  1. Bamboo Data Center
  2. BAM-19995

Active Directory User Repositories cannot be migrated to Embedded Crowd without Distinguished Name in securityPrincipal


Details

    Description

      Summary

      When upgrading Bamboo to version 6.6, instances that are connected to Active Directory (AD) and do not use a Distinguished Name (DN) for the securityPrincipal in atlassian-user.xml fail to migrate to Embedded Crowd, causing upgrade task 60601 (and thus the upgrade itself) to fail.

      Environment

      • Bamboo before 6.6.x
      • Upgrading to 6.6.x
      • Using Active Directory

      Steps to Reproduce

      1. Set up Bamboo linked to Active Directory
      2. Use a securityPrincipal that is not a DN in atlassian-user.xml
      3. Upgrade to 6.6.x

      Expected Results

      Users are migrated from atlassian-user to Embedded Crowd and the upgrade completes.

      Actual Results

      The following exception is logged in atlassian-bamboo.log if the AD <securityPrincipal>foo@bar</securityPrincipal> is an email address:

      2018-07-16 14:49:37,247 INFO [localhost-startStop-1] [BootstrapUpgradeManagerImpl] ---------------------------------------------------------------------------------------------
      2018-07-16 14:49:37,247 INFO [localhost-startStop-1] [BootstrapUpgradeManagerImpl] 60601 : Validate existing Atlassian User directories for Embedded Crowd migration (bootstrap)
      2018-07-16 14:49:37,247 INFO [localhost-startStop-1] [BootstrapUpgradeManagerImpl] ---------------------------------------------------------------------------------------------
      2018-07-16 14:49:37,278 INFO [localhost-startStop-1] [AbstractDbmsBean] Detected schema: dbo
      2018-07-16 14:49:37,309 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validating repository [adRepository]
      2018-07-16 14:49:37,325 ERROR [localhost-startStop-1] [LdapRepositoryConfigurationMigrator] Property securityPrincipal is not a valid distinguished name: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 8. Encountered: "@" (64), after : ""
      2018-07-16 14:49:37,325 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validated repository [adRepository] with [com.atlassian.bamboo.upgrade.tasks.v6_6.ec.LdapRepositoryConfigurationMigrator@51cbd719]
      2018-07-16 14:49:37,325 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validating repository [hibernateRepository]
      2018-07-16 14:49:37,325 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validated repository [hibernateRepository] with [com.atlassian.bamboo.upgrade.tasks.v6_6.ec.HibernateRepositoryConfigurationMigrator@7aa9a5f2]
      2018-07-16 14:49:37,325 ERROR [localhost-startStop-1] [BootstrapUpgradeManagerImpl] Task 60601 failed
      java.lang.RuntimeException: com.atlassian.bamboo.upgrade.exception.ValidationException: Bamboo can't migrate Atlassian User repositories due to validation errors. Please refer to logs for more information.
      ...
      Caused by: com.atlassian.bamboo.upgrade.exception.ValidationException: Bamboo can't migrate Atlassian User repositories due to validation errors. Please refer to logs for more information.
      ...
      2018-07-16 14:49:37,325 FATAL [localhost-startStop-1] [DefaultBootstrapManager] Validation tests failed: Bamboo can't migrate Atlassian User repositories due to validation errors. Please refer to logs for more information.
      

      The following exception is logged in atlassian-bamboo.log if the AD <securityPrincipal>foo</securityPrincipal> is not an email address:

      2018-07-16 23:00:40,205 INFO [localhost-startStop-1] [BootstrapUpgradeManagerImpl] ---------------------------------------------------------------------------------------------
      2018-07-16 23:00:40,205 INFO [localhost-startStop-1] [BootstrapUpgradeManagerImpl] 60601 : Validate existing Atlassian User directories for Embedded Crowd migration (bootstrap)
      2018-07-16 23:00:40,205 INFO [localhost-startStop-1] [BootstrapUpgradeManagerImpl] ---------------------------------------------------------------------------------------------
      2018-07-16 23:00:40,252 INFO [localhost-startStop-1] [AbstractDbmsBean] Detected schema: dbo
      2018-07-16 23:00:40,283 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validating repository [adRepository]
      2018-07-16 23:00:40,314 ERROR [localhost-startStop-1] [LdapRepositoryConfigurationMigrator] Property securityPrincipal is not a valid distinguished name: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: "\\" (92), after : ""
      2018-07-16 23:00:40,314 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validated repository [adRepository] with [com.atlassian.bamboo.upgrade.tasks.v6_6.ec.LdapRepositoryConfigurationMigrator@3d7f4da0]
      2018-07-16 23:00:40,314 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validating repository [hibernateRepository]
      2018-07-16 23:00:40,314 INFO [localhost-startStop-1] [AtlassianUserMigrator] Validated repository [hibernateRepository] with [com.atlassian.bamboo.upgrade.tasks.v6_6.ec.HibernateRepositoryConfigurationMigrator@7ac71837]
      2018-07-16 23:00:40,314 ERROR [localhost-startStop-1] [BootstrapUpgradeManagerImpl] Task 60601 failed
      java.lang.RuntimeException: com.atlassian.bamboo.upgrade.exception.ValidationException: Bamboo can't migrate Atlassian User repositories due to validation errors. Please refer to logs for more information.
      ...
      Caused by: com.atlassian.bamboo.upgrade.exception.ValidationException: Bamboo can't migrate Atlassian User repositories due to validation errors. Please refer to logs for more information.
      ... 
      2018-07-16 23:00:40,314 FATAL [localhost-startStop-1] [DefaultBootstrapManager] Validation tests failed: Bamboo can't migrate Atlassian User repositories due to validation errors. Please refer to logs for more information.
      

      Workaround 1

      1. Stop Bamboo
      2. Update the securityPrincipal to use Distinguished Name format
      3. Start Bamboo
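
A pre-upgrade check for Workaround 1, added here as an example (it is not Atlassian's code): it scans the contents of atlassian-user.xml and reports every securityPrincipal that is not shaped like a distinguished name. The wrapper elements, the key attribute and the sample values are assumptions, and the check approximates RFC 4514 syntax rather than reproducing the Spring LDAP parser named in the log above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: wrapper elements, key attribute and values are assumed.
SAMPLE_XML = """<atlassian-user><repositories>
  <ldap key="adRepository"><securityPrincipal>foo@bar</securityPrincipal></ldap>
  <ldap key="okRepository"><securityPrincipal>CN=svc,OU=Svc,DC=example,DC=com</securityPrincipal></ldap>
</repositories></atlassian-user>"""

ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")  # attribute name or dotted OID

def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters inside their part."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    return parts + [cur]

def looks_like_dn(value):
    """Shape check only: every RDN is attr=value, multi-valued RDNs joined by '+'."""
    for rdn in split_unescaped(value.strip(), ","):
        for ava in split_unescaped(rdn, "+"):
            attr, eq, val = ava.partition("=")
            if not (eq and ATTR.fullmatch(attr.strip()) and val.strip()):
                return False
    return True

def non_dn_principals(xml_text):
    """Return (repository key, principal, format) for each non-DN securityPrincipal."""
    findings = []
    for ldap in ET.fromstring(xml_text).iter("ldap"):
        for sp in ldap.iter("securityPrincipal"):
            value = (sp.text or "").strip()
            if not looks_like_dn(value):
                kind = "email-style" if "@" in value else "backslash-style" if "\\" in value else "bare-name"
                findings.append((ldap.get("key", "?"), value, kind))
    return findings

if __name__ == "__main__":
    for key, value, kind in non_dn_principals(SAMPLE_XML):
        print(f"[{key}] securityPrincipal {value!r} is {kind}, not a DN")
```

An empty result means every LDAP repository already binds with a DN-shaped principal; the upgrade task's own validation remains the authority.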

      Workaround 2

      Summary

      Remove the AD configuration from atlassian-user.xml and upgrade using the Hibernate user directory.
      All existing memberships of AD users in Bamboo local groups will be lost.

      Detail

      1. Stop your pre-6.6.x Bamboo
      2. Remove the AD configuration (the <ldap>...</ldap> element) from atlassian-user.xml
      3. Back up the Bamboo database
      4. Delete the AD users from the Bamboo database
        This will not affect your Active Directory; it only modifies Bamboo's user directory information:
        DELETE FROM OS_PROPERTYENTRY WHERE ENTITY_ID IN (SELECT ID FROM EXTERNAL_ENTITIES);
        DELETE FROM EXTERNAL_ENTITIES;
        DELETE FROM EXTERNAL_MEMBERS;
        
      5. Find the admin user in Bamboo's Hibernate user database:
        -- replace <username> with your admin username
        SELECT * FROM USERS WHERE NAME='<username>';
        
      6. Start your pre-6.6.x Bamboo instance to verify you can log in with the internal admin user found in Step 5
      7. Shut down your pre-6.6.x Bamboo instance
      8. Upgrade to 6.6.x
      9. After upgrade, configure LDAP at Administration >> Security >> User directories

            People

              achystoprudov Alexey Chystoprudov
              ezeidan Elias Zeidan (they/them)