
Local Crowd admin account is unable to login to Crowd when LDAP directory is locked out


Details

    Description


      Environment

      • Reproduced on Crowd 2.8.3 and Crowd 2.8.4
      • Encryption method is atlassian-security
      • A Microsoft Active Directory server is first in order under Applications > Crowd > Directories
        • Allow all to authenticate is set to True
      • The Cache enabled option is disabled

      Steps to Reproduce

      1. Log out of Crowd (if logged in, to release the token)
      2. Log in to the Crowd database with your favorite tool
      3. Run this to find the directory_id of the affected directory:
        • select * from cwd_directory_attribute where attribute_name='ldap.url';
      4. Copy the directory_id, e.g. 123456
      5. Paste it in place of <id> in the following query:
        • select * from cwd_directory_attribute where attribute_name='ldap.password' and directory_id=<id>;
        • example: select * from cwd_directory_attribute where attribute_name='ldap.password' and directory_id=123456;
      6. Set attribute_value below to either a blank or an incorrect password, then paste the same directory_id in place of <id>:
        • update cwd_directory_attribute set attribute_value='' where attribute_name='ldap.password' and directory_id=<id>;
      7. Restart Crowd
      8. If the update was successful, you can no longer log in to Crowd
        • If you are still able to log in, log out (to release the token), then try to log in again

      Expected Results

      The local Crowd admin user can log in normally.

      Actual Results

      The user is unable to log in and receives the following login error in the UI:

      Invalid login.

      The following exception is thrown in the atlassian-crowd.log file:

      Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090749, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580

      Notes

      • This looks like it could be related to CWD-1763; however, that issue was fixed in 2.5.2
      • It is unclear what the user did in the UI to cause this, but changes made through the UI set ldap.password to blank in the cwd_directory_attribute table
      • Not caused by duplicate users

      Workaround

      1. Log in to your Crowd database with your favorite tool
      2. Run this to find the directory_id of the affected directory:
        • select * from cwd_directory_attribute where attribute_name='ldap.url';
      3. Copy the directory_id of the affected directory, e.g. 654321
      4. Paste it in place of <id> in the following query:
        • select * from cwd_directory_attribute where attribute_name='ldap.password' and directory_id=<id>;
        • This shows the currently stored LDAP password, which is the value that needs to be changed
        • Next, update it to the correct LDAP password
      5. Replace <password> below with the correct password, then paste the same directory_id in place of <id>:
        • update cwd_directory_attribute set attribute_value='<password>' where attribute_name='ldap.password' and directory_id=<id>;
        • e.g. update cwd_directory_attribute set attribute_value='myrealpassword' where attribute_name='ldap.password' and directory_id=123456;
      6. Restart Crowd
      7. You should now be able to log in with the local Crowd admin user
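      An added check, not part of the original issue, that finds every LDAP-backed directory whose stored bind password is blank or missing in one query (the state the reproduction above creates), so it can be run before restarting Crowd. It assumes only the cwd_directory_attribute columns shown in this report (directory_id, attribute_name, attribute_value); the output column aliases are constructed here.

```sql
-- Constructed check: list LDAP directories with an empty or missing ldap.password attribute.
-- One row per directory that has an ldap.url attribute; p is NULL when the
-- ldap.password row is absent entirely.
select u.directory_id,
       u.attribute_value as ldap_url,
       case
         when p.attribute_value is null then 'missing'
         when p.attribute_value = ''    then 'blank'
       end as password_state
  from cwd_directory_attribute u
  left join cwd_directory_attribute p
    on  p.directory_id   = u.directory_id
    and p.attribute_name = 'ldap.password'
 where u.attribute_name = 'ldap.url'
   and (p.attribute_value is null or p.attribute_value = '')
 order by u.directory_id;
```

      Any directory listed here will fail its LDAP bind after a restart, which is the condition that blocks the local admin login described above.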

            People

              ppetrowski Patryk
              jwyllys Justin W.