Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-1140

LDAP directory: error code 21 when attempting to update group with empty or whitespace description for the second time

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Medium Medium
    • 2.7.1
    • 1.4.3
    • Directory - LDAP

      When attempting to de-activate a group in OpenLDAP the following exception is thrown:

      2008-06-27 15:25:59,550 http-8095-1 ERROR [console.action.group.UpdateGroup] [LDAP: error code 21 - description: value #0 invalid per syntax]; nested exception is javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - description: value #0 invalid per syntax]; remaining name 'cn=a-group, o=sgi, c=us'
org.springframework.ldap.InvalidAttributeValueException: [LDAP: error code 21 - description: value #0 invalid per syntax]; nested exception is javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - description: value #0 invalid per syntax]; remaining name 'cn=a-group, o=sgi, c=us'
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:122)
	at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:786)
	at org.springframework.ldap.core.LdapTemplate.executeReadWrite(LdapTemplate.java:779)
	at org.springframework.ldap.core.LdapTemplate.modifyAttributes(LdapTemplate.java:951)
	at com.atlassian.crowd.integration.directory.connector.SpringLDAPConnector.updateGroup(SpringLDAPConnector.java:1081)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.updateGroup(DirectoryManagerGeneric.java:427)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)

      Also, when de-activating a user, the update succeeds but the box remains checked.

            [CWD-1140] LDAP directory: error code 21 when attempting to update group with empty or whitespace description for the second time

            Caspar Krieger (Inactive) added a comment -

            I've reproduced this with ApacheDS and ActiveDirectory too, so it's not OpenLDAP-specific.

            Caspar Krieger (Inactive) added a comment - I've reproduced this with ApacheDS and ActiveDirectory too, so it's not OpenLDAP-specific.

            Caspar Krieger (Inactive) added a comment -

            The error code 21 here when updating the group comes from trying to twice update a group without a description set (or with a description consisting of whitespace); the first time, Crowd will see there's no description attribute and will update the group by adding the blank/whitespace description, and the second time Crowd will find the description attribute but disregard it because it's blank/whitespace, and will then try to add another description attribute to the group with a blank/whitespace value. An attribute with that value already exists, so that fails and causes the error 21 saying the value is invalid.

            Furthermore, once a blank/whitespace description attribute is present for a group in LDAP, Crowd may not let it to be changed to a different description, for which I've raised CWD-3634 (LDAP Group description change succeeds but is not recognised if a whitespace description attribute is present).

            Hence, I will update the title of this issue to reflect that the problem here is due to updating a group with an empty or blank description after the first time, and remove mention of being able to deactivate groups and users.

            If you're watching this issue because you want to deactivate users, please vote for and watch the following issues:

            • CWD-995 for Active Directory (implemented for the upcoming 2.7 release)
            • CWD-1740 for ApacheDS
            • CWD-2762 for OpenLDAP
            • CWD-1930 for a UI to bulk activate and deactivate users

            If you're watching this issue because you want to deactivate groups, please see CWD-2033.

            Caspar Krieger (Inactive) added a comment - The error code 21 here when updating the group comes from trying to twice update a group without a description set (or with a description consisting of whitespace); the first time, Crowd will see there's no description attribute and will update the group by adding the blank/whitespace description, and the second time Crowd will find the description attribute but disregard it because it's blank/whitespace, and will then try to add another description attribute to the group with a blank/whitespace value. An attribute with that value already exists, so that fails and causes the error 21 saying the value is invalid. Furthermore, once a blank/whitespace description attribute is present for a group in LDAP, Crowd may not let it to be changed to a different description, for which I've raised CWD-3634 ( LDAP Group description change succeeds but is not recognised if a whitespace description attribute is present ). Hence, I will update the title of this issue to reflect that the problem here is due to updating a group with an empty or blank description after the first time, and remove mention of being able to deactivate groups and users. If you're watching this issue because you want to deactivate users, please vote for and watch the following issues: CWD-995 for Active Directory (implemented for the upcoming 2.7 release) CWD-1740 for ApacheDS CWD-2762 for OpenLDAP CWD-1930 for a UI to bulk activate and deactivate users If you're watching this issue because you want to deactivate groups, please see CWD-2033 .

