Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-4889

Crowd Embedded Performs a Lookup to a Cross Domain DN when Follow Referrals is Disabled

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Low Low
    • None
    • 2.7.1, 2.11.2
    • Directory - LDAP
    • None

      Summary

      Crowd Embedded is following referrals of the LDAP users even though the Follow Referrals flag is disabled.

      Basically, this is the scenario: There are a few LDAP directories that are children of the LDAP atlassian.local (Parent LDAP). One of the children is the child.atlassian.local, which is the one I'll refer to as "Child LDAP" in the steps to replicate.

      The problem is that a user from the Child LDAP is a member of a group from the Parent LDAP (cross-domain membership). Crowd (it happens with Confluence too, I tested using Confluence) is connected to the Child LDAP, so if the user making the bind connection does not have permissions to read/modify the group from the Parent LDAP, the user from the Child LDAP won't be able to log in due to this error:

      remaining name 'cn=myuser,cn=users,dc=example,dc=com'
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

      Steps to Reproduce

      1. Have a Parent Domain and a Child Domain LDAP - Active Directory
        • in my example, the Parent Domain is called atlassian.local and the Child Domain is called child.atlassian.local
      2. Create a user in the Child LDAP (child.atlassian.local) and a Universal Group in the Parent LDAP (atlassian.local)
      3. Set the proper permissions for the new group in the Parent LDAP so that the administrator of the Child LDAP can add a user in this group (cross-domain).
        • To do it you need to go in the properties of the group in the Parent LDAP, select the Security tab and add the Administrator (or the user you're logged in with in the other Windows Server that has the Child LDAP) in the permissions, making sure to give this user all the permissions.
      4. Add the child user in the parent group.
        • In my example: santos__camila (from child.atlassian.local) was added to grupocamis (from atlassian.local)
      5. Add the Child LDAP in Confluence and use the administrator account (or the one you've given permissions in the Parent group) as the Bind
        1. Disable the follow referrals and perform a sync
        2. You'll be able to log in with this user (make sure to map a proper group in the global permissions in connie)
      6. Change the user that is doing the Bind to another regular user, just like santos__camila. In my case I created another regular user called child1.
      7. Sync and try to log into Confluence with santos__camila.
        • As the Bind user does not have the permission in the security tab of the group called grupocamis (my example) from the Parent LDAP (atlassian.local), you'll face an error code 50 data 0 due to insufficient permissions to read that group. In my case, I got a problem with the DNS, so this is the error for me: 
          caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
    ref 1: 'atlassian.local'
]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)

      See that because my bind user doesn't have the permission to read/modify this group in the Parent LDAP, the user will not be able to log in.

      Expected Results

      • The user with the cross-domain membership should be able to log into the application when Follow Referrals is disabled.

      Actual Results

      • The application tries to follow the membership in the other domain even though the follow referrals is disabled, which prevents the user with cross-domain membership to log in.

      The below exception is thrown in the xxxxxxx.log file:

      2017-03-31 10:33:19,927 WARN [http-nio-8090-exec-9] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
  ->[com.atlassian.confluence.user.DefaultUserAccessor.authenticate]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #536002051)
 -- referer: http://quicksilver/confluence/login.action?os_destination=%2F | url: /confluence/dologin.action | traceId: 3afd578f0159fb78
2017-03-31 10:33:19,928 ERROR [http-nio-8090-exec-9] [[Standalone].[localhost].[/confluence].[action]] log Servlet.service() for servlet [action] in context with path [/confluence] threw exception
org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
  at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
  at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:820)
  at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:803)
  at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:935)
  at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$8.timedCall(SpringLdapTemplateWrapper.java:315)
  at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
  at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
  at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.lookup(SpringLdapTemplateWrapper.java:311)
  at com.atlassian.crowd.directory.RFC4519Directory$2.lookup(RFC4519Directory.java:581)
  at com.atlassian.crowd.directory.RFC4519Directory$2.lookup(RFC4519Directory.java:577)
  at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipsOfUserViaMemberOf(RFC4519Directory.java:649)
  at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipNamesOfUserViaMemberOf(RFC4519Directory.java:605)
  at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipNames(RFC4519Directory.java:535)
  at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:391)

      Caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
  at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
  at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:152)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:90)
  at com.sun.proxy.$Proxy2567.getAttributes(Unknown Source)
  at org.springframework.ldap.core.LdapTemplate$17.executeWithContext(LdapTemplate.java:937)
  at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:817)
  ... 207 more
2017-03-31 10:33:19,929 INFO [http-nio-8090-exec-9] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog 
Request Unique ID : 1352c513-fa9a-4f5a-81ff-5a958953d111
--------------------------
JVM Stats
--------------------------
usedMemory = 575990048
usedMemoryInMegabytes = 549
availableHeap = 497751776
freeMemoryInMegabytes = 474
allocatedHeap = 1073741824
freeAllocatedHeap = 497751776
totalMemory = 1073741824
totalMemoryInMegabytes = 1024
availablePermGen = 0
maxPermGen = -1
maxHeap = 1073741824
usedHeap = 575990048
freeMemory = 497751776
usedPermGen = -1
--------------------------
Request Information
--------------------------
URL: http://quicksilver/confluence/500page.jsp
Scheme: http
Server: quicksilver
Port: 80
URI: /confluence/500page.jsp
Context Path: /confluence
Servlet Path: /500page.jsp
Path Info: null
Query String: null
--------------------------
Attributes
--------------------------
javax.servlet.forward.request_uri: /confluence/dologin.action
javax.servlet.forward.context_path: /confluence
javax.servlet.forward.servlet_path: /dologin.action
com.atlassian.confluence.login.direct: true
javax.servlet.error.status_code: 500
com.atlassian.confluence.impl.profiling.DecoratorTimings: com.atlassian.confluence.impl.profiling.DecoratorTimings@2292127
com.opensymphony.sitemesh.APPLIED_ONCE: true
__cleanup_recursion_counter: 0
javax.servlet.error.message: 
javax.servlet.error.servlet_name: action
com.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true
atlassian.core.seraph.original.url: /500page.jsp
com.atlassian.gzipfilter.GzipFilter_already_filtered: true
Confluence-Request-Time: 1490967199902
loginfilter.already.filtered: true
javax.servlet.error.request_uri: /confluence/dologin.action
com.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true
com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true
com.atlassian.confluence.web.ConfluenceJohnsonFilter_already_filtered: true
javax.servlet.error.exception: org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
os_securityfilter_already_filtered: true
com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true
--------------------------
Parameters
--------------------------
os_username : santos__camila
login : Log in
os_destination : /
caused by: org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
  ref 1: 'atlassian.local'
]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)

      Workaround

      • Set your LDAP in Confluence/Crowd to use the Global Catalog port (3268).

      warning

      Using the Global Catalog for the sync might cause issues in case some attributes are not replicated into the Global Catalog in your LDAP server.

      One example is the accountExpires attributes that, combined with "Filter out expired users" parameter in Crowd is known to cause undesired user removal as mentioned in CWD-4954: Users without an userExpired attribute get removed when synchronising ActiveDirectory with the 'Filter out expired users' setting enabled (fixed in Crowd3.0.2, 3.1.1).

            [CWD-4889] Crowd Embedded Performs a Lookup to a Cross Domain DN when Follow Referrals is Disabled

            SET Analytics Bot made changes -
            UIS Original: 1 New: 0
            Steve Shaw made changes -
            Remote Link Original: This issue links to "KRAK-509 (JIRA Server (Bulldog))" [ 278775 ] New: This issue links to "KRAK-2374 (JIRA Server (Bulldog))" [ 278775 ]
            SET Analytics Bot made changes -
            UIS Original: 0 New: 1
            SET Analytics Bot made changes -
            Support reference count Original: 9 New: 10
            SET Analytics Bot made changes -
            Support reference count Original: 8 New: 9
            SET Analytics Bot made changes -
            UIS Original: 5 New: 0
            SET Analytics Bot made changes -
            UIS Original: 0 New: 5
            SET Analytics Bot made changes -
            UIS Original: 1 New: 0
            Bugfix Automation Bot made changes -
            Support reference count Original: 7 New: 8
            Bugfix Automation Bot made changes -
            Support reference count Original: 8 New: 7

              Unassigned Unassigned
              emallmann Eduardo Mallmann (Inactive)
              Affected customers:
              3 This affects my team
              Watchers:
              13 Start watching this issue

                Created:
                Updated: