- Type: Bug
- Resolution: Fixed
- Priority: Low
- Affects Version/s: 5.12.3.1, 5.14.3.1, 6.0.0, 6.2.1
- Component/s: User Management, Crowd & LDAP integration
- Severity 2 - Major
Summary
Bamboo does not work with LDAP systems using Posix Schema.
Steps to Reproduce
1. OpenLDAP
- Download and install OpenLDAP.
- Create a user LDIF:
user.ldif
  dn: uid=bruno,dc=brosa,dc=openldap,dc=com
  objectclass: inetOrgPerson
  objectclass: person
  givenName: Bruno
  sn: Rosa
  mail: test@test.com
  uid: bruno
  userPassword: bruno
  cn: Bruno Rosa
- Import user LDIF:
ldapadd -v -h 192.168.90.100:389 -c -x -D cn=admin,dc=brosa,dc=openldap,dc=com -W -f user.ldif
- Verify the user was added:
ldapsearch -v -h 192.168.90.100:389 -b 'dc=brosa,dc=openldap,dc=com' -D 'cn=admin,dc=brosa,dc=openldap,dc=com' -x -W '(&(objectClass=person)(uid=bruno))'
Response:
  filter: (&(objectClass=person)(uid=bruno))
  requesting: All userApplication attributes
  # extended LDIF
  #
  # LDAPv3
  # base <dc=brosa,dc=openldap,dc=com> with scope subtree
  # filter: (&(objectClass=person)(uid=bruno))
  # requesting: ALL
  #

  # bruno, brosa.openldap.com
  dn: uid=bruno,dc=brosa,dc=openldap,dc=com
  objectClass: inetOrgPerson
  objectClass: person
  givenName: Bruno
  sn: Rosa
  mail: test@test.com
  uid: bruno
  userPassword:: YnJ1bm8=
  cn: Bruno Rosa

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1
- Create Group LDIF:
group.ldif
  dn: cn=developers,dc=brosa,dc=openldap,dc=com
  objectClass: top
  objectClass: posixGroup
  gidNumber: 678
- Import Group LDIF with:
ldapadd -v -h 192.168.90.100:389 -x -W -D cn=admin,dc=brosa,dc=openldap,dc=com -f group.ldif
- To add the user to the group we need to create a new LDIF:
add-user-group.ldif
  dn: cn=developers,dc=brosa,dc=openldap,dc=com
  changetype: modify
  add: memberuid
  memberuid: bruno
- Add user to group with:
ldapmodify -v -h 192.168.90.100:389 -x -W -D cn=admin,dc=brosa,dc=openldap,dc=com -f add-user-group.ldif
- Verify the user was added to the group:
ldapsearch -v -h 192.168.90.100:389 -b 'dc=brosa,dc=openldap,dc=com' -D 'cn=admin,dc=brosa,dc=openldap,dc=com' -x -W '(&(objectClass=posixGroup))'
Response:
  filter: (&(objectClass=posixGroup))
  requesting: All userApplication attributes
  # extended LDIF
  #
  # LDAPv3
  # base <dc=brosa,dc=openldap,dc=com> with scope subtree
  # filter: (&(objectClass=posixGroup))
  # requesting: ALL
  #

  # developers, brosa.openldap.com
  dn: cn=developers,dc=brosa,dc=openldap,dc=com
  objectClass: top
  objectClass: posixGroup
  gidNumber: 678
  cn: developers
  memberUid: bruno

  # search result
  search: 2
  result: 0 Success

  # numResponses: 2
  # numEntries: 1
2. Bamboo
- Create atlassian-user-custom.xml file with:
atlassian-user.xml
  <atlassian-user>
    <repositories>
      <!-- LDAP repository -->
      <ldap key="ldapRepository" name="OpenLDAP" cache="true">
        <host>192.168.90.100</host>
        <port>389</port>
        <securityPrincipal>cn=admin,dc=brosa,dc=openldap,dc=com</securityPrincipal>
        <securityCredential>admin</securityCredential>
        <securityProtocol>plain</securityProtocol>
        <securityAuthentication>simple</securityAuthentication>
        <baseContext>dc=brosa,dc=openldap,dc=com</baseContext>
        <baseUserNamespace>dc=brosa,dc=openldap,dc=com</baseUserNamespace>
        <userSearchFilter>(objectClass=inetOrgPerson)</userSearchFilter>
        <usernameAttribute>uid</usernameAttribute>
        <firstnameAttribute>givenName</firstnameAttribute>
        <surnameAttribute>sn</surnameAttribute>
        <emailAttribute>mail</emailAttribute>
        <baseGroupNamespace>dc=brosa,dc=openldap,dc=com</baseGroupNamespace>
        <groupSearchFilter>(objectClass=posixGroup)</groupSearchFilter>
        <groupnameAttribute>cn</groupnameAttribute>
        <membershipAttribute>memberUid</membershipAttribute>
        <useUnqualifiedUsernameForMembershipComparison>true</useUnqualifiedUsernameForMembershipComparison>
      </ldap>
      <!-- Default bamboo user repository -->
      <hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
    </repositories>
  </atlassian-user>
- Configure Bamboo to use the Custom user repository from Bamboo administration >> Overview >> Security >> User repositories.
Expected Results
Membership is set up so that users and groups are correctly populated.
Actual Results
- Bamboo UI
- On the Users page, the user is shown as belonging to the 'developers' group and, most importantly, it is possible to access Bamboo with the user.
- On the Groups page, the 'developers' group appears with 0 members.
- Whenever a user accesses the Groups page, the following is thrown in the logs:
atlassian-bamboo.log
  2017-01-11 14:25:07,887 ERROR [http-nio-8086-exec-15] [LDAPMembershipToUsernamePager] Error resolving dn [ bruno ] to a username
  com.atlassian.user.impl.RepositoryException: javax.naming.InvalidNameException: bruno: [LDAP: error code 34 - invalid DN]; remaining name 'bruno'
      at com.atlassian.user.impl.ldap.search.page.LDAPMembershipToUsernamePager.findByDN(LDAPMembershipToUsernamePager.java:107)
      at com.atlassian.user.impl.ldap.search.page.LDAPMembershipToUsernamePager.addIfFoundUser(LDAPMembershipToUsernamePager.java:66)
      at com.atlassian.user.impl.ldap.search.page.LDAPMembershipToUsernamePager.preloadSearchResult(LDAPMembershipToUsernamePager.java:41)
      at com.atlassian.user.impl.ldap.search.page.AbstractLDAPPager.fetch(AbstractLDAPPager.java:125)
      at com.atlassian.user.search.page.AbstractPrefetchingPager.preload(AbstractPrefetchingPager.java:73)
      at com.atlassian.user.impl.ldap.search.page.AbstractLDAPPager.preload(AbstractLDAPPager.java:94)
      at com.atlassian.user.impl.ldap.search.page.LDAPSingleStringPager.<init>(LDAPSingleStringPager.java:21)
      at com.atlassian.user.impl.ldap.search.page.LDAPMembershipToUsernamePager.<init>(LDAPMembershipToUsernamePager.java:23)
      at com.atlassian.user.impl.ldap.adaptor.LDAPStaticGroupAdaptor.findMemberNames(LDAPStaticGroupAdaptor.java:64)
      at com.atlassian.user.impl.ldap.LDAPGroupManagerReadOnly.getMemberNames(LDAPGroupManagerReadOnly.java:70)
      at com.atlassian.user.impl.cache.CachingGroupManager.getMemberNames(CachingGroupManager.java:221)
      at com.atlassian.user.impl.delegation.DelegatingGroupManager.getMemberNames(DelegatingGroupManager.java:142)
      at sun.reflect.GeneratedMethodAccessor1096.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at com.atlassian.crowd.integration.atlassianuser.DynamicDelegationAccessor$DelegatingInvocationHandler.invoke(DynamicDelegationAccessor.java:125)
      at com.sun.proxy.$Proxy39.getMemberNames(Unknown Source)
      at bucket.user.DefaultUserAccessor.getMemberNames(DefaultUserAccessor.java:591)
      at sun.reflect.GeneratedMethodAccessor1095.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
      at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:98)
      at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:262)
      at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:95)
      at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
      at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
      at com.sun.proxy.$Proxy51.getMemberNames(Unknown Source)
      at com.atlassian.bamboo.ww2.actions.admin.group.BrowseGroupsAction.getUsersCountForGroup(BrowseGroupsAction.java:32)
      at sun.reflect.GeneratedMethodAccessor1094.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:497)
      at freemarker.ext.beans.BeansWrapper.invokeMethod(BeansWrapper.java:805)
      at freemarker.ext.beans.SimpleMethodModel.exec(SimpleMethodModel.java:106)
      at freemarker.core.MethodCall._getAsTemplateModel(MethodCall.java:104)
      at freemarker.core.Expression.getAsTemplateModel(Expression.java:89)
      at freemarker.core.Expression.getStringValue(Expression.java:93)
      at freemarker.core.DollarVariable.accept(DollarVariable.java:76)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.MixedContent.accept(MixedContent.java:92)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.ConditionalBlock.accept(ConditionalBlock.java:79)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.IteratorBlock$Context.runLoop(IteratorBlock.java:167)
      at freemarker.core.Environment.visit(Environment.java:417)
      at freemarker.core.IteratorBlock.accept(IteratorBlock.java:102)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.MixedContent.accept(MixedContent.java:92)
      at freemarker.core.Environment.visit(Environment.java:210)
      at freemarker.core.Environment.process(Environment.java:190)
      at freemarker.template.Template.process(Template.java:289)
      ...
  Caused by: javax.naming.InvalidNameException: bruno: [LDAP: error code 34 - invalid DN]; remaining name 'bruno'
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3074)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
      at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
      at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
      at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
      at com.atlassian.user.impl.ldap.search.page.LDAPMembershipToUsernamePager.findByDN(LDAPMembershipToUsernamePager.java:90)
      ... 387 more
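The trace shows the bare memberUid value 'bruno' being used as a search base, which the directory rejects with error code 34. The following Python sketch is an added example, not part of the report and not Bamboo's code or its fix: it plans the lookup for one membership value, treating DN-valued members and posixGroup usernames differently and escaping the username before it enters a search filter. All function names are hypothetical, and the sample entries are constructed from the LDIF in the steps above.

```python
import re

# Constructed sample entries: the posixGroup from the report, and the same
# group as a DN-valued static group for comparison.
BASE = "dc=brosa,dc=openldap,dc=com"
POSIX_GROUP = {"cn": ["developers"], "memberUid": ["bruno"]}
STATIC_GROUP = {"cn": ["developers"], "member": ["uid=bruno," + BASE]}

_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_RDN = re.compile(r"\s*[A-Za-z0-9.-]+\s*=.+", re.S)

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESC.get(ch, ch) for ch in value)

def split_rdns(value):
    """Split on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, i = [], "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            cur += value[i:i + 2]   # keep the escape pair together
            i += 2
            continue
        if value[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += value[i]
        i += 1
    return parts + [cur]

def looks_like_dn(value):
    """Heuristic: every comma-separated component has the form attr=value."""
    return all(_RDN.fullmatch(p) for p in split_rdns(value))

def member_lookup(value, base_dn=BASE, username_attr="uid",
                  user_filter="(objectClass=inetOrgPerson)"):
    """Return (search base, scope, filter) that resolves one membership value."""
    if looks_like_dn(value):
        # DN-valued membership: read that entry directly.
        return (value, "base", user_filter)
    # posixGroup style: the value is a bare username, so search for it under
    # the user namespace; sending it as a search base gives error 34.
    return (base_dn, "subtree",
            f"(&{user_filter}({username_attr}={escape_filter(value)}))")

def plan_group(entry, membership_attr):
    """Plan the lookups for every member of a group entry."""
    return [member_lookup(v) for v in entry.get(membership_attr, [])]
```

The DN check is a heuristic: a username that itself contains `=` would be classified as a DN, so a resolver that knows the group's objectClass should branch on that instead.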
- is duplicated by: BAM-12022 Offer support for POSIX Style LDAP - Closed