Custom external id attribute in MS AD is not handled properly


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • 4.4.1, 5.0.0
    • Affects Version/s: 4.0.5, 4.1.10, 4.3.5, 4.2.5, 4.4.0
    • Component/s: Directory - LDAP
    • Severity 3 - Minor

      Issue Summary

      This affects both Embedded Crowd and Crowd. It occurs when the external id is mapped to an attribute other than the default 'objectGUID'.

      I found two scenarios in which the issue can occur:

      A) The incremental sync fails with the following error (observed in Jira 7.13.4):

      2021-12-07 13:19:21,189+0200 Caesium-1-1 ERROR ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] Incremental synchronisation for directory [ 11800 ] was unexpectedly interrupted, falling back to a full synchronisation
      java.lang.IllegalArgumentException: guid should be of length 32 (as encoded by getGUIDAsString)
      at com.google.common.base.Preconditions.checkArgument(Preconditions.java:141)
      at com.atlassian.crowd.directory.ldap.util.GuidHelper.encodeGUIDForSearch(GuidHelper.java:73)
      at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.encodeValue(EqualsExternalIdFilter.java:25)
      at org.springframework.ldap.filter.CompareFilter.<init>(CompareFilter.java:36)
      at org.springframework.ldap.filter.EqualsFilter.<init>(EqualsFilter.java:40)
      at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.<init>(EqualsExternalIdFilter.java:13)
      at com.atlassian.crowd.search.ldap.ActiveDirectoryQueryTranslaterImpl.getStringTermEqualityFilter(ActiveