Uploaded image for project: 'Bamboo Data Center'
  1. Bamboo Data Center
  2. BAM-19678

Bamboo reporting 0 (zero) as user count for Microsoft Active Directory groups

    XMLWordPrintable

Details

    Description

      Summary

      Bamboo reports some groups coming from Microsoft Active Directory with 0 user count when in fact they have a considerable amount of users (members).

      In this case both BAMBOO groups are coming from Microsoft Active Directory. The first one (BAMBOO-ENGR) has 15 users, but the second one (BAMBOO-USERS) has +1.500 users. The second group is showing up with 0 users inside Bamboo.

      Environment

      • Bamboo connect to Microsoft Active Directory.

      Steps to Reproduce

      1. Connect Bamboo to Microsoft Active Directory using the following document: Integrating Bamboo with LDAP.
      2. Create two groups inside AD:
        • BAMBOO-USERS
          Add more than 1.500 users to this group.
        • BAMBOO-ENGR
          Add just a few users to this group (e.g. 15 users).
      3. To ensure that you're only loading users from those two groups we just created and that you're also just synchronizing those groups, configure Bamboo to:
        • look for those groups inside your AD tree: 
          <groupSearchFilter>(&amp;(objectCategory=group)(|(cn=BAMBOO-ENGR)(cn=BAMBOO-USERS)))</groupSearchFilter>
        • filter users that only belong to those groups: 
          <userSearchFilter>(&amp;(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=BAMBOO-ENGR,OU=bamboo,DC=atlassian,DC=local)(memberOf=CN=BAMBOO-USERS,OU=bamboo,DC=atlassian,DC=local)))</userSearchFilter>
        • use member as the membership attribute: 
          <membershipAttribute>member</membershipAttribute>
      4. Once everything has been configured correctly access the following pages inside Bamboo:
        • Bamboo administration > Overview > Security > Users
        • Bamboo administration > Overview > Security > Groups

      Expected Results

      The first page, the Users page, will give you a list of all users and groups they belong to – either BAMBOO-ENGR, BAMBOO-USERS or both. The second page, the Groups page, should report the correct number of users belonging to those two groups we created (e.g. BAMBOO-USERS with over 1.500 users and BAMBOO-ENGR with 15 users).

      Actual Results

      The first page will give you all correct results but the Groups page on the other hand will display the user count as 0 for the BAMBOO-USERS group.

      This is happening because when we query Microsoft AD for the list of members inside that group we expect a list of users that has the following structure:

      BAMBOO-ENGR
      # BAMBOO-ENGR, bamboo, atlassian.local
dn: CN=BAMBOO-ENGR,OU=bamboo,DC=atlassian,DC=local
member: CN=bamboo.user0014,OU=users,OU=howTo,DC=atlassian,DC=local
member: CN=bamboo.user0013,OU=users,OU=howTo,DC=atlassian,DC=local
member: CN=bamboo.user0012,OU=users,OU=howTo,DC=atlassian,DC=local
member: CN=bamboo.user0011,OU=users,OU=howTo,DC=atlassian,DC=local
member: CN=bamboo.user0010,OU=users,OU=howTo,DC=atlassian,DC=local
...

      However, the results from querying the other group looks like this:

      BAMBOO-USERS
      # BAMBOO-USERS, bamboo, atlassian.local
dn: CN=BAMBOO-USERS,OU=bamboo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1413,OU=users,OU=howTo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1412,OU=users,OU=howTo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1411,OU=users,OU=howTo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1410,OU=users,OU=howTo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1409,OU=users,OU=howTo,DC=atlassian,DC=local
...

      All the results from the BAMBOO-USERS group have member;range=0-1499: – according to Microsoft, by default, only the first 1.500 members of a group are accessible through LDAP via an attribute called member;range=0-1499 even if the group contains more than 1.500 members.

      Bamboo is not able to parse/handle that range parameter and it's reporting that the group has 0 users.

      Notes

      You can test and check this using a very useful command called ldapsearch. If you want to know whether you're affected by this issue you can use your atlassian-user.xml file information to run the following command and look for the range attribute in the results:

      ldapsearch -D "<securityPrincipal>" \
           -w "<securityCredential>" \
           -p <port> \
           -h <host> \
           -b "<baseContext>" \
           "<groupSearchFilter>" \
           member

      You will find each one of the tags mentioned above inside your atlassian-user.xml file – just replace the tags with the actual values so it looks similar to this:

      ldapsearch -D "CN=administrator,CN=users,DC=atlassian,DC=local" \
           -w "password123" \
           -p 389 \
           -h atlassian.local \
           -b "DC=atlassian,DC=local" \
           "(&(objectCategory=group)(|(cn=BAMBOO-ENGR)(cn=BAMBOO-USERS)))" \
           member

      Workaround

      There are no known workarounds at this time. However please keep in mind that this shouldn't affect users ability to access the application or even admins to grant and manage user access and such. This only affects the user count inside the Groups page.

      Attachments

        Issue Links

          is blocked by

          Suggestion - BAM-11376 Have Bamboo use Embedded Crowd instead of atlassian-user

          • Closed

          Activity

            People

              Unassigned Unassigned
              brosa Bruno Rosa
              Votes:
              2 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: