  1. Bamboo
  2. BAM-20079

Bamboo should validate external directory authentication can be achieved during 6.6 upgrades before migrating it as an embedded crowd repository


    Description

      Summary

      Upgrade task 60602 : Move users to Embedded Crowd (post-bootstrap) can fail with an AuthenticationException if upgrade task 60601 passes its initial validation of the format but the credentials passed to the LDAP / Active Directory server aren't correct.

      Steps to Reproduce

      1. Enter a full DN into atlassian-user.xml before upgrade for the securityPrincipal (make sure it's not valid)
      2. Perform the upgrade.

      Expected Results

      Bamboo should validate that authentication can be achieved through embedded crowd with the credentials from atlassian-user.xml before moving on to upgrade task 60602.

      Actual Results

      The below exception is thrown in the atlassian-bamboo.log file:

      2018-08-29 21:56:57,267 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AbstractUpgradeManager] -----------------------------------------------------
      2018-08-29 21:56:57,267 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AbstractUpgradeManager] 60602 : Move users to Embedded Crowd (post-bootstrap)
      2018-08-29 21:56:57,267 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AbstractUpgradeManager] -----------------------------------------------------
      2018-08-29 21:56:57,787 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AtlassianUserDataMigrator] Copying 4 groups...
      2018-08-29 21:56:58,096 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [UpgradeTask60602MoveUsersToEmbeddedCrowd] Migration of groups took 492.6 ms
      2018-08-29 21:56:58,098 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AtlassianUserDataMigrator] Copying 9 users...
      2018-08-29 21:56:58,286 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [UpgradeTask60602MoveUsersToEmbeddedCrowd] Migration of users took 190.1 ms
      2018-08-29 21:56:58,294 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AtlassianUserDataMigrator] Upgrading external membership information using data from the database
      2018-08-29 21:56:58,295 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AtlassianUserDataMigrator] Copying 6 local memberships of LDAP users...
      2018-08-29 21:56:58,778 WARN [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AtlassianUserDataMigrator] User not found in local repository. It might be available at external repository, creating user placeholder to be filled by Crowd on LDAP synchronization. User name: [acook], group name: [bamboo-admin]
      2018-08-29 21:56:59,077 ERROR [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AbstractUpgradeManager] com.atlassian.crowd.exception.runtime.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]
      com.atlassian.crowd.exception.runtime.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]
      at com.atlassian.crowd.embedded.core.CrowdServiceImpl.addUserToGroup(CrowdServiceImpl.java:557)
      at com.atlassian.bamboo.upgrade.tasks.v6_6.ec.AtlassianUserDataMigrator.migrateMembershipInLocalGroup(AtlassianUserDataMigrator.java:389)
      at com.atlassian.bamboo.upgrade.tasks.v6_6.ec.AtlassianUserDataMigrator.access$400(AtlassianUserDataMigrator.java:71)
      at com.atlassian.bamboo.upgrade.tasks.v6_6.ec.AtlassianUserDataMigrator$4.processRowInternal(AtlassianUserDataMigrator.java:359)
      at com.atlassian.bamboo.upgrade.tasks.v6_6.ec.SessionClearingRowCallbackHandler.processRow(SessionClearingRowCallbackHandler.java:36)
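
The failure above can be picked out of atlassian-bamboo.log mechanically. The following is an added example, not part of the original issue or of Bamboo: it tracks which upgrade task was running and decodes the Active Directory sub-status in the `data` field of the LDAP error 49 message. The function name, the sample lines (abridged from the log above) and the sub-status table (Active Directory's standard bind failure values, not taken from this page) are assumptions of the example.

```python
import re

# Active Directory sub-status values found in the "data NNN" field of an
# LDAP result code 49 bind failure (assumption: standard AD values).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong bind DN or password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# "[AbstractUpgradeManager] 60602 : Move users ..." marks the start of a task.
TASK_RE = re.compile(r"\[AbstractUpgradeManager\] (\d{5}) : (.+)$")
BIND_RE = re.compile(r"LDAP: error code 49\b.*?\bdata ([0-9a-fA-F]+)")

def find_bind_failures(log_lines):
    """Return one finding per ERROR line that reports an LDAP bind failure."""
    task, findings = None, []
    for line in log_lines:
        m = TASK_RE.search(line)
        if m:
            task = (m.group(1), m.group(2).strip())
            continue
        if " ERROR " not in line:
            continue  # stack-trace copies of the message are not counted twice
        m = BIND_RE.search(line)
        if m:
            code = m.group(1).lower()
            findings.append({
                "timestamp": line[:23],
                "task": task,  # upgrade task running when the bind failed
                "subcode": code,
                "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-status"),
            })
    return findings

# Constructed sample, abridged from the log lines in this report.
SAMPLE = [
    "2018-08-29 21:56:57,267 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AbstractUpgradeManager] 60602 : Move users to Embedded Crowd (post-bootstrap)",
    "2018-08-29 21:56:58,098 INFO [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AtlassianUserDataMigrator] Copying 9 users...",
    "2018-08-29 21:56:59,077 ERROR [17-UpgradeTaskBackgroundThread:pool-33-thread-1] [AbstractUpgradeManager] com.atlassian.crowd.exception.runtime.OperationFailedException: ... [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1]",
]
FINDINGS = find_bind_failures(SAMPLE)  # one finding: task 60602, subcode 52e
```

A finding with sub-status 52e during task 60602 matches the situation in this issue: the bind DN was accepted as well-formed, but the directory rejected the credentials.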
      

      Notes

      At this point, you cannot update the atlassian-user.xml to fix any credentials issues.

      Workaround

      You can use the SQL queries below to update the bind DN and password to the correct credentials directly in the Bamboo database, and then continue with the upgrade:

      -- Set the bind DN (replace the example value with the correct DN)
      UPDATE CWD_DIRECTORY_ATTRIBUTE SET attribute_value = 'CN=admin,CN=users,CN=accounts,DC=example,DC=COM'
      WHERE attribute_name = 'ldap.userdn' AND directory_id IN (SELECT ID FROM CWD_DIRECTORY WHERE DIRECTORY_NAME = 'Upgraded atlassian-user LDAP (ldapRepository)');

      -- Set the bind password (replace 'password' with the correct password)
      UPDATE CWD_DIRECTORY_ATTRIBUTE SET attribute_value = 'password'
      WHERE attribute_name = 'ldap.password' AND directory_id IN (SELECT ID FROM CWD_DIRECTORY WHERE DIRECTORY_NAME = 'Upgraded atlassian-user LDAP (ldapRepository)');
      

            People

              mgardias Marcin Gardias
              jowen@atlassian.com Jeremy Owen