Details
Suggestion
Resolution: Unresolved
Description
Currently the Crowd LDAP Caching documentation states:
Limitations
...
Renaming objects is not supported. — If the DN of an object is changed externally, the cache will be out of date until flushed.
If an object is changed using an external tool, Crowd will report the following in the logs:
2009-11-16 16:55:46,911 http-8095-Processor24 ERROR [codehaus.xfire.handler.DefaultFaultHandler] Fault occurred! org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=sydney,OU=australia,OU=oceania,OU=ABC,DC=COMMON,DC=AU,DC=UUJT,DC=DOMAIN,DC=com' nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=sydney,OU=australia,OU=oceania,OU=ABC,DC=COMMON,DC=AU,DC=UUJT,DC=DOMAIN,DC=com' remaining name 'cn=John.Smith,ou=1122,ou=users,OU=ABC,DC=COMMON,DC=AU,DC=UUJT,DC=DOMAIN,DC=com'
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:171)
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:800)
    at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:783)
    at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:881)
    at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.findEntityByDN(SpringLDAPConnector.java:994)
    at com.atlassian.crowd.integration.directory.cache.CachingLDAPDirectory.findEntityIdentifierFromDN(CachingLDAPDirectory.java:220)
    at com.atlassian.crowd.integration.directory.cache.CachingLDAPDirectory.findGroupAndDirectMembersByName(CachingLDAPDirectory.java:331)
    at com.atlassian.crowd.integration.directory.cache.CachingLDAPDirectory.findGroupByName(CachingLDAPDirectory.java:451)
    at com.atlassian.crowd.integration.directory.cache.CachingLDAPDirectory.findGroupByName(CachingLDAPDirectory.java:470)
    at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.findGroupByName(ApplicationServiceGeneric.java:654)
A better implementation would consider:
1. The time necessary to synchronize the Forest Domains
2. If the Full DN can't be found, search for the object CN or Simplified DN (John.Smith@ad.domain.com)
3. Show the Admin what the cache inconsistencies are so that he can flush the cache or force a Domain Sync.
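Until Crowd surfaces these inconsistencies itself (point 3), an admin can pull them out of the log. The Python scanner below is an added example, not Crowd's code: it matches the NO_OBJECT (error code 32) entry shown above, extracts the stale cached DN, its CN, and the part of the DN the server could not resolve below its "best match". The sample log lines are constructed; the first reuses the DNs from this issue.

```python
import re

# Constructed sample input: line 1 is the NameNotFoundException entry from this
# issue (stack frames omitted), line 2 is an unrelated line that must be ignored.
SAMPLE_LOG = [
    "2009-11-16 16:55:46,911 http-8095-Processor24 ERROR [codehaus.xfire.handler.DefaultFaultHandler] "
    "Fault occurred! org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
    "NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'OU=sydney,OU=australia,OU=oceania,OU=ABC,DC=COMMON,DC=AU,DC=UUJT,DC=DOMAIN,DC=com' "
    "nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
    "NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: "
    "'OU=sydney,OU=australia,OU=oceania,OU=ABC,DC=COMMON,DC=AU,DC=UUJT,DC=DOMAIN,DC=com' "
    "remaining name 'cn=John.Smith,ou=1122,ou=users,OU=ABC,DC=COMMON,DC=AU,DC=UUJT,DC=DOMAIN,DC=com'",
    "2009-11-16 16:56:01,004 http-8095-Processor25 INFO [constructed.Logger] directory poll finished",
]

BEST_MATCH_RE = re.compile(r"best match of: '([^']+)'")
REMAINING_RE = re.compile(r"remaining name '([^']+)'")

def _rdns(dn):
    """Split a DN into its RDN strings, leaf first (naive: escaped commas are not handled)."""
    return [p.strip() for p in dn.split(",")]

def unresolved_part(stale_dn, best_match):
    """Leaf-side RDNs of stale_dn below the deepest entry the server could still resolve."""
    a, b = _rdns(stale_dn), _rdns(best_match)
    n = 0  # length of the common suffix, compared case-insensitively from the base upwards
    while n < min(len(a), len(b)) and a[-1 - n].lower() == b[-1 - n].lower():
        n += 1
    return ",".join(a[: len(a) - n])

def stale_dn_report(line):
    """Parse one Crowd log line; return a dict describing the stale cached DN, or None."""
    if "NameNotFoundException" not in line or "error code 32" not in line:
        return None
    remaining = REMAINING_RE.search(line)
    if not remaining:
        return None
    stale_dn = remaining.group(1)
    matches = BEST_MATCH_RE.findall(line)
    best = matches[-1] if matches else ""
    cn = next((r.split("=", 1)[1] for r in _rdns(stale_dn) if r.lower().startswith("cn=")), None)
    return {
        "timestamp": line[:23],
        "stale_dn": stale_dn,
        "cn": cn,
        "best_match": best,
        "unresolved": unresolved_part(stale_dn, best) if best else stale_dn,
    }

def scan(lines):
    """Collect the stale-DN reports an admin would review before flushing the cache."""
    return [r for r in (stale_dn_report(line) for line in lines) if r]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['timestamp']} stale DN for cn={r['cn']}: {r['stale_dn']} (unresolved: {r['unresolved']})")
```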