Suggestion
Resolution: Low Engagement
Problem summary
In the process of setting up the new LDAP Connector directory, an administrator is very likely to save the directory before it is fully configured. This will inadvertently trigger a sync against LDAP using default attributes and filters, which are very broad. Given a large enough LDAP, this "accidental sync" has the potential to process for a very long time, consuming resources on the Crowd and database servers, and potentially impacting all Crowd-related activity.
Steps to reproduce
The below is a common workflow in setting up a new LDAP Connector directory:
1. First select a directory type (select Connector radio button) and hit the Next button.
2. You will be taken to the "Details" tab in the next screen. Fill in the details and hit the blue "Continue" button.
3. You will be taken to the "Connector" tab, and be shown an error, because not all required details have been filled in. Fill in all the details (base DN and bind credentials) and hit Continue at the bottom.
4. You will now be taken to the "Configuration" tab where you can further tune details such as user and group search filters. Fill these out and hit Continue once more.
Expected behavior
The new directory is not actually added to the database until all tabs have been filled/reviewed by the administrator.
Actual behavior
After hitting "Continue" on Step 3, despite the admin not yet having customized the "Configuration" tab, the directory has been committed to the database. A sync automatically starts shortly after, using the default attributes and search filters. These default filters are very broad and are likely to pull in ALL users and groups within the scope of the base DN set in Step 2.
Assuming this sync finishes, the following sync will take place using the actual intended filters configured in Step 4. If the intended filters are very restrictive, then Crowd will need to perform expensive database updates to "undo" all the changes from the first sync. This can take an even longer time than the first sync due to CWD-5098.
Additional notes
Crowd actually tries once to add the directory to the database after clicking Continue in Step 2, but is blocked due to not having required attributes. After Step 3, however, it has everything it needs to successfully add the directory due to the pre-populated attributes and filters.
Workaround
When setting up a new LDAP Connector, instead of using the "Continue" buttons, manually click on each tab (Details, Connector, Configuration, Permissions). Do not click Continue on any tab until ALL intended configurations are in place. As soon as Continue is clicked, Crowd will attempt to commit the directory to the database and start a sync if it is successful.
Hello,
Thank you for submitting this suggestion. We appreciate you taking the time to share your ideas for improving our products, as many features and functions come from valued customers such as yourself.
Atlassian is committed to enhancing the security and compliance of our Data Center products, with an emphasis on sustainable scalability and improving the product experience for both administrators and end-users. We periodically review older suggestions to ensure we're focusing on the most relevant feedback. This suggestion is being closed due to a lack of engagement in the last four years, including no new watchers, votes, or comments. This inactivity suggests a low impact. Therefore, this suggestion is not in consideration for our future roadmap.
Please note the comments on this thread are not being monitored.
You can read more about our approach to highly voted suggestions here and how we prioritize what to implement here.
To learn more about our recent investments in Crowd Data Center, please check our public roadmap.
Kind regards,
Crowd Data Center