Users without an userExpired attribute get removed when synchronising ActiveDirectory with the 'Filter out expired users' setting enabled

When using an ActiveDirectory directory and enabling the 'filter out expired users' checkbox users that are marked as expired should get filtered out, and not be present in the Crowd directory.

However, in some configurations AD might not return the userExpired attribute in LDAP queries. This will cause users who don't have the attribute to be inadvertently filtered out, and removed from Crowd.

Steps to Reproduce

• Setup Crowd and add AD user directory;
  • For the port, input 3268 for the Global Catalog;
  • Ensure Filter out expired users;
• Save and sync;

Expected behavior

Non-expired users are synchronized and appear in Crowd correctly.

Actual Behavior

Crowd filters out all users from that directory, so no users are displayed.

Investigation

(Reference: https://jira.atlassian.com/browse/JRASERVER-64099)

• When using INCREMENTAL sync with "Filter out expired users", Crowd's ldapsearch includes a check for accountExpires;
• accountExpires is not stored with Global Catalog (port 3268): https://msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx;
• This causes the search to return no results, causing Crowd to believe no users exist;
   

Workaround

• Disable "Filter out expired users"; or
• Connect to port 389, instead of 3268;

In Crowd versions older than 2.12, this issue only impacts Incremental sync, so disabling incremental sync is a possible workaround for those versions.