Crowd: CWD-5502

Synchronization fails if there exists any user member in LDAP with invalid name format


    Details

    • Type: Suggestion
    • Status: Gathering Interest
    • Resolution: Unresolved
    • Fix Version/s: None
    • Component/s: Directory - LDAP
    • Labels: None

      Description

      Issue Summary

      Synchronising an external user directory (a connector directory such as LDAP) fails completely during the group-membership step if any group contains a member value of the form "uniqueMember: username", i.e. a bare username instead of a full DN.

      Steps to Reproduce

      1. Connect a user directory (LDAP) in Bitbucket Server.
      2. Have a group whose LDIF looks like the following (note the bare "uniqueMember: johndoe", a username rather than a DN):
        # group1, groups, domain
        dn: cn=group1,ou=groups,dc=xxx,dc=xx
        uniqueMember: johndoe
        uniqueMember: uid=janedoe,ou=people,dc=xxx,dc=xxxx
        .......
        objectClass: top
        objectClass: groupOfUniqueNames
        cn: group1
        
      3. Click Synchronize.

      Expected Results

      • Synchronization proceeds, skipping the invalid member values
      • Group membership synchronization for that group is skipped
      • The sync process continues with the other groups

      Actual Results

      The directory fails to synchronise.

      The following exception is thrown in the atlassian-bitbucket.log file with DEBUG logging enabled for the Crowd package com.atlassian.crowd. The group containing the malformed member values is the last group listed before the error:

       DEBUG [Caesium-1-1]  c.a.c.d.l.monitoring.TimedSupplier Timed call for lookup with mapper on cn=group1,ou=groups,dc=xxxx,dc=xx took 3ms
       INFO  [Caesium-1-1]  c.a.c.d.DbCachingRemoteDirectory failed synchronisation complete for directory [ x ] in [ x ms ]
       DEBUG [Caesium-1-1]  c.a.s.i.crowd.HibernateDirectoryDao Updating object: com.atlassian.crowd.model.directory.DirectoryImpl@6b8e0580[lowerName=ldap server,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.OpenLDAP,allowedOperations=[DELETE_GROUP, CREATE_GROUP, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE],attributes={ldap.basedn=DC=xxx,DC=xx, ldap.user.filter=(&(objectClass=posixAccount)), ldap.user.username=uid, ldap.usermembership.use=false, com.atlassian.crowd.directory.sync.lastdurationms=22784, autoAddGroups=stash-users, crowd.sync.incremental.enabled=true, ldap.group.usernames=uniqueMember, ldap.pagedresults.size=1000, ldap.read.timeout=120000, crowd.sync.group.membership.after.successful.user.auth.enabled=only_when_first_created, ldap.connection.timeout=10000, ldap.group.filter=(&(objectclass=groupOfUniqueNames)), ldap.roles.disabled=true, ldap.external.id=uid, ldap.url=xxxxx, ldap.usermembership.use.for.groups=false, ldap.pagedresults=false, ldap.user.password=userPassword, ldap.user.lastname=sn, ldap.group.name=cn, ldap.user.objectclass=posixAccount, directory.cache.synchronise.interval=3600, ldap.nestedgroups.disabled=false, ldap.secure=true, ldap.referral=false, ldap.user.username.rdn=cn, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.propogate.changes=false, ldap.group.dn=ou=groups, ldap.pool.timeout=0, ldap.user.displayname=uid, ldap.relaxed.dn.standardisation=true, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.laststartsynctime=1574246377919, ldap.user.email=mail, ldap.user.group=uid, localUserStatusEnabled=false, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, ldap.user.dn=OU=People, ldap.group.objectclass=groupOfUniqueNames, ldap.filter.expiredUsers=false, ldap.search.timelimit=60000}]
      2019-11-20 11:40:00,713 ERROR [Caesium-1-1]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ x ].
      java.lang.RuntimeException: javax.naming.InvalidNameException: Invalid name: johndoe
      	at com.atlassian.crowd.directory.RFC4519Directory$3.apply(RFC4519Directory.java:837)
      ...
      Caused by: javax.naming.InvalidNameException: Invalid name: johndoe
      	at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111)
      	at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70)
      	at javax.naming.ldap.LdapName.parse(LdapName.java:785)
      	at javax.naming.ldap.LdapName.<init>(LdapName.java:123)
      	at com.atlassian.crowd.directory.RFC4519Directory$3.apply(RFC4519Directory.java:835)
      	... 38 common frames omitted
      

      Workaround

      1. In LDAP, remove (or correct) the member values with malformed names (a bare "jdoe" instead of "uid=jdoe,ou=people,o=domain") from the group.
      2. Synchronize again.
        If it fails again with:
        ERROR [Caesium-1-1] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 111111 ].
        

        and another group is listed right before that error:

        [crowd.directory.ldap.SpringLdapTemplateWrapper] call Timed call for lookup with mapper on cn=group2,ou=groups,o=domain took 34ms
        

        then fix that group the same way on the LDAP server (removing the malformed member values) and repeat until the sync completes.

      To find all the groups with malformed member values more quickly, temporarily exclude each group you have already identified from the group filter (ldap.group.filter), e.g. (&(objectclass=groupOfUniqueNames)(!(cn=group1))), and synchronize again; the next failure points at the next broken group.
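      The failure described above and the group-by-group workaround, as an added example that is not part of the original report or of Crowd's own code. Crowd builds a javax.naming.ldap.LdapName from every value of the attribute configured as ldap.group.usernames, so the check below applies the same rule offline: it scans an LDIF export for member values that are not syntactically valid DNs (RFC 4514) and builds the exclusion filter from the workaround. It assumes ldap.group.usernames=uniqueMember and ldap.group.name=cn, as in the directory attributes logged above; SAMPLE_LDIF is constructed for illustration.

```python
"""Pre-sync check for LDAP group member values that are not parseable DNs.

Added example, not Crowd or Bitbucket code.  A bare username such as
"johndoe" is not a DN, so LdapName throws InvalidNameException and the
whole directory sync aborts.  SAMPLE_LDIF below is constructed.
"""
import base64
import re
from typing import Dict, List, Tuple

# RFC 4512 attribute type: descriptor keystring or dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, keeping backslash-escaped separators (RFC 4514) intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])          # keep the escape pair as-is
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def is_valid_dn(value: str) -> bool:
    """Syntactic RFC 4514 check: every RDN is one or more 'type=value' pairs
    joined by '+', each with a well-formed attribute type.  A bare username
    has no '=' and fails, which is exactly what breaks the sync.  The empty
    DN is rejected too: legal LDAP, but never a sensible member value."""
    value = value.strip()
    if not value:
        return False
    for rdn in _split_unescaped(value, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, _ = ava.partition("=")
            if not eq or not ATTR_TYPE.match(attr.strip()):
                return False
    return True


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, folded continuation
    lines joined, '::' base64 values decoded, comments ignored."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF line folding
        else:
            lines.append(raw)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, val = line.partition(":")   # first ':' only; DN values keep theirs
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        else:
            val = val.strip()
        current.setdefault(key.strip(), []).append(val)
    return entries


def find_bad_members(ldif_text: str, member_attr: str = "uniqueMember") -> List[Tuple[str, str]]:
    """Return (group DN, offending value) for every member value that is not a DN."""
    bad = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for member in entry.get(member_attr, []):
            if not is_valid_dn(member):
                bad.append((dn, member))
    return bad


def dn_value_to_filter_value(v: str) -> str:
    """Turn an RDN value into a filter-safe value: undo single-character DN
    escapes (RFC 4514), then apply RFC 4515 search-filter escaping."""
    v = re.sub(r"\\(.)", r"\1", v)
    return (v.replace("\\", "\\5c").replace("*", "\\2a")
             .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def exclusion_filter(base_filter: str, group_dns: List[str], rdn_attr: str = "cn") -> str:
    """The workaround filter: the configured group filter with each known-bad
    group excluded.  Assumes rdn_attr is the ldap.group.name attribute."""
    clauses = []
    for dn in group_dns:
        rdn_value = _split_unescaped(dn, ",")[0].partition("=")[2]
        clauses.append(f"(!({rdn_attr}={dn_value_to_filter_value(rdn_value)}))")
    excl = "".join(clauses)
    if base_filter.startswith("(&") and base_filter.endswith(")"):
        return base_filter[:-1] + excl + ")"    # extend the existing AND
    return f"(&{base_filter}{excl})"


SAMPLE_LDIF = """\
dn: cn=group1,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: group1
uniqueMember: johndoe
uniqueMember: uid=janedoe,ou=people,dc=example,dc=com

dn: cn=group2,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: group2
uniqueMember: uid=janedoe,ou=people,dc=example,dc=com
uniqueMember: cn=Smith\\, Bob,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":
    bad = find_bad_members(SAMPLE_LDIF)
    for group_dn, value in bad:
        print(f"{group_dn}: {value!r} is not a DN")
    print(exclusion_filter("(&(objectclass=groupOfUniqueNames))",
                           sorted({g for g, _ in bad})))
```

      Run it against an ldapsearch export of the group subtree before synchronising; it reports only group1's "johndoe" for the constructed data and leaves the escaped comma in "Smith\, Bob" alone, since that is a valid DN. The filter it prints is the one to paste into ldap.group.filter while the directory is being cleaned up.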

              People

              Assignee: Unassigned
              Reporter: Gaurav Agarwal (gagarwal@atlassian.com, Inactive)
              Votes: 1
              Watchers: 4