            Paris Holley added a comment -

            This is import to us as well. Currently, Jira will bail if a crowd user no longer exists so the only thing we can do is remove groups from a user to deactivate an account causing our license to still be used.

            Paris Holley added a comment - This is import to us as well. Currently, Jira will bail if a crowd user no longer exists so the only thing we can do is remove groups from a user to deactivate an account causing our license to still be used.

            Keir Novik added a comment -

            Has a fix for this bug been scheduled yet?

            Keir Novik added a comment - Has a fix for this bug been scheduled yet?

            Steve Hillman added a comment -

            As Michael said, this will soon impact our licensing. We want to be able to have an account not count towards a license, but still "exist" so that we have a record of it.

            Is there another way to do this? Is there a different, more appropriate bug/RFE we should be following?

            Steve Hillman added a comment - As Michael said, this will soon impact our licensing. We want to be able to have an account not count towards a license, but still "exist" so that we have a record of it. Is there another way to do this? Is there a different, more appropriate bug/RFE we should be following?

            Deleted Account (Inactive) added a comment -

            Has this been fixed in 1.6? We have a 500 user license, hitting 350, want to
            keep IDs around for an audit trail of contributions over time, but don't want 't
            them active. In a short while, you will be forcing us to get a larger license, which we don't want or
            need.

            Deleted Account (Inactive) added a comment - Has this been fixed in 1.6? We have a 500 user license, hitting 350, want to keep IDs around for an audit trail of contributions over time, but don't want 't them active. In a short while, you will be forcing us to get a larger license, which we don't want or need.

            David O'Flynn [Atlassian] added a comment -

            Hi Eric,

            We don't have a date for this fix scheduled yet. Unfortunately, different directories support the notion of active/inactive differently, complicating the work. We'll endeavour to have it fixed for 1.6, but I can't promise that it'll make it.

            Regards,
            Dave.

            David O'Flynn [Atlassian] added a comment - Hi Eric, We don't have a date for this fix scheduled yet. Unfortunately, different directories support the notion of active/inactive differently, complicating the work. We'll endeavour to have it fixed for 1.6, but I can't promise that it'll make it. Regards, Dave.

            Eric Anderson added a comment -

            When is this going to be fixed?

            On 9/23/08 5:22 PM, "Donna McGahan [Atlassian] (JIRA)" <jira@atlassian.com> wrote:

            [ http://jira.atlassian.com/browse/CWD-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=130267#action_130267 ]

            Donna McGahan [Atlassian] commented on CWD-1140:
            ------------------------------------------------

            Also cannot de-activate users or groups in AD.


            This message is automatically generated by JIRA.
            -
            If you think it was sent incorrectly contact one of the administrators: http://jira.atlassian.com/secure/Administrators.jspa
            -
            For more information on JIRA, see: http://www.atlassian.com/software/jira

            Eric Anderson added a comment - When is this going to be fixed? On 9/23/08 5:22 PM, "Donna McGahan [Atlassian] (JIRA)" <jira@atlassian.com> wrote: [ http://jira.atlassian.com/browse/CWD-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=130267#action_130267 ] Donna McGahan [Atlassian] commented on CWD-1140 : ------------------------------------------------ Also cannot de-activate users or groups in AD. – This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.atlassian.com/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

            DonnaA added a comment -

            Also cannot de-activate users or groups in AD.

            DonnaA added a comment - Also cannot de-activate users or groups in AD.

              ckrieger Caspar Krieger (Inactive)
              donna@atlassian.com DonnaA
              Affected customers:
              6 This affects my team
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: