Confluence Data Center / CONFSERVER-39341

Gracefully handle errors when syncing with LDAP directories containing CNF attributes

    Description

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Confluence throws the following exception when syncing with LDAP directories containing CNF attributes:

      cnf:42e39380-4839-4ecb-bf4c-707141604142,ou=xxxx-xxxx,ou=xxx,ou=xxxx-xxxx,dc=xxxx,dc=xx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
      'cn=ut40uat-hsmain-ext
      cnf:42e39380-4839-4ecb-bf4c-707141604142,ou=xxxx-xxxx,ou=xxx,ou=xxxx-xxxx,dc=xxxx,dc=xx'
      ]; nested exception is javax.naming.InvalidNameException: cn=ut40uat-hsmain-ext
      cnf:42e39380-4839-4ecb-bf4c-707141604142,ou=xxxx-xxxx,ou=xxx,ou=xxxx-xxxx,dc=xxxx,dc=xx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
      'cn=xxxx-xxxx-xxx
      cnf:42e39380-4839-4ecb-bf4c-707141604142,ou=xxxx-xxxx,ou=xxx,ou=xxxx-xxxx,dc=xxxx,dc=xx
      ]; remaining name 'cn=xxxxx-xxxx-xxx
      cnf:42e39380-4839-4ecb-bf4c-707141604142,ou=xxxx-xxxx,ou=xxx,ou=xxxx-xxxx,dc=xxxx,dc=xx'
      at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:136)
      

      According to this Microsoft KB:

      Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these accounts to a unique name. For example, object ABC is renamed to be CNF:guid, where "" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGuid attribute value.

      So a CNF name is created when replication between domain controllers hits a name conflict and there are duplicated objects.

      Confluence should gracefully handle this error.

      Workaround:

      1) Ask the LDAP administrator to remove the duplicated groups or users from LDAP and make sure there are no other conflicts before syncing.

      2) Create a filter for the user and group objects to avoid syncing objects that have CNF attributes.

      Should become something like:
      (&(objectClass=group)(!(cnf:*)))
      OR
      (&(objectClass=group)(!(cn=cnf:)))
      

      Check here for additional details on LDAP filters.
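
A pre-sync check along the lines of workaround 1, as an added example (not Atlassian's or Confluence's code): it separates conflict-renamed entries from syncable ones instead of aborting on the first bad name, and pairs each conflict with the surviving object it duplicates. The function name, the sample DNs and the example.com tree are constructed; it assumes the reserved character before CNF: is a line feed, seen either raw (as in the trace above) or as the DN escape \0A.

```python
import re

# Conflict-renamed RDN: <name><LF>CNF:<objectGuid>. Assumption: the LF arrives
# either as a raw newline (as in the trace) or as the DN hex escape \0A.
_CNF_RDN = re.compile(
    r"(?:^|,)\s*(?P<attr>[A-Za-z][\w-]*)="
    r"(?P<name>(?:\\.|[^,\\\n])*?)"
    r"(?:\n|\\0[aA])CNF:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
    r"(?=,|$)"
)

def partition_entries(dns):
    """Return (syncable, conflicts) instead of failing on the first bad name."""
    syncable, conflicts = [], []
    for dn in dns:
        m = _CNF_RDN.search(dn)
        if m is None:
            syncable.append(dn)
            continue
        # DN the object would have had without the conflict rename.
        twin = dn[:m.end("name")] + dn[m.end():]
        conflicts.append({"dn": dn, "name": m["name"],
                          "guid": m["guid"].lower(), "twin": twin})
    survivors = {d.lower(): d for d in syncable}
    for c in conflicts:
        # Surviving object with the same name and container, or None.
        c["twin"] = survivors.get(c["twin"].lower())
    return syncable, conflicts

# Constructed sample; the first GUID is the one from the trace above.
SAMPLE_DNS = [
    "cn=wiki-users,ou=groups,dc=example,dc=com",
    "cn=wiki-users\nCNF:42e39380-4839-4ecb-bf4c-707141604142,ou=groups,dc=example,dc=com",
    "CN=wiki-admins\\0ACNF:00000000-0000-4000-8000-000000000001,OU=groups,DC=example,DC=com",
    "cn=CNF readers,ou=groups,dc=example,dc=com",  # "CNF" in a name is not a conflict
]

if __name__ == "__main__":
    ok, bad = partition_entries(SAMPLE_DNS)
    print(f"{len(ok)} syncable, {len(bad)} conflict object(s) skipped")
    for c in bad:
        print(f"  {c['name']!r} guid={c['guid']} duplicates={c['twin']!r}")
```
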

            People

              Unassigned
              sparsa Saleh Parsa (Inactive)
              Votes: 4
              Watchers: 6