In a client application, directory synchronisation fails with a duplicate key error when adding a group membership. The error appears in the client log.
Sample Confluence log:
Sample JIRA log:
This also happens when using JIRA as a user directory server for other applications.
The application in Crowd has multiple directories, and the same user name exists in both directories. When a user is a member of a group in one directory and is then added to the same-named group in the other directory, clients try to add the user to that group the next time they synchronise. Since that user is already a member of the group, the result is a duplicate key error.
- Create two internal directories in Crowd
- Create a user in each of them, with the same name
- Create a group in both directories
- Add the user to a group in one of the directories
- Add an application that includes both directories
- Connect a client to that application in the Crowd server
- Ensure it synchronises at least once
- Add the user to the same group in the directory where it didn't already have that membership
- Synchronise the client again
Two ways to prevent it from occurring:
- Ensure that there are no overlaps in usernames between directories, or ensure that groups are not added when the membership already exists in one directory (process change). This may be hard to manage if one of the directories is an LDAP synchronised directory, or synchronised from another Crowd server out of the control of the administrator.
- Create two applications, each containing only one of the directories. Then set up two user directories in the client instead. This does not work if JIRA is the Crowd server, as JIRA simply uses all directories whenever a client connects.
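To support the first option, the following added example (not Atlassian code) audits an export of users, groups and memberships for user names that overlap between directories and for memberships that would trigger the error if added to a second directory. The row layout, the directory, user and group names, and the case-insensitive name comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample export; all directory, user and group names are made up.
USERS = [
    ("Internal A", "jsmith"), ("Internal B", "JSmith"),
    ("Internal A", "akhan"), ("Internal B", "mlee"),
]
GROUPS = [
    ("Internal A", "confluence-users"), ("Internal B", "confluence-users"),
    ("Internal A", "admins"),
]
MEMBERSHIPS = [
    ("Internal A", "jsmith", "confluence-users"),
    ("Internal A", "jsmith", "admins"),
    ("Internal A", "akhan", "confluence-users"),
]

def audit(users, groups, memberships):
    """Return (overlapping_users, duplicate_memberships, at_risk)."""
    user_dirs = defaultdict(set)
    group_dirs = defaultdict(set)
    member_dirs = defaultdict(set)
    for directory, user in users:
        # Assumption: names are compared case-insensitively.
        user_dirs[user.lower()].add(directory)
    for directory, group in groups:
        group_dirs[group.lower()].add(directory)
    for directory, user, group in memberships:
        member_dirs[(user.lower(), group.lower())].add(directory)

    # User names present in more than one directory.
    overlapping = {u: sorted(d) for u, d in user_dirs.items() if len(d) > 1}
    # Same user/group membership already present in more than one directory.
    duplicates = {k: sorted(d) for k, d in member_dirs.items() if len(d) > 1}
    # Membership exists somewhere, and another directory has the same user and
    # group without it: adding it there reproduces the duplicate key error.
    at_risk = {}
    for (user, group), dirs in member_dirs.items():
        missing = (user_dirs[user] & group_dirs[group]) - dirs
        if missing:
            at_risk[(user, group)] = sorted(missing)
    return overlapping, duplicates, at_risk

if __name__ == "__main__":
    for label, result in zip(("overlapping users", "duplicate memberships",
                              "at-risk additions"), audit(USERS, GROUPS, MEMBERSHIPS)):
        print(label, result)
```
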
If it does occur in the client, you can clear the remote directory cache to stop it from happening until the next time a user is added to a group this way:
- Disable the directory
- Enable the directory
- Force a full synchronisation