Some AD users are not associated with any groups

I have a simple AD setup in a virtual machine:

I configure my local Jira Data Center to authenticate using it.

I also set advanced settings to update user groups on every login.

Testing with the domain admin account is successful:

But with a normal user, it failed to get groups:

The users are listed but some of them (test1, test2) have no groups:

The AD groups are synchronized okay; Domain Admins correctly lists “administrator” as a user, but groups like Domain Users have no members:

Note that “administrator” is a member of “Domain Users” as well and that’s not recognized.

I already set the log4j root logger level to DEBUG, but I still couldn’t find anything relevant in atlassian-jira.log.

What is wrong here?

Answering my own questions again…
The answer is “Domain Users” is not actually in a user’s memberOf attribute.

As silly as it sounds, it’s because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the “Member Of” tab).
The “Member Of” tab you see on an object’s properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it’s possible to change the primaryGroupID, most people don’t.

So I added a new group for Jira to use.


Wow that’s so strange. That’s a good explanation.

The “memberOf” attribute itself isn’t “real” either… AD stores membership information in the groups’ “member” attribute; “memberOf” is calculated from that.
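
An added example, not part of the original thread: a Python sketch of how an LDAP client can recover the primary-group membership that memberOf omits, by parsing the binary objectSid and swapping its last RID for primaryGroupID. The function names, sample SIDs and DNs are constructed for illustration; 513 is the well-known RID of Domain Users.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-21-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Domain SID (the user's SID without its own RID) plus primaryGroupID."""
    domain_sid = sid_to_str(object_sid).rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(entry: dict, groups_by_sid: dict) -> list:
    """memberOf plus the group that primaryGroupID points to."""
    groups = list(entry.get("memberOf", []))
    sid = primary_group_sid(entry["objectSid"], int(entry["primaryGroupID"]))
    dn = groups_by_sid.get(sid)
    if dn and dn not in groups:
        groups.append(dn)
    return groups

def make_sid(*subs: int) -> bytes:
    """Build a binary SID (revision 1, authority 5) for the sample data."""
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

# Constructed sample directory entries (not taken from the thread's screenshots).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
BASE = "CN=Users,DC=example,DC=test"
GROUPS_BY_SID = {
    "S-1-5-21-1111111111-2222222222-3333333333-513": f"CN=Domain Users,{BASE}",
}
TEST1 = {"sAMAccountName": "test1", "objectSid": make_sid(*DOMAIN, 1105),
         "primaryGroupID": "513", "memberOf": []}
ADMIN = {"sAMAccountName": "administrator", "objectSid": make_sid(*DOMAIN, 500),
         "primaryGroupID": "513", "memberOf": [f"CN=Domain Admins,{BASE}"]}

if __name__ == "__main__":
    for user in (TEST1, ADMIN):
        print(user["sAMAccountName"], effective_groups(user, GROUPS_BY_SID))
```

A client that reads only memberOf sees an empty list for test1 here, which matches the symptom in the question.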