[CWD-1102] Unfiltered groups attached to users

Type: Bug
Resolution: Obsolete
Priority: Medium
Fix Version/s: None
Affects Version/s: 1.4.2
Component/s: Directory - LDAP
Labels:
None
Environment:

Windows 2003 Server

Support reference count:
1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

I have an instance of Crowd 1.4.2, with a connector to a Microsoft Active Directory Server running on Windows 2003 R2 SP 2.
We have many groups in our AD – so many that they're unwieldy to work with all at once. So I created an OU containing only the groups I need. I used this OU as filter by referencing it in my base DN for groups in the connector configurator: ou=Extranet,ou=Groups.

In one way, this works. If I view the list of available groups in Crowd for that directory, it shows just what it should – the 6 groups I care about. But if I bring up a user record and examine their groups, I see ALL the AD groups they're a part of, not just the filtered ones I care about. If I click into such a group, I do get an inspect/edit screen, but with a red warning bar. If I click from that group into a list of its users, I see nothing.

Likewise in Jira, which I integrated with Crowd, I get similar behavior in terms of seeing the additional groups, and being led to belive I can edit/inspect them, then getting warnings and failures.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

crowd-0.jpg
32 kB
03/Jun/2008 4:23 PM
crowd-1.jpg
33 kB
03/Jun/2008 4:23 PM
crowd-3.jpg
40 kB
03/Jun/2008 4:23 PM

is blocked by

CWD-1459 Group/User memberships do not obey the tree scope or object filters

Closed

Anselm McClain added a comment - 08/Aug/2008 2:50 PM

Here's the text of the support ticket I logged that was resolved by directing me to this a page. I'm not including the screenshots as they are a bit too sensitive for a public ticket, but if you follow along you can see that this is definitely buggy behavior (especially re. JIRA filter handling):

We are using Crowd 1.4.4 to integrate our AD environment with JIRA 3.12.3, Confluence , and Fisheye installations. We have selected users and groups coming in from our Active Directory infrastructure, with specific filters on both users and groups to limit the objects that are available to Crowd and integrated applications.

The issue we are seeing is that, while the list of groups is correct when querying our directory for groups, we see other groups that should be excluded when looking at a single user and his/her group memberships. It appears as though Crowd 1.4.4 is looking up groups via the memberOf attribute, but not then using SIDs or full DNs to drop groups out of the membership list that do not match the group LDAP filter.

I think this is different from earlier versions of Crowd, and it is creating production problems and exceptions in JIRA due to some group naming conflicts and inconsistent permission handling.
Example

As an example - we have two groups named Telecom, in different OUs, which is valid in AD. One is in an OU that is imported to Crowd; the other is not and should not be in Crowd (screenshot 1 shows that we only have one list - good). We have a user who is a member of the Telecom group that is not included in our Crowd LDAP filter. When we look at the membership list of the Telecom list that is imported into Crowd, we do not see the user (screenshot 2 - also good). However, when we look at the user's record and switch to the Group tab, we do see the Telecom group, hyperlinked even to the Crowd group that does not include him. Additionally, we see other groups in the user's membership list that don't match any Crowd groups by name - they're mailing lists that shouldn't be in Crowd at all. (screenshot 3 - bad).

In this case, we end up with a user who both "is and is not" in the Telecom group. In JIRA, we have a filter that is shared with the Telecom group and shows tickets in our Telecom project. If the user tries to load a dashboard portlet showing statistics for his various filters, JIRA throws an exception because (a) part of the application thinks he is in the Telecom group and should have the filter, but (b) another part of JIRA doesn't think he's in the Telecom group and dies trying to access the issue counts.

I have seen some other issues too where users are getting groups that should not be in Crowd when choosing groups for filter sharing. Perhaps the part of Jira that is evaluating groups vis-a-vis filters is not consistent?

Anselm McClain added a comment - 08/Aug/2008 2:50 PM Here's the text of the support ticket I logged that was resolved by directing me to this a page. I'm not including the screenshots as they are a bit too sensitive for a public ticket, but if you follow along you can see that this is definitely buggy behavior (especially re. JIRA filter handling): We are using Crowd 1.4.4 to integrate our AD environment with JIRA 3.12.3, Confluence , and Fisheye installations. We have selected users and groups coming in from our Active Directory infrastructure, with specific filters on both users and groups to limit the objects that are available to Crowd and integrated applications. The issue we are seeing is that, while the list of groups is correct when querying our directory for groups, we see other groups that should be excluded when looking at a single user and his/her group memberships. It appears as though Crowd 1.4.4 is looking up groups via the memberOf attribute, but not then using SIDs or full DNs to drop groups out of the membership list that do not match the group LDAP filter. I think this is different from earlier versions of Crowd, and it is creating production problems and exceptions in JIRA due to some group naming conflicts and inconsistent permission handling. Example As an example - we have two groups named Telecom, in different OUs, which is valid in AD. One is in an OU that is imported to Crowd; the other is not and should not be in Crowd (screenshot 1 shows that we only have one list - good). We have a user who is a member of the Telecom group that is not included in our Crowd LDAP filter. When we look at the membership list of the Telecom list that is imported into Crowd, we do not see the user (screenshot 2 - also good). However, when we look at the user's record and switch to the Group tab, we do see the Telecom group, hyperlinked even to the Crowd group that does not include him. Additionally, we see other groups in the user's membership list that don't match any Crowd groups by name - they're mailing lists that shouldn't be in Crowd at all. (screenshot 3 - bad). In this case, we end up with a user who both "is and is not" in the Telecom group. In JIRA, we have a filter that is shared with the Telecom group and shows tickets in our Telecom project. If the user tries to load a dashboard portlet showing statistics for his various filters, JIRA throws an exception because (a) part of the application thinks he is in the Telecom group and should have the filter, but (b) another part of JIRA doesn't think he's in the Telecom group and dies trying to access the issue counts. I have seen some other issues too where users are getting groups that should not be in Crowd when choosing groups for filter sharing. Perhaps the part of Jira that is evaluating groups vis-a-vis filters is not consistent?

Paul Boyum added a comment - 14/Jun/2008 4:05 AM

Our Active Directory environment is set up in a similar manner – with a separate OU for Crowd.

It appears that Crowd is now getting group memberships from the memberOf attribute in LDAP (which is a good thing). However, it would be nice to not see all the groups that are outside of the group base DN.

Paul Boyum added a comment - 14/Jun/2008 4:05 AM Our Active Directory environment is set up in a similar manner – with a separate OU for Crowd. It appears that Crowd is now getting group memberships from the memberOf attribute in LDAP (which is a good thing). However, it would be nice to not see all the groups that are outside of the group base DN.

Steve Lane added a comment - 07/Jun/2008 8:22 PM

I'll just add that the behavior I was hoping for (I'll avoid the annoying "now the way it SHOULD work" :->) was that, by limiting my groups query to a subset of all groups in the LDAP store, that I'd only ever see those groups from the perspective of Jira/Confluence/Crowd. The feature might well not be defined that way, of course. But the ability to see those other groups seems to lead to inconsistencies and outright errors with the warnings as described.

Steve Lane added a comment - 07/Jun/2008 8:22 PM I'll just add that the behavior I was hoping for (I'll avoid the annoying "now the way it SHOULD work" :->) was that, by limiting my groups query to a subset of all groups in the LDAP store, that I'd only ever see those groups from the perspective of Jira/Confluence/Crowd. The feature might well not be defined that way, of course. But the ability to see those other groups seems to lead to inconsistencies and outright errors with the warnings as described.

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Anselm McClain added a comment - 08/Aug/2008 2:50 PM

Expand comment: Anselm McClain added a comment - 08/Aug/2008 2:50 PM

Collapse comment: Paul Boyum added a comment - 14/Jun/2008 4:05 AM

Expand comment: Paul Boyum added a comment - 14/Jun/2008 4:05 AM

Collapse comment: Steve Lane added a comment - 07/Jun/2008 8:22 PM

Expand comment: Steve Lane added a comment - 07/Jun/2008 8:22 PM

People

Dates