Crowd Embedded follows referrals for LDAP users even though the Follow Referrals flag is disabled.
Basically, this is the scenario: there are a few LDAP directories that are children of the LDAP atlassian.local (Parent LDAP). One of the children is child.atlassian.local, which is the one I'll refer to as "Child LDAP" in the steps to replicate.
The problem is that a user from the Child LDAP is a member of a group from the Parent LDAP (cross-domain membership). Crowd (it happens with Confluence too; I tested using Confluence) is connected to the Child LDAP, so if the user making the bind connection does not have permission to read/modify the group from the Parent LDAP, the user from the Child LDAP won't be able to log in due to this error:
- Have a Parent Domain and a Child Domain in Active Directory.
  - In my example, the Parent Domain is called atlassian.local and the Child Domain is called child.atlassian.local.
- Create a user in the Child LDAP (child.atlassian.local) and a Universal Group in the Parent LDAP (atlassian.local).
- Set the proper permissions on the new group in the Parent LDAP so that the administrator of the Child LDAP can add a user to this group (cross-domain).
  - To do so, open the properties of the group in the Parent LDAP, select the Security tab and add the Administrator (or the user you're logged in with on the other Windows Server that hosts the Child LDAP) to the permissions, making sure to give this user all the permissions.
- Add the child user to the parent group.
  - In my example: santos__camila (from child.atlassian.local) was added to grupocamis (from atlassian.local).
- Add the Child LDAP in Confluence and use the administrator account (or the one you've given permissions on the Parent group) as the Bind user.
- Disable Follow Referrals and perform a sync.
- You'll be able to log in with this user (make sure to map a proper group in the global permissions in Confluence).
- Change the user doing the Bind to another regular user, just like santos__camila. In my case I created another regular user called child1.
- Sync and try to log into Confluence with santos__camila.
- As the Bind user does not have permission in the Security tab of the group called grupocamis (my example) from the Parent LDAP (atlassian.local), you'll face an error code 50 data 0 due to insufficient permissions to read that group. In my case, I got a problem with the DNS, so this is the error for me:
See that because my bind user doesn't have permission to read/modify this group in the Parent LDAP, the user will not be able to log in.
- The user with the cross-domain membership should be able to log into the application when Follow Referrals is disabled.
- The application tries to follow the membership into the other domain even though Follow Referrals is disabled, which prevents the user with cross-domain membership from logging in.
The below exception is thrown in the xxxxxxx.log file:
- Set the LDAP directory in Confluence/Crowd to use the Global Catalog port (3268).
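The following PowerShell check is an added example, not part of this report or of Crowd/Confluence: with referral chasing disabled (as a directory connector with Follow Referrals off behaves), it tries to read the parent-domain group as the regular bind user first against the child-domain DC on port 389 and then against the Global Catalog on 3268, so an administrator can confirm the workaround before changing the directory configuration. The server name and the group/user DNs are assumed placeholders built from the report's example names.

```powershell
# Added diagnostic (not from the bug report). Server and DNs are assumed placeholders.
param(
    [string]$Server   = 'dc1.child.atlassian.local',                       # assumed child-domain DC
    [string]$BindUser = 'CHILD\child1',                                    # the regular bind user
    [string]$GroupDn  = 'CN=grupocamis,CN=Users,DC=atlassian,DC=local',    # assumed DN of parent group
    [string]$MemberDn = 'CN=santos__camila,CN=Users,DC=child,DC=atlassian,DC=local', # assumed DN
    [pscredential]$Credential = (Get-Credential -UserName $BindUser -Message 'Bind account password')
)
Add-Type -AssemblyName System.DirectoryServices
$pwd = $Credential.GetNetworkCredential().Password

function Test-GroupReadable {
    param([int]$Port)
    # Search from the forest-root naming context. On 389 the child DC does not hold that
    # partition and answers with a referral, which we refuse to chase; on 3268 the Global
    # Catalog holds a read-only partial replica of every domain partition in the forest.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:${Port}/DC=atlassian,DC=local", $Credential.UserName, $pwd,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=group)(distinguishedName=$GroupDn))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::None
    [void]$searcher.PropertiesToLoad.AddRange(@('member', 'groupType'))
    try {
        $result = $searcher.FindOne()
        if ($null -eq $result) {
            return [pscustomobject]@{ Port = $Port; Readable = $false; HasMember = $false; Error = 'group not found' }
        }
        $members = @($result.Properties['member'])
        [pscustomobject]@{ Port = $Port; Readable = $true; HasMember = ($members -contains $MemberDn); Error = $null }
    } catch {
        # A referral that is not chased, or a bind without read rights, both land here.
        [pscustomobject]@{ Port = $Port; Readable = $false; HasMember = $false; Error = $_.Exception.Message }
    }
}

# Expected on an affected setup: port 389 fails (referral not chased), port 3268 reads the
# group and lists the child-domain user in its member attribute.
389, 3268 | ForEach-Object { Test-GroupReadable -Port $_ } | Format-Table -AutoSize
```

The Global Catalog replicates only a partial attribute set, and universal group membership is part of it; that is why the report's Universal Group resolves over 3268, whereas a global or domain local group's member attribute would not be visible there.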