  1. Crowd
  2. CWD-4954

Users without a userExpired attribute get removed when synchronising ActiveDirectory with the 'Filter out expired users' setting enabled


    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2.11.1, 2.12.0, 3.0.1
    • Fix Version/s: 3.0.2, 3.1.1
    • Component/s: None

      Description

      When using an ActiveDirectory directory with the 'Filter out expired users' checkbox enabled, users that are marked as expired should be filtered out and not be present in the Crowd directory.

      However, in some configurations AD might not return the userExpired attribute in LDAP queries. This will cause users who don't have the attribute to be inadvertently filtered out, and removed from Crowd.

      Steps to Reproduce

      • Set up Crowd and add an AD user directory;
        • For the port, input 3268 for the Global Catalog;
        • Ensure "Filter out expired users" is enabled;
      • Save and sync;

      Expected behavior

      Non-expired users are synchronized and appear in Crowd correctly.

      Actual Behavior

      Crowd filters out all users from that directory, so no users are displayed.

      Investigation

      (Reference: https://jira.atlassian.com/browse/JRASERVER-64099)

      • When using INCREMENTAL sync with "Filter out expired users", Crowd's ldapsearch includes a check for accountExpires;
      • accountExpires is not stored in the Global Catalog (port 3268): https://msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx;
      • This causes the search to return no results, causing Crowd to believe no users exist;
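
The failure mode described in the investigation, as an added example that is not Crowd's code or Atlassian's fix: a strict expiry check drops every entry when accountExpires is absent, while a tolerant check keeps the users but can no longer exclude expired ones. The predicates, helper names and sample entries are assumptions constructed for illustration; the Global Catalog is modelled simply as the same entries with accountExpires stripped.

```python
from datetime import datetime, timezone

NEVER = {0, 0x7FFFFFFFFFFFFFFF}  # AD accountExpires values meaning "never expires"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Convert a datetime to AD FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def strict_not_expired(entry, now_ft):
    """Hypothetical strict check: accountExpires must be present and not in the past.
    A comparison on an absent LDAP attribute never matches, so the entry is dropped."""
    value = entry.get("accountExpires")
    return value is not None and (value in NEVER or value > now_ft)

def tolerant_not_expired(entry, now_ft):
    """Hypothetical tolerant check: a missing accountExpires counts as not expired."""
    return "accountExpires" not in entry or strict_not_expired(entry, now_ft)

def global_catalog_view(entries):
    """Constructed stand-in for port 3268: the same entries without accountExpires."""
    return [{k: v for k, v in e.items() if k != "accountExpires"} for e in entries]

def sync(entries, predicate, now_ft):
    """Return the account names that survive the expiry filter."""
    return sorted(e["sAMAccountName"] for e in entries if predicate(e, now_ft))

def expiry_data_available(entries):
    """Pre-flight check: does this endpoint return accountExpires for any entry?"""
    return any("accountExpires" in e for e in entries)

NOW = to_filetime(datetime(2017, 6, 1, tzinfo=timezone.utc))  # constructed "current" time
# Constructed sample directory as it would be returned on port 389.
LDAP_389 = [
    {"sAMAccountName": "alice", "accountExpires": 0},
    {"sAMAccountName": "bob", "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "carol", "accountExpires": to_filetime(datetime(2030, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "dave", "accountExpires": to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))},
]
GC_3268 = global_catalog_view(LDAP_389)

if __name__ == "__main__":
    print("389  strict  :", sync(LDAP_389, strict_not_expired, NOW))
    print("3268 strict  :", sync(GC_3268, strict_not_expired, NOW))
    print("3268 tolerant:", sync(GC_3268, tolerant_not_expired, NOW))
    print("3268 returns expiry data:", expiry_data_available(GC_3268))
```

When `expiry_data_available` is false for an endpoint, neither check can enforce account expiry there, which is why connecting to port 389 is the workaround that keeps the filter meaningful.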
         

      Workaround

      • Disable "Filter out expired users"; or
      • Connect to port 389, instead of 3268;

      In Crowd versions older than 2.12, this issue only impacts Incremental sync, so disabling incremental sync is a possible workaround for those versions.

              People

              Assignee: Unassigned
              Reporter: Lukasz Pater (lpater)