
Creating user with special characters in name in Active Directory fails

    • Type: Bug
    • Resolution: Not a bug
    • Priority: Low
    • None
    • 2.8
    • None
    • None

      This exists in both 2.7.2 and 2.8.

      Creating a user with a slash in the username in Active Directory fails. The following error message appears on screen:

      Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0 ]; remaining name '"cn=/test,OU=People,dc=sydney,dc=atlassian,dc=com"'

      And these exceptions appear in the log:

      2014-05-23 07:22:34,839 http-bio-8095-exec-19 ERROR [console.action.principal.AddPrincipal] Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
      \00]; remaining name '"cn=/../test,OU=People,dc=sydney,dc=atlassian,dc=com"'
      com.atlassian.crowd.exception.InvalidUserException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
      \00]; remaining name '"cn=/../test,OU=People,dc=sydney,dc=atlassian,dc=com"'
      	at com.atlassian.crowd.directory.SpringLDAPConnector.addUser(SpringLDAPConnector.java:803)
      	at com.atlassian.crowd.directory.SpringLDAPConnector.addUser(SpringLDAPConnector.java:108)
      	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.addUser(DbCachingRemoteDirectory.java:467)
      	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.addUser(DirectoryManagerGeneric.java:329)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
      	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:96)
      	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:260)
      	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:94)
      	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      	at com.sun.proxy.$Proxy29.addUser(Unknown Source)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
      	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
      	at com.sun.proxy.$Proxy30.addUser(Unknown Source)
      	at com.atlassian.crowd.console.action.principal.AddPrincipal.doUpdate(AddPrincipal.java:53)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at com.opensymphony.xwork.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:358)
      	at com.opensymphony.xwork.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:218)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:192)
      	at com.atlassian.crowd.xwork.interceptors.XsrfTokenInterceptor.intercept(XsrfTokenInterceptor.java:99)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:31)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:31)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.atlassian.crowd.xwork.interceptors.SafeParametersInterceptor.intercept(SafeParametersInterceptor.java:78)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:31)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:31)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.atlassian.crowd.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:70)
      	at com.atlassian.crowd.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:56)
      	at com.atlassian.crowd.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:55)
      	at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:190)
      	at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:116)
      	at com.opensymphony.webwork.dispatcher.DispatcherUtils.serviceAction(DispatcherUtils.java:273)
      	at com.opensymphony.webwork.dispatcher.FilterDispatcher.doFilter(FilterDispatcher.java:202)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:119)
      	at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:55)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
      	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.opensymphony.webwork.dispatcher.ActionContextCleanUp.doFilter(ActionContextCleanUp.java:88)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
      	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
      	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
      	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
      	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
      	at com.atlassian.crowd.console.filter.CrowdDelegatingFilterProxy.doFilter(CrowdDelegatingFilterProxy.java:39)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      	at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
      	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
      	at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:55)
      	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
      	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
      	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
      	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.crowd.console.filter.LicenceFilter.doFilterInternal(LicenceFilter.java:59)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
      	at com.atlassian.crowd.console.filter.CrowdDelegatingFilterProxy.doFilter(CrowdDelegatingFilterProxy.java:39)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:67)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.springframework.orm.hibernate4.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:151)
      	at com.atlassian.crowd.console.filter.CrowdOpenSessionInViewFilter.doFilterInternal(CrowdOpenSessionInViewFilter.java:26)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.crowd.plugin.web.filter.RequestCacheThreadLocalFilter.doFilter(RequestCacheThreadLocalFilter.java:31)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:74)
      	at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:51)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
      	at com.atlassian.crowd.console.filter.CrowdDelegatingFilterProxy.doFilter(CrowdDelegatingFilterProxy.java:39)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
      	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
      	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.crowd.console.filter.CrowdCachingFilter.doFilter(CrowdCachingFilter.java:29)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
      	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at com.atlassian.crowd.plugin.web.filter.HttpContextFilter.doFilter(HttpContextFilter.java:34)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:744)
      Caused by: org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
      \00]; remaining name '"cn=/../test,OU=People,dc=sydney,dc=atlassian,dc=com"'
      	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:228)
      	at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:820)
      	at org.springframework.ldap.core.LdapTemplate.executeReadWrite(LdapTemplate.java:812)
      	at org.springframework.ldap.core.LdapTemplate.bind(LdapTemplate.java:990)
      	at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper$6.call(LdapTemplateWithClassLoaderWrapper.java:121)
      	at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper$6.call(LdapTemplateWithClassLoaderWrapper.java:118)
      	at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper.invokeWithContextClassLoader(LdapTemplateWithClassLoaderWrapper.java:54)
      	at com.atlassian.crowd.directory.ldap.LdapTemplateWithClassLoaderWrapper.bind(LdapTemplateWithClassLoaderWrapper.java:118)
      	at com.atlassian.crowd.directory.SpringLDAPConnector.addUser(SpringLDAPConnector.java:797)
      	... 160 more
      Caused by: javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
      \00]; remaining name '"cn=/../test,OU=People,dc=sydney,dc=atlassian,dc=com"'
      	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3131)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
      	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
      	at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:420)
      	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_bind(ComponentDirContext.java:295)
      	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(PartialCompositeDirContext.java:215)
      	at javax.naming.directory.InitialDirContext.bind(InitialDirContext.java:182)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:606)
      	at org.springframework.transaction.compensating.support.CompensatingTransactionUtils.performOperation(CompensatingTransactionUtils.java:69)
      	at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:85)
      	at com.sun.proxy.$Proxy367.bind(Unknown Source)
      	at org.springframework.ldap.core.LdapTemplate$21.executeWithContext(LdapTemplate.java:992)
      	at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:817)
      	... 167 more
      

      ekaukonen suggests that it could be related to the recent upgrade of Spring LDAP and may have something to do with escaping of the slashes:

      Eero Kaukonen
      8:43 AM
      slashes in dn names should be escaped: http://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx
      we've recently updated the spring ldap version, I suspect there's a bug in there somewhere
      it/us should be escaping that username
      anyways, if we're not properly escaping the usernames, it sounds like a blocker for 2.8
      I suspect somebody is constructing DNs by string concatenation or something, since javax.naming.ldap.Rdn seems to escape everything properly

      Have confirmed that this problem does not happen with OpenLDAP and ApacheDS.


            [CWD-3931] Creating user with special characters in name in Active Directory fails

            joe added a comment -

            As defined here, this is a consequence of using sAMAccountName. I'm going to resolve it. If there's demand, one of these options should be promoted to an issue:

            1. Do not always add sAMAccountName.
            2. Use userPrincipalName instead, which must be formatted according to RFC 822.


            eero (Inactive) added a comment - - edited

            It looks like this problem is not caused by invalid escaping of the cn name. It's actually caused by limitations of the sAMAccountName attribute of Active Directory (http://ldapwiki.willeke.com/wiki/SamAccountName). Even if the configuration defines a different username attribute, sAMAccountName is always added for AD.

            The facts:

            1. The attribute is only used by long-obsolete operating systems, such as Windows NT 4.0.
            2. It's a required attribute in all Active Directories, but AD 2003 and newer will add a random default value if you create a user without it.
            3. In modern Microsoft operating systems the userPrincipalName attribute is used instead. It must be formatted according to RFC 822.

            Here are the things we could fix:

            1. Do not always add sAMAccountName. The current behaviour is that even if you change the default username attribute, sAMAccountName is always added. This would allow arbitrary characters in the username, even though from the end user's point of view it might not make much sense.
            2. Add better error messaging when the username contains illegal characters. We could probably parse the exception message from AD.

            The problem I see with fixing this issue by migrating away from sAMAccountName to other attributes:

            1. userPrincipalName can't contain arbitrary stuff either, so we would still need to have some restrictions on it
            2. using something else, such as cn, might be confusing since it's not what users commonly use to log in (same goes for using the complete userPrincipalName, which is usually in the form of <sAMAccountName>@<domain>)
            3. there might be other legacy (non-Microsoft) applications still connected to the same Active Directory


            Zhuang Xu (Inactive) added a comment - - edited

            This specific problem exists in 2.5.1 too.


            Zhuang Xu (Inactive) added a comment -

            It also exists in 2.6.7. I will try 2.5.1 now.

            joe added a comment -

            This should have been fixed by CWD-2042 – do we have a regression since 2.5.1, or was this case missed when testing that fix?


            Niraj Bhawnani added a comment -

            Thanks for checking again, Zhuang

            Zhuang Xu (Inactive) added a comment -

            Sorry, I made an unforgivable mistake this morning - I brought up an LXC container with a 2.7.2 instance installed, and it had a pre-configured directory called "AD" in it (configured by me previously). I thought, "Great, we've already got an Active Directory directory connected", but I didn't realise that the "AD" there actually means "Apache Directory Service", rather than "Active Directory" as I normally use the acronym for, and it didn't occur to me to double check the configuration.

            Yes, the problem exists in 2.7.2 too at least. I will try to see since when it was introduced.

            Sorry about the confusion!

            Niraj Bhawnani added a comment - - edited

            Hmm, are we sure Crowd 2.7.x is not affected? Confluence 5.6 (master) is running:

                    <crowd.version>2.7.1</crowd.version>
                    <crowd.embedded.version>1.7.3</crowd.embedded.version>
            

            and it is running into this problem.


            Zhuang Xu (Inactive) added a comment - - edited

            So far the following characters are confirmed to cause the problem:

            • forward slash
            • back slash
            • comma
            • semicolon
            • plus sign (+)
            • star sign (*)
            • angle brackets (< and >)
            • double quotes
            • question mark
            • pipe (|)

            Also, interestingly, although dot (.) in itself does not cause problems, two dots (either one after another immediately, or separated by other characters) will cause problems - that's why nbhawnani's test data triggered the problem.


            Niraj Bhawnani added a comment -

            FYI, it's not just slashes. It also happens with a username like paddy.o'brien@atlassian.com
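
            An added example (not Crowd code and not written by any commenter) of the "better error messaging" option in eero's comment, using the character list from Zhuang Xu's comment: a pre-check that names the offending characters before the LDAP add is attempted, with the entry DN built through javax.naming.ldap.Rdn instead of string concatenation. The class and method names are hypothetical, and the rejected set is only what this thread observed, not an authoritative Active Directory specification.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example, not Crowd code. Pre-checks a username before an Active
 * Directory add so the caller gets a readable message instead of LDAP error
 * code 80. The rejected characters and the two-dot rule are the ones reported
 * in this issue's comments (an assumption, not an official AD rule set).
 */
public class SamAccountNamePrecheck {

    // Characters confirmed in the thread to make the add fail, with display names.
    private static final Map<Character, String> REJECTED = new LinkedHashMap<>();
    static {
        REJECTED.put('/', "forward slash");
        REJECTED.put('\\', "backslash");
        REJECTED.put(',', "comma");
        REJECTED.put(';', "semicolon");
        REJECTED.put('+', "plus sign");
        REJECTED.put('*', "star sign");
        REJECTED.put('<', "angle bracket <");
        REJECTED.put('>', "angle bracket >");
        REJECTED.put('"', "double quote");
        REJECTED.put('?', "question mark");
        REJECTED.put('|', "pipe");
    }

    /** Returns one message per problem found; an empty list means no known problem. */
    static List<String> violations(String username) {
        List<String> problems = new ArrayList<>();
        if (username == null || username.isEmpty()) {
            problems.add("username is empty");
            return problems;
        }
        List<Character> seen = new ArrayList<>();
        int dots = 0;
        for (int i = 0; i < username.length(); i++) {
            char c = username.charAt(i);
            if (c == '.') {
                dots++;
            }
            // Report each rejected character once, at its first position.
            if (REJECTED.containsKey(c) && !seen.contains(c)) {
                seen.add(c);
                problems.add(REJECTED.get(c) + " at position " + i);
            }
        }
        // Reported in the thread: one dot works, two dots (adjacent or not) fail.
        if (dots >= 2) {
            problems.add("contains " + dots + " dots; more than one was reported to fail");
        }
        return problems;
    }

    /** Builds the entry DN through Rdn/LdapName rather than string concatenation. */
    static String entryDn(String username, String baseDn) throws InvalidNameException {
        LdapName dn = new LdapName(baseDn);
        dn.add(new Rdn("cn", username)); // Rdn escapes the value when rendered
        return dn.toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Sample inputs: the first three shapes appear in the issue, the last is constructed.
        String[] samples = {"/test", "/../test", "paddy.o'brien@atlassian.com", "jane.doe"};
        String baseDn = "OU=People,dc=sydney,dc=atlassian,dc=com"; // base DN from the log above
        for (String s : samples) {
            List<String> problems = violations(s);
            System.out.println(s + " -> DN " + entryDn(s, baseDn));
            System.out.println("    " + (problems.isEmpty()
                    ? "no known sAMAccountName problem"
                    : "rejected before LDAP add: " + String.join("; ", problems)));
        }
    }
}
```

            The DN is well-formed in every case; the rejection comes from the separate check on the value that would be written to sAMAccountName, which matches the thread's conclusion that DN escaping was not the cause.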

              ekaukonen eero (Inactive)
              zxu@atlassian.com Zhuang Xu (Inactive)