Confluence Data Center / CONFSERVER-58650

Incremental syncs of LDAP users from JIRA to Confluence can cause the Confluence Audit Log to be filled with frivolous "User details updated" entries


      Issue Summary

      In specific conditions, the Confluence Audit Log can be filled with "User details updated" entries, despite no user details actually changing.

      JIRA needs to be connected to LDAP via a Delegated Authentication directory with "Update User attributes on Login" enabled. Confluence then pulls the users from JIRA via an incremental sync (with JIRA acting as a user server).

      After a user logs in to JIRA, and Confluence subsequently performs an incremental sync of the JIRA user directory, Confluence will create an Audit Log entry for each of those users who have authenticated into JIRA. In a larger environment, this can quickly fill up the Audit Log UI such that it is no longer useful for an administrator.

      Environment

      Tested in:

      • Confluence 6.13.4
      • JIRA 8.3.0
      • LDAP server: Apache Directory Server 1.5

      Steps to Reproduce

      Prep work:

      1. In JIRA, create a Delegated Authentication directory to LDAP with the "Update User attributes on Login" option checked (which itself requires "Copy User on Login" to be checked as well)
      2. Also configure the directory to auto-add users to a JIRA permission group, such as jira-core-users, so that they can properly log into JIRA
      3. In JIRA, go to User Server and add an application, so that Confluence can connect to JIRA for user management
      4. In Confluence, create a JIRA Server user directory and connect to JIRA. Under "Advanced", make sure Incremental Sync is enabled (this is the default behavior)
      5. Log into JIRA with an LDAP user
      6. In Confluence, sync the JIRA directory to pull in the user

      Reproducing the problem:

      1. In JIRA: log out with the LDAP user, and log back in
      2. In Confluence: using an admin user, trigger an incremental sync of the JIRA user directory
      3. Go to Confluence Admin > Audit Log and observe the results

      Expected Results

      Nothing is logged in the Confluence Audit Log relating to the user

      Actual Results

      Every JIRA authentication followed by an incremental sync to Confluence results in a "User details updated" Audit Log entry for said user. When the admin clicks "Show more", the entry is blank as no user details are actually updated.
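While these entries are being generated, an administrator reviewing exported audit records can separate the empty "User details updated" entries from real changes instead of reading past them. The following is an added example, not code from Atlassian or from this issue; the record layout (`summary`, `affected_user`, `changes` with `old`/`new` values) is an assumed export shape, and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample records. The field names are an assumed export layout,
# not Confluence's documented audit schema.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2019-07-01T09:00:00Z", "summary": "User details updated",
     "affected_user": "alice", "changes": []},
    {"timestamp": "2019-07-01T09:05:00Z", "summary": "User details updated",
     "affected_user": "bob",
     "changes": [{"field": "Email", "old": "bob@example.com",
                  "new": "robert@example.com"}]},
    {"timestamp": "2019-07-01T09:10:00Z", "summary": "User details updated",
     "affected_user": "alice", "changes": []},
    {"timestamp": "2019-07-01T09:15:00Z", "summary": "User added to group",
     "affected_user": "carol",
     "changes": [{"field": "Group", "old": None, "new": "confluence-users"}]},
    {"timestamp": "2019-07-01T09:20:00Z", "summary": "User details updated",
     "affected_user": "carol", "changes": []},
])

NOISE_SUMMARY = "User details updated"


def is_empty_user_update(record):
    """True for a 'User details updated' entry in which nothing changed."""
    if record.get("summary") != NOISE_SUMMARY:
        return False
    changes = record.get("changes") or []
    # No change rows, or rows whose old and new values match, is a no-op.
    return all(c.get("old") == c.get("new") for c in changes)


def triage(records):
    """Return (records worth reviewing, count of empty updates per user)."""
    kept, noise = [], Counter()
    for record in records:
        if is_empty_user_update(record):
            # Count rather than silently drop, so the volume stays visible.
            noise[record.get("affected_user", "<unknown>")] += 1
        else:
            kept.append(record)
    return kept, noise


if __name__ == "__main__":
    kept, noise = triage(json.loads(SAMPLE_EXPORT))
    for record in kept:
        print(record["timestamp"], record["affected_user"], record["summary"])
    print("empty updates per user:", dict(noise))
```

Entries that carry an actual attribute change are always kept, so a genuine modification of a user's details is not filtered out along with the sync noise.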

      Workaround

      The only way to avoid this is to either disable incremental syncing in Confluence (since this problem does not occur with full syncs), or disable "Update User attributes on Login" in the LDAP directory JIRA-side. However, changing these options will have functional impacts in JIRA and Confluence that an admin should be aware of:

      • Disabling incremental sync can cause Confluence to do a lot more work than needed when pulling user management content from JIRA
      • Disabling "Update User attributes on Login" means that when users authenticate, JIRA will no longer update the users' records in its database with whatever is upstream in LDAP

              Unassigned Unassigned
              rchang Robert Chang (Inactive)