Some LDAP users are unable to log into Jira due to Jira trying to re-create a group that already exists

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When Jira Data Center is connected to an external LDAP directory, users who belong to specific groups might be unable to log in because Jira tries to insert into the database a group that already exists. Some users might see a 500 error in the browser when trying to log in.

Environment

Jira Data Center with at least 2 nodes.

Issue observed on Jira 8.13.0 and higher versions.

Diagnosis

  • not all users are impacted by the login issue (only users that belong to specific group(s))

  • the login issue might either happen on all Jira nodes, or on specific Jira node(s) only

  • the issue only occurs with users that are from an external directory (for example, an Active Directory)

  • the setting "Update group memberships when logging in" is set to "Every time the user logs in" in the LDAP configuration in ⚙ > User Management > User Directories

  • the Jira application logs contain an error showing that Jira violated a unique constraint while inserting a group into the cwd_group table

    • Example 1 (if using an Oracle Database)

      2021-10-26 12:55:22,658+0200 http-nio-8080-exec-78 url: /plugins/servlet/samlconsumer ERROR anonymous XXXxXXXXXXxX XXXXXX XXX.XXX.XX.X,XX.XXX.XXX.XX,127.0.0.1 /plugins/servlet/samlconsumer [o.a.c.c.C.[Catalina].[localhost].[/]] Unhandled exception occurred whilst decorating page
      com.atlassian.jira.exception.DataAccessException: org.ofbiz.core.entity.GenericEntityException: while inserting: [GenericEntity:Group][groupName,somegroup][createdDate,2021-10-26 12:55:22.639][lowerGroupName,somegroup ops][active,1][description,somegroup][lowerDescription,somegroup][directoryId,10200][updatedDate,2021-10-26 12:55:22.639][id,68590][type,GROUP][local,0] (SQL Exception while executing the following:INSERT INTO cwd_group (ID, group_name, lower_group_name, active, local, created_date, updated_date, description, lower_description, group_type, directory_id, external_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (ORA-00001: unique constraint (JIRA.UK_GROUP_NAME_DIR_ID) violated ))
          at com.atlassian.jira.ofbiz.DefaultOfBizDelegator.createValue(DefaultOfBizDelegator.java:299)
          at com.atlassian.jira.ofbiz.WrappingOfBizDelegator.createValue(WrappingOfBizDelegator.java:172)
          at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:140)
          at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:128)
    • Example 2 (if using a PostgreSQL Database)

      2021-10-20 13:00:48,939+0000 http-nio-8081-exec-7 ERROR [o.a.c.c.C.[.[localhost].[/jira].[default]] Servlet.service() for servlet [default] in context with path [/jira] threw exception
      com.atlassian.jira.exception.DataAccessException: org.ofbiz.core.entity.GenericEntityException: while inserting: [GenericEntity:Group][groupName,somegroup][createdDate,2021-10-20 13:00:48.937][lowerGroupName,somegroup][active,1][description,User access to lever (prod)][lowerDescription,somegroup][directoryId,10200][updatedDate,2021-10-20 13:00:48.937][id,72831][type,GROUP][local,0] (SQL Exception while executing the following:INSERT INTO public.cwd_group (ID, group_name, lower_group_name, active, local, created_date, updated_date, description, lower_description, group_type, directory_id, external_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (ERROR: duplicate key value violates unique constraint "uk_group_name_dir_id"
        Detail: Key (lower_group_name, directory_id)=(access.1664108.prod.user, 10200) already exists.))
          at com.atlassian.jira.ofbiz.DefaultOfBizDelegator.createValue(DefaultOfBizDelegator.java:299)
          at com.atlassian.jira.ofbiz.WrappingOfBizDelegator.createValue(WrappingOfBizDelegator.java:172)
          at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:140)
          at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:128)
          at com.atlassian.crowd.directory.AbstractInternalDirectory.addGroup(AbstractInternalDirectory.java:727)
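
Added example (not Atlassian's code): a Python scan of the Jira application log for the error described above, counting failed group inserts per group name and directory ID so the affected groups can be checked against the cwd_group table. The log lines are constructed and shortened from the excerpts above; the function names and the ?-style query placeholders are assumptions.

```python
import re
from collections import Counter

# A failed Group insert: the entity field dump, then the constraint name
# before any other entity dump starts (Oracle upper-cases the name).
EVENT = re.compile(
    r"\[GenericEntity:Group\]((?:\[[^\]]*\])+)"
    r"(?:(?!GenericEntity:).){0,600}?uk_group_name_dir_id",
    re.IGNORECASE | re.DOTALL,
)
FIELD = re.compile(r"\[(\w+),([^\]]*)\]")

# Columns taken from the INSERT statement in the log excerpts. Run it read-only
# with each (group, directory) pair; the placeholder style depends on the driver.
CHECK_SQL = ("SELECT id, group_name, directory_id FROM cwd_group "
             "WHERE lower_group_name = ? AND directory_id = ?")


def duplicate_group_inserts(log_text):
    """Count failed cwd_group inserts per (lowerGroupName, directoryId)."""
    hits = Counter()
    for match in EVENT.finditer(log_text):
        fields = dict(FIELD.findall(match.group(1)))
        key = (fields.get("lowerGroupName", "?"), fields.get("directoryId", "?"))
        hits[key] += 1
    return hits


def _line(ts, group, directory, db_error):
    # Constructed, shortened log line modelled on the excerpts above.
    return (f"{ts} http-nio-8080-exec-1 ERROR ... while inserting: "
            f"[GenericEntity:Group][groupName,{group}][lowerGroupName,{group}]"
            f"[directoryId,{directory}][type,GROUP][local,0] (SQL Exception while "
            f"executing the following:INSERT INTO cwd_group (...) VALUES (...) "
            f"({db_error}))\n")


ORACLE = "ORA-00001: unique constraint (JIRA.UK_GROUP_NAME_DIR_ID) violated"
POSTGRES = 'ERROR: duplicate key value violates unique constraint "uk_group_name_dir_id"'
SAMPLE_LOG = (
    _line("2021-10-26 12:55:22,658+0200", "somegroup", "10200", ORACLE)
    + _line("2021-10-26 12:56:01,104+0200", "somegroup", "10200", ORACLE)
    + _line("2021-10-20 13:00:48,939+0000", "othergroup", "10200", POSTGRES)
    + _line("2021-10-20 13:02:10,001+0000", "thirdgroup", "10200", "ERROR: connection reset")
)

if __name__ == "__main__":
    for (group, directory), count in duplicate_group_inserts(SAMPLE_LOG).most_common():
        print(f"{count}x group={group!r} directory_id={directory}")
    print("confirm each pair with:", CHECK_SQL)
```

Running the scan against each node's log separately shows whether the failures are limited to specific nodes, which matches the per-node symptom listed in the diagnosis.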

Cause

While the exact root cause is unclear, we suspect that it is the same as the one mentioned in the 2 other KB articles below:

Basically, the group data cache got corrupted on at least 1 Jira node, meaning that it's out of sync with the database. Because the group is missing from the cache, the Jira application "thinks" that the group does not exist yet in the database (while it actually exists), and tries to insert it in the database, causing a database constraint violation error.

This error occurs when users log in because the setting "Update group memberships when logging in" is set to "Every time the user logs in". With this setting, whenever a user tries to log in via the LDAP directory, Jira tries to update the group membership of this user. If Jira thinks that the group does not exist in the database (due to the cache corruption), Jira will try to insert the group in the database, causing the violation error and ultimately preventing the user from logging in.

Solution

Short term solution

  • Go to ⚙ > User Management > User Directories

  • Click on the Edit button next to the LDAP directory the users are trying to log in against

  • Change the setting "Update group memberships when logging in" to "Update for new users only"

Long term solution

  • Schedule a downtime window outside of business hours, to prevent any impact on your operations

  • Shut down all the Jira nodes together from the Data Center cluster

  • Start up each Jira node one by one

  • The restart of all the Jira nodes should clear the user data cache and resolve this issue

Updated on March 6, 2025
