- Bug
- Resolution: Fixed
- Low
- 5.15.7, 6.3.1
- Severity 3 - Minor
Summary
Bamboo reports a user count of 0 for some groups coming from Microsoft Active Directory when in fact they have a considerable number of users (members).
In this case both BAMBOO groups are coming from Microsoft Active Directory. The first one (BAMBOO-ENGR) has 15 users, but the second one (BAMBOO-USERS) has more than 1.500 users. The second group is showing up with 0 users inside Bamboo.
Environment
- Bamboo connected to Microsoft Active Directory.
Steps to Reproduce
- Connect Bamboo to Microsoft Active Directory using the following document: Integrating Bamboo with LDAP.
- Create two groups inside AD:
  - BAMBOO-USERS: add more than 1.500 users to this group.
  - BAMBOO-ENGR: add just a few users to this group (e.g. 15 users).
- To ensure that you're only loading users from those two groups we just created and that you're also just synchronizing those groups, configure Bamboo to:
  - look for those groups inside your AD tree:
        <groupSearchFilter>(&(objectCategory=group)(|(cn=BAMBOO-ENGR)(cn=BAMBOO-USERS)))</groupSearchFilter>
  - filter users that only belong to those groups:
        <userSearchFilter>(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=CN=BAMBOO-ENGR,OU=bamboo,DC=atlassian,DC=local)(memberOf=CN=BAMBOO-USERS,OU=bamboo,DC=atlassian,DC=local)))</userSearchFilter>
  - use member as the membership attribute:
        <membershipAttribute>member</membershipAttribute>
- Once everything has been configured correctly, access the following pages inside Bamboo:
- Bamboo administration > Overview > Security > Users
- Bamboo administration > Overview > Security > Groups
Expected Results
The first page, the Users page, will give you a list of all users and groups they belong to – either BAMBOO-ENGR, BAMBOO-USERS or both. The second page, the Groups page, should report the correct number of users belonging to those two groups we created (e.g. BAMBOO-USERS with over 1.500 users and BAMBOO-ENGR with 15 users).
Actual Results
The first page shows the correct results, but the Groups page displays a user count of 0 for the BAMBOO-USERS group.
This is happening because when we query Microsoft AD for the list of members inside that group we expect a list of users that has the following structure:
    # BAMBOO-ENGR, bamboo, atlassian.local
    dn: CN=BAMBOO-ENGR,OU=bamboo,DC=atlassian,DC=local
    member: CN=bamboo.user0014,OU=users,OU=howTo,DC=atlassian,DC=local
    member: CN=bamboo.user0013,OU=users,OU=howTo,DC=atlassian,DC=local
    member: CN=bamboo.user0012,OU=users,OU=howTo,DC=atlassian,DC=local
    member: CN=bamboo.user0011,OU=users,OU=howTo,DC=atlassian,DC=local
    member: CN=bamboo.user0010,OU=users,OU=howTo,DC=atlassian,DC=local
    ...
However, the results from querying the other group look like this:
    # BAMBOO-USERS, bamboo, atlassian.local
    dn: CN=BAMBOO-USERS,OU=bamboo,DC=atlassian,DC=local
    member;range=0-1499: CN=bamboo.user1413,OU=users,OU=howTo,DC=atlassian,DC=local
    member;range=0-1499: CN=bamboo.user1412,OU=users,OU=howTo,DC=atlassian,DC=local
    member;range=0-1499: CN=bamboo.user1411,OU=users,OU=howTo,DC=atlassian,DC=local
    member;range=0-1499: CN=bamboo.user1410,OU=users,OU=howTo,DC=atlassian,DC=local
    member;range=0-1499: CN=bamboo.user1409,OU=users,OU=howTo,DC=atlassian,DC=local
    ...
Every member value returned for the BAMBOO-USERS group is labelled member;range=0-1499 instead of member. According to Microsoft, by default only the first 1.500 members of a group are accessible through LDAP, via an attribute called member;range=0-1499, even if the group contains more than 1.500 members.
Bamboo is not able to parse/handle that range parameter and it's reporting that the group has 0 users.
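An added example, not Bamboo's code or part of the original report: a Python parser for ldapsearch output that treats member;range=0-1499 as the member attribute carrying a range option, and reports the next range to request when the chunk is not the final one. The sample input is constructed, parse_groups and range_aware are hypothetical names, and range_aware=False models an exact-name match that counts 0 members for the ranged group; the trailing "-*" for the final chunk follows Active Directory's ranged retrieval convention.

```python
import base64
import re

# Constructed sample in ldapsearch (LDIF) style, reusing the page's group names.
SAMPLE = """\
dn: CN=BAMBOO-ENGR,OU=bamboo,DC=atlassian,DC=local
member: CN=bamboo.user0014,OU=users,OU=howTo,DC=atlassian,DC=local
member: CN=bamboo.user0013,OU=users,OU=howTo,DC=atlassian,DC=local

dn: CN=BAMBOO-USERS,OU=bamboo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1413,OU=users,OU=howTo,DC=atlassian,DC=local
member;range=0-1499: CN=bamboo.user1412,OU=users,OU=howTo,DC=atlassi
 an,DC=local
member;range=0-1499: CN=bamboo.user1411,OU=users,OU=howTo,DC=atlassian,DC=local
"""

RANGE_OPT = re.compile(r"^range=(\d+)-(\d+|\*)$", re.I)

def parse_groups(ldif, attr="member", range_aware=True):
    """Return {dn: {"members": [...], "next_range": str or None}}."""
    groups, current = {}, None
    ldif = re.sub(r"\r?\n ", "", ldif)           # undo LDIF line folding
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        desc, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        name, *options = desc.split(";")          # "member;range=0-1499"
        if name.lower() == "dn":
            current = groups.setdefault(value, {"members": [], "next_range": None})
            continue
        if current is None or name.lower() != attr.lower():
            continue
        if options and not range_aware:
            continue                              # exact-name match drops ranged values
        current["members"].append(value)
        for opt in options:
            m = RANGE_OPT.match(opt)
            if m and m.group(2) != "*":           # "*" marks the final chunk
                current["next_range"] = f"{attr};range={int(m.group(2)) + 1}-*"
    return groups
```

A non-empty next_range (here member;range=1500-*) is the attribute to request in a follow-up search; repeat until the server answers with a range ending in "*".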
Notes
You can test and check this using a very useful command called ldapsearch. If you want to know whether you're affected by this issue you can use your atlassian-user.xml file information to run the following command and look for the range attribute in the results:
    ldapsearch -D "<securityPrincipal>" \
      -w "<securityCredential>" \
      -p <port> \
      -h <host> \
      -b "<baseContext>" \
      "<groupSearchFilter>" \
      member
You will find each one of the tags mentioned above inside your atlassian-user.xml file – just replace the tags with the actual values so it looks similar to this:
    ldapsearch -D "CN=administrator,CN=users,DC=atlassian,DC=local" \
      -w "password123" \
      -p 389 \
      -h atlassian.local \
      -b "DC=atlassian,DC=local" \
      "(&(objectCategory=group)(|(cn=BAMBOO-ENGR)(cn=BAMBOO-USERS)))" \
      member
Workaround
There are no known workarounds at this time. However, please keep in mind that this shouldn't affect users' ability to access the application, or admins' ability to grant and manage user access. This only affects the user count on the Groups page.
- is blocked by: BAM-11376 Have Bamboo use Embedded Crowd instead of atlassian-user (Closed)