- Bug
- Resolution: Invalid
- Medium
- None
- 2.11.2, 2.12.0, 3.1.2
- None
- Severity 2 - Major
Steps to reproduce the issue
- Create a delegated user directory connected to an Active Directory and set it to add users to the group confluence-user automatically.
- Assign the new user directory to an application (Confluence, for example).
- Create a new Crowd user directory in Confluence with "Read and Write" LDAP Permission.
- Log in to Confluence as the user "admin", which exists in Active Directory.
- Rename the user "admin" in Active Directory to the username "admin1".
- Log out of Confluence, then log in again with the new username "admin1".
- Then log out and log in to Confluence again.
Expected behavior
The user should be able to log in correctly.
Actual behavior
The user login failed with the following error message:
2018-02-19 21:05:36,688 http-nio-8095-exec-20 ERROR [crowd.manager.application.ApplicationServiceGeneric] Directory 'Local LDAP delegating (360449)' is not functional during authentication of 'admin1'. Skipped.
2018-02-19 21:06:01,810 http-nio-8095-exec-21 ERROR [common.error.jersey.ThrowableExceptionMapper] Uncaught exception thrown by REST service: query did not return a unique result: 2
org.hibernate.NonUniqueResultException: query did not return a unique result: 2
    at org.hibernate.query.internal.AbstractProducedQuery.uniqueElement(AbstractProducedQuery.java:1487)
    at org.hibernate.internal.CriteriaImpl.uniqueResult(CriteriaImpl.java:388)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.findByExternalId(UserDAOHibernate.java:190)
    at com.atlassian.crowd.dao.user.UserDAOHibernate.findByExternalId(UserDAOHibernate.java:57)
    at com.atlassian.crowd.directory.AbstractInternalDirectory.findUserByExternalId(AbstractInternalDirectory.java:175)
    at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.findLocalUserByExternalId(DelegatedAuthenticationDirectory.java:296)
    at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.updateUserFromRemoteDirectory(DelegatedAuthenticationDirectory.java:199)
    at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticateAndUpdateOrCreate(DelegatedAuthenticationDirectory.java:184)
    at com.atlassian.crowd.directory.DelegatedAuthenticationDirectory.authenticate(DelegatedAuthenticationDirectory.java:152)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:285)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
Diagnostic:
- Two users with different usernames and the same external_id were created in Crowd, which can be identified with the following query:
select * from cwd_user where external_id in (select external_id from cwd_user group by external_id having count(external_id) >1);
- When Confluence performs the user directory synchronization, the user bounces between the 2 user accounts after each synchronization.
- This particular issue is reproduced with Active Directory only.
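The diagnostic above as a runnable check on constructed data (an added example, not code from the ticket or from Crowd). It assumes the external-ID lookup is keyed per directory and that cwd_user has directory_id, user_name and created_date columns; only the table name, external_id and directory id 360449 come from the ticket.

```python
import sqlite3

# Constructed, simplified stand-in for Crowd's cwd_user table. Only the table
# name and external_id come from the ticket; the other columns are assumptions.
SCHEMA = """CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, directory_id INTEGER,
    user_name TEXT, external_id TEXT, created_date TEXT);"""

# Constructed sample rows: 'admin' was renamed to 'admin1' in AD, so both local
# rows carry the same external_id. 'svc' has no external_id and must be ignored.
ROWS = [
    (1, 360449, "admin",  "guid-aaaa", "2018-01-10 09:00:00"),
    (2, 360449, "admin1", "guid-aaaa", "2018-02-19 21:04:00"),
    (3, 360449, "jsmith", "guid-bbbb", "2018-01-11 10:00:00"),
    (4, 360449, "svc",    None,        "2018-01-12 11:00:00"),
    (5, 98305,  "jsmith", "guid-bbbb", "2018-01-13 12:00:00"),  # other directory
]

# Same idea as the ticket's query, but scoped per directory and ordered by age
# so the older row (the one to keep and rename) comes first in each group.
COLLISIONS = """
SELECT u.directory_id, u.external_id, u.user_name
FROM cwd_user u
JOIN (SELECT directory_id, external_id FROM cwd_user
      WHERE external_id IS NOT NULL
      GROUP BY directory_id, external_id
      HAVING COUNT(*) > 1) d
  ON d.directory_id = u.directory_id AND d.external_id = u.external_id
ORDER BY u.directory_id, u.external_id, u.created_date, u.id;
"""

def find_collisions(conn):
    """Return {(directory_id, external_id): [user_name, ...]}, oldest first."""
    groups = {}
    for directory_id, external_id, user_name in conn.execute(COLLISIONS):
        groups.setdefault((directory_id, external_id), []).append(user_name)
    return groups

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_user VALUES (?, ?, ?, ?, ?)", ROWS)
    return find_collisions(conn)

if __name__ == "__main__":
    for (directory_id, external_id), names in demo().items():
        print(directory_id, external_id, "keep:", names[0], "review:", names[1:])
```

On a real Crowd database, check the actual column names before running the query read-only.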
Workaround solution
We can remove the newly created user via the Crowd UI and rename the old user to the new username.