Details
- Type: Bug
- Status: Short Term Backlog
- Priority: Low
- Resolution: Unresolved
- Affects Version/s: 2.7.1, 2.11.2
- Severity: Severity 3 - Minor
Description
Summary
Crowd Embedded follows LDAP referrals for users even though the Follow Referrals flag is disabled.
This is the scenario: several LDAP directories are children of the LDAP atlassian.local (the "Parent LDAP"). One of the children is child.atlassian.local, which is the one I'll refer to as the "Child LDAP" in the steps to reproduce.
The problem is that a user from the Child LDAP is a member of a group from the Parent LDAP (cross-domain membership). Crowd (it happens with Confluence too; I tested using Confluence) is connected to the Child LDAP, so if the user making the bind connection does not have permission to read/modify the group in the Parent LDAP, the user from the Child LDAP won't be able to log in, due to this error:
remaining name 'cn=myuser,cn=users,dc=example,dc=com'
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Steps to Reproduce
- Have a Parent Domain and a Child Domain LDAP - Active Directory
- in my example, the Parent Domain is called atlassian.local and the Child Domain is called child.atlassian.local
- Create a user in the Child LDAP (child.atlassian.local) and a Universal Group in the Parent LDAP (atlassian.local)
- Set the proper permissions on the new group in the Parent LDAP so that the administrator of the Child LDAP can add a user to this group (cross-domain).
- To do this, open the properties of the group in the Parent LDAP, select the Security tab and add the Administrator (or the user you're logged in with on the other Windows Server that hosts the Child LDAP) to the permissions, making sure to grant this user all permissions.
- Add the child user to the parent group.
- In my example: santos__camila (from child.atlassian.local) was added to grupocamis (from atlassian.local)
- Add the Child LDAP in Confluence and use the administrator account (or the one you've given permissions on the Parent group) as the bind user
- Disable Follow Referrals and perform a sync
- You'll be able to log in with this user (make sure a proper group is mapped in the global permissions in Confluence)
- Change the user that is doing the Bind to another regular user, just like santos__camila. In my case I created another regular user called child1.
- Sync and try to log into Confluence with santos__camila.
As the bind user does not have permission in the Security tab of the group called grupocamis (my example) in the Parent LDAP (atlassian.local), you'll get error code 50, data 0, because of insufficient permissions to read that group. In my case I also had a DNS problem, so this is the error I got:
caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local' at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
Because my bind user doesn't have permission to read/modify this group in the Parent LDAP, the user is not able to log in.
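The failing lookup above is Crowd resolving a memberOf value whose DN lives in a different naming context (dc=atlassian,dc=local) than the directory it is bound to (the child domain), which can only succeed by chasing a referral. The following is an added example, not code from the report or from Crowd: it classifies a user's memberOf DNs as local or foreign to the connected directory, so an administrator can spot the cross-domain memberships that will break login before a sync, and it shows which lookups a client that honours a disabled Follow Referrals flag would perform. The base DN, the "Domain Users" group and the function names are constructed for the example; the grupocamis DN is the one from the report. No LDAP connection is made.

```python
"""Classify memberOf DNs by naming context to find cross-domain memberships.

Added example (not part of the bug report): a group DN whose dc= suffix differs
from the connected directory's suffix can only be read by following a referral
to another domain controller, which is the lookup that fails in the report.
"""


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    Backslash-escaped commas inside a value are kept; multi-valued RDNs (a+b)
    are not needed for this check. Attributes and values are lower-cased
    because DN comparison in Active Directory is case-insensitive.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def naming_context(dn):
    """Return the trailing dc= components of a DN as a tuple (root first).

    For 'cn=grupocamis,cn=users,dc=atlassian,dc=local' this is
    ('atlassian', 'local'); for an object in the child domain it is
    ('child', 'atlassian', 'local'), so parent and child never compare equal.
    """
    dcs = []
    for attr, value in reversed(parse_dn(dn)):
        if attr != "dc":
            break
        dcs.append(value)
    return tuple(reversed(dcs))


def classify_memberships(member_of, connected_base_dn):
    """Return (local, foreign) lists of group DNs.

    A DN is foreign when its naming context differs from that of the base DN
    the application is bound to; resolving it needs a referral.
    """
    local_ctx = naming_context(connected_base_dn)
    local, foreign = [], []
    for group_dn in member_of:
        target = local if naming_context(group_dn) == local_ctx else foreign
        target.append(group_dn)
    return local, foreign


def groups_to_resolve(member_of, connected_base_dn, follow_referrals):
    """Group DNs a client should actually look up for the given flag.

    With Follow Referrals disabled, foreign DNs are skipped instead of being
    fetched, which is the behaviour the report's Expected Results asks for.
    """
    local, foreign = classify_memberships(member_of, connected_base_dn)
    return local + foreign if follow_referrals else local


# Constructed sample: Crowd is bound to the child domain; santos__camila is in
# one local group (constructed) and in the parent-domain group from the report.
CONNECTED_BASE_DN = "dc=child,dc=atlassian,dc=local"
SAMPLE_MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=child,DC=atlassian,DC=local",
    "cn=grupocamis,cn=users,dc=atlassian,dc=local",
]

if __name__ == "__main__":
    local_groups, foreign_groups = classify_memberships(SAMPLE_MEMBER_OF, CONNECTED_BASE_DN)
    for dn in foreign_groups:
        print("cross-domain membership (needs referral):", dn)
    print("resolved with Follow Referrals off:",
          groups_to_resolve(SAMPLE_MEMBER_OF, CONNECTED_BASE_DN, follow_referrals=False))
```

Run against a real user's memberOf attribute (for example the output of an ldapsearch against the child domain), any DN reported as foreign is one the bind account would need rights on in the other domain, or one that the Global Catalog workaround below avoids resolving through a referral.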
Expected Results
- The user with the cross-domain membership should be able to log into the application when Follow Referrals is disabled.
Actual Results
- The application tries to follow the membership into the other domain even though Follow Referrals is disabled, which prevents the user with the cross-domain membership from logging in.
The following exception is thrown in the xxxxxxx.log file:
2017-03-31 10:33:19,927 WARN [http-nio-8090-exec-9] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions: ->[com.atlassian.confluence.user.DefaultUserAccessor.authenticate]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #536002051)
 -- referer: http://quicksilver/confluence/login.action?os_destination=%2F | url: /confluence/dologin.action | traceId: 3afd578f0159fb78
2017-03-31 10:33:19,928 ERROR [http-nio-8090-exec-9] [[Standalone].[localhost].[/confluence].[action]] log Servlet.service() for servlet [action] in context with path [/confluence] threw exception
org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:820)
    at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:803)
    at org.springframework.ldap.core.LdapTemplate.lookup(LdapTemplate.java:935)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$8.timedCall(SpringLdapTemplateWrapper.java:315)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
    at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.lookup(SpringLdapTemplateWrapper.java:311)
    at com.atlassian.crowd.directory.RFC4519Directory$2.lookup(RFC4519Directory.java:581)
    at com.atlassian.crowd.directory.RFC4519Directory$2.lookup(RFC4519Directory.java:577)
    at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipsOfUserViaMemberOf(RFC4519Directory.java:649)
    at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipNamesOfUserViaMemberOf(RFC4519Directory.java:605)
    at com.atlassian.crowd.directory.RFC4519Directory.findGroupMembershipNames(RFC4519Directory.java:535)
    at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:391)
Caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:152)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:90)
    at com.sun.proxy.$Proxy2567.getAttributes(Unknown Source)
    at org.springframework.ldap.core.LdapTemplate$17.executeWithContext(LdapTemplate.java:937)
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:817)
    ... 207 more
2017-03-31 10:33:19,929 INFO [http-nio-8090-exec-9] [atlassian.confluence.status.SystemErrorInformationLogger] writeToLog Request Unique ID : 1352c513-fa9a-4f5a-81ff-5a958953d111
-------------------------- JVM Stats --------------------------
usedMemory = 575990048
usedMemoryInMegabytes = 549
availableHeap = 497751776
freeMemoryInMegabytes = 474
allocatedHeap = 1073741824
freeAllocatedHeap = 497751776
totalMemory = 1073741824
totalMemoryInMegabytes = 1024
availablePermGen = 0
maxPermGen = -1
maxHeap = 1073741824
usedHeap = 575990048
freeMemory = 497751776
usedPermGen = -1
-------------------------- Request Information --------------------------
URL: http://quicksilver/confluence/500page.jsp
Scheme: http
Server: quicksilver
Port: 80
URI: /confluence/500page.jsp
Context Path: /confluence
Servlet Path: /500page.jsp
Path Info: null
Query String: null
-------------------------- Attributes --------------------------
javax.servlet.forward.request_uri: /confluence/dologin.action
javax.servlet.forward.context_path: /confluence
javax.servlet.forward.servlet_path: /dologin.action
com.atlassian.confluence.login.direct: true
javax.servlet.error.status_code: 500
com.atlassian.confluence.impl.profiling.DecoratorTimings: com.atlassian.confluence.impl.profiling.DecoratorTimings@2292127
com.opensymphony.sitemesh.APPLIED_ONCE: true
__cleanup_recursion_counter: 0
javax.servlet.error.message:
javax.servlet.error.servlet_name: action
com.atlassian.confluence.web.filter.validateparam.RequestParamValidationFilter_already_filtered: true
atlassian.core.seraph.original.url: /500page.jsp
com.atlassian.gzipfilter.GzipFilter_already_filtered: true
Confluence-Request-Time: 1490967199902
loginfilter.already.filtered: true
javax.servlet.error.request_uri: /confluence/dologin.action
com.atlassian.core.filters.HeaderSanitisingFilter_already_filtered: true
com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFixupFilter: true
com.atlassian.confluence.web.ConfluenceJohnsonFilter_already_filtered: true
javax.servlet.error.exception: org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
os_securityfilter_already_filtered: true
com.atlassian.prettyurls.filter.PrettyUrlsSiteMeshFilter: true
-------------------------- Parameters --------------------------
os_username : santos__camila
login : Log in
os_destination : /
caused by: org.springframework.ldap.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)
caused by: javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100781, data 0, 1 access points ref 1: 'atlassian.local' ]; remaining name 'cn=grupocamis,cn=users,dc=atlassian,dc=local'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2971)
Workaround
- Set your LDAP in Confluence/Crowd to use the Global Catalog port (3268).
Warning:
Using the Global Catalog for the sync might cause issues if some attributes are not replicated to the Global Catalog on your LDAP server.
One example is the accountExpires attribute which, combined with the "Filter out expired users" parameter in Crowd, is known to cause undesired user removal, as described in CWD-4954: Users without an userExpired attribute get removed when synchronising ActiveDirectory with the 'Filter out expired users' setting enabled (fixed in Crowd 3.0.2, 3.1.1).