
Crowd Embedded Performs a Lookup to a Cross Domain DN when Follow Referrals is Disabled


    Details

    • Type: Bug
    • Status: Short Term Backlog
    • Priority: Low
    • Resolution: Unresolved
    • Affects Version/s: 2.7.1, 2.11.2
    • Fix Version/s: None
    • Component/s: Directory - LDAP
    • Labels: None

      Description

      Summary

      Crowd Embedded is following referrals of the LDAP users even though the Follow Referrals flag is disabled.

      Basically, this is the scenario: There are a few LDAP directories that are children of the LDAP atlassian.local (Parent LDAP). One of the children is the child.atlassian.local, which is the one I'll refer to as "Child LDAP" in the steps to replicate.

      The problem is that a user from the Child LDAP is a member of a group from the Parent LDAP (cross-domain membership). Crowd (it happens with Confluence too, I tested using Confluence) is connected to the Child LDAP, so if the user making the bind connection does not have permissions to read/modify the group from the Parent LDAP, the user from the Child LDAP won't be able to log in due to this error:

      remaining name 'cn=myuser,cn=users,dc=example,dc=com'
      com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
      

      Steps to Reproduce

      1. Have a Parent Domain and a Child Domain LDAP - Active Directory
        • in my example, the Parent Domain is called atlassian.local and the Child Domain is called child.atlassian.local
      2. Create a user in the Child LDAP (child.atlassian.local) and a Universal Group in the Parent LDAP (atlassian.local)
      3. Set the proper permissions for the new group in the Parent LDAP so that the administrator of the Child LDAP can add a user in this group (cross-domain).
        • To do this, open the properties of the group in the Parent LDAP, select the Security tab and add the Administrator (or the user you are logged in with on the other Windows Server that hosts the Child LDAP) to the permissions, making sure to grant this user all permissions.
      4. Add the child user in the parent group.
        • In my example: santos__camila (from child.atlassian.local) was added to grupocamis (from atlassian.local)
      5. Add the Child LDAP in Confluence and use the administrator account (or the one you've given permissions in the Parent group) as the Bind
        1. Disable Follow Referrals and perform a sync.
        2. You will be able to log in with this user (make sure to map a proper group in the global permissions in Confluence).
      6. Change the user that is doing the Bind to another regular user, just like santos__camila. In my case I created another regular user called child1.
      7. Sync and try to log into Confluence with santos__camila.
        • As the Bind user does not have the permission in the security tab of the group called grupocamis (my example) from the Parent LDAP (atlassian.local), you'll face an error code 50 data 0 due to insufficient permissions to read that group. In my case, I got a problem with the DNS, so this is the error for me:
          caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
              ref 1: 'atlassian.local'
          ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
          

      See that because my bind user doesn't have the permission to read/modify this group in the Parent LDAP, the user will not be able to log in.
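As an added illustration (not Crowd's code), the check below applies the rule the report expects: with Follow Referrals disabled, a memberOf DN that is not under the connected directory's base DN should be skipped instead of looked up, since resolving it needs the referral to the other domain. The base DN and memberOf values are constructed from the scenario above.

```python
# Added example, not Crowd's code: scope a user's memberOf DNs to the
# connected directory so cross-domain groups are skipped, not looked up.
# DNs are compared as normalised RDN suffixes (case-insensitive, escapes kept).

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, honouring backslash escapes."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        typ, _, val = rdn.strip().partition("=")
        out.append((typ.strip().lower(), val.strip().lower()))
    return out

def is_under_base(dn: str, base_dn: str) -> bool:
    """True if dn sits at or below base_dn (suffix match on parsed RDNs)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def split_memberships(member_of: list[str], base_dn: str) -> tuple[list[str], list[str]]:
    """Return (local_groups, cross_domain_groups) for a user's memberOf values."""
    local = [g for g in member_of if is_under_base(g, base_dn)]
    foreign = [g for g in member_of if not is_under_base(g, base_dn)]
    return local, foreign

# Constructed sample: Crowd is connected to the Child LDAP, and the user holds
# one group in that domain and one (grupocamis) in the Parent LDAP.
BASE_DN = "dc=child,dc=atlassian,dc=local"
MEMBER_OF = [
    "cn=grupocamis,cn=users,dc=atlassian,dc=local",
    "CN=Domain Users,CN=Users,DC=child,DC=atlassian,DC=local",
]

if __name__ == "__main__":
    local, foreign = split_memberships(MEMBER_OF, BASE_DN)
    print("resolve locally:", local)
    print("skip, would need a referral:", foreign)
```

The suffix check only catches DNs outside the configured base; for the reverse layout (connected to the parent, group in a child naming context) the server's namingContexts from the RootDSE would be needed to tell the two apart.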

      Expected Results

      • The user with the cross-domain membership should be able to log into the application when Follow Referrals is disabled.

      Actual Results

      • The application tries to follow the membership in the other domain even though Follow Referrals is disabled, which prevents the user with cross-domain membership from logging in.

      The below exception is thrown in the xxxxxxx.log file:

      2017-03-31 10:33:19,927 WARN [http-nio-8090-exec-9] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
        ->[com.atlassian.confluence.user.DefaultUserAccessor.authenticate]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #536002051)
       -- referer: http://quicksilver/confluence/login.action?os_destination=%2F | url: /confluence/dologin.action | traceId: 3afd578f0159fb78
      2017-03-31 10:33:19,928 ERROR [http-nio-8090-exec-9] [[Standalone].[localhost].[/confluence].[action]] log Servlet.service() for servlet [action] in context with path [/confluence] threw exception
      org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
        ref 1: 'atlassian.local'
      ]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
        ref 1: 'atlassian.local'
      ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
        at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:820)
        at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:803)
        at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:935)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$8.timedCall(SpringLdapTemplateWrapper.java:315)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.lookup(SpringLdapTemplateWrapper.java:311)
        at com.atlassian.crowd.directory.RFC4519Directory$2.lookup(RFC4519Directory.java:581)
        at com.atlassian.crowd.directory.RFC4519Directory$2.lookup(RFC4519Directory.java:577)
        at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipsOfUserViaMemberOf(RFC4519Directory.java:649)
        at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipNamesOfUserViaMemberOf(RFC4519Directory.java:605)
        at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipNames(RFC4519Directory.java:535)
        at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:391)
      
      Caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points
        ref 1: 'atlassian.local'
      ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
        at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:152)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:90)
        at com.sun.proxy.$Proxy2567.getAttributes(Unknown Source)
        at org.springframework.ldap.core.LdapTemplate$17.executeWithContext(LdapTemplate.java:937)
        at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:817)
        ... 207 more

      Workaround

      • Set your LDAP in Confluence/Crowd to use the Global Catalog port (3268).

      Warning: Using the Global Catalog for the sync might cause issues if some attributes are not replicated into the Global Catalog on your LDAP server.

      One example is the accountExpires attribute which, combined with the "Filter out expired users" parameter in Crowd, is known to cause undesired user removal, as mentioned in CWD-4954: Users without an userExpired attribute get removed when synchronising ActiveDirectory with the 'Filter out expired users' setting enabled (fixed in Crowd 3.0.2, 3.1.1).

      People

      Assignee: Unassigned
      Reporter: Eduardo Mallmann (emallmann, Inactive)
      Votes: 3
      Watchers: 11
