to 0, it is indefinite, and this might cause performance issues or cluster locks, as mentioned in the KB Unlimited LDAP read timeout can cause Cluster Locks health check to fail if there are communication issues.


Connection Timeout (seconds)

This setting affects two actions. The default value is 10.

+ The time to wait when getting a connection from the connection pool. A value of 0 (zero) means there is no limit, so wait indefinitely.

+ The time, in seconds, to wait when opening new server connections. A value of 0 (zero) means that the TCP network timeout will be used, which may be several minutes.

So it's always recommended to set the LDAP read and connection timeouts to finite values (i.e. not 0) so that the process can be terminated with a read timeout exception if there are any communication issues.

Updated on April 16, 2025
