- Bug
- Resolution: Fixed
- Medium
- 3.5
- None
The default user search filter specified in 3.4 and earlier could find user accounts that don't contain the username attribute. After upgrade, if the filter matches such entries, no LDAP synchronisation can complete, and any upgrade attempt with this configuration will fail.
We should automatically tighten the filter during the upgrade process to include the relevant username attribute by AND-ing it with the filter given by the user. E.g. for Active Directory, with the username attribute 'sAMAccountName', the user search filter could be given as '(objectCategory=person)', but we should change it to '(&(objectCategory=Person)(sAMAccountName=*))'. For LDAP, with the username attribute 'cn', the user search filter could be given as '(objectClass=inetorgperson)', but we should change it to '(&(objectClass=inetorgperson)(cn=*))'. The same could be done for the user attribute 'oid', and so forth.
While we're implementing this, we should validate that any wildcard (presence) part of the search filter refers to the username attribute - if they don't match, the filter will never return any results we can use.
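The tightening and validation described above, as an added Python example that is not Confluence's own code; the function names and the rule of merging the presence term into an existing top-level AND (instead of nesting a second AND) are assumptions:

```python
import re

# Matches a simple presence term such as "(sAMAccountName=*)" anywhere in a filter.
PRESENCE_TERM = re.compile(r"\(([A-Za-z][\w.;-]*)=\*\)")


def _is_single_filter(f: str) -> bool:
    """True if f is one parenthesised LDAP filter whose outer '(' closes only at the very end."""
    if not (f.startswith("(") and f.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing the outer paren before the end means several filters were concatenated.
            if depth < 0 or (depth == 0 and i != len(f) - 1):
                return False
    return depth == 0


def presence_attributes(search_filter: str) -> list[str]:
    """Attribute names used in presence (attr=*) terms, in order of appearance."""
    return PRESENCE_TERM.findall(search_filter)


def mismatched_wildcards(search_filter: str, username_attr: str) -> list[str]:
    """Presence terms that are not on the username attribute (the validation the ticket asks for).
    LDAP attribute names are case-insensitive, so the comparison ignores case."""
    return [a for a in presence_attributes(search_filter) if a.lower() != username_attr.lower()]


def tighten_user_search_filter(search_filter: str, username_attr: str) -> str:
    """Return the filter AND-ed with (username_attr=*), so entries without a username never match."""
    f = search_filter.strip()
    if not _is_single_filter(f):
        raise ValueError(f"not a single parenthesised LDAP filter: {search_filter!r}")
    # Idempotent: a filter that already requires the username attribute is left alone.
    if any(a.lower() == username_attr.lower() for a in presence_attributes(f)):
        return f
    term = f"({username_attr}=*)"
    if f.startswith("(&"):
        # Already a top-level conjunction: append the term inside it rather than nesting another AND.
        return f[:-1] + term + ")"
    return f"(&{f}{term})"
```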
Workaround
Before upgrading, change atlassian-user.xml so it's got a filter for the username attribute in it. For example with Active Directory:
<userSearchFilter>(&(objectCategory=person)(sAMAccountName=*))</userSearchFilter>
- duplicates
  - CONFSERVER-22137 Fatal Error thrown if an ldap entity satisfies the search filter but does not have a necessary attribute - Closed
- is related to
  - CONFSERVER-7139 Group searches repeat the groupSearchFilter criteria - Closed
  - CWD-2390 Crowd should ignore users that don't have a username attribute during sync - Closed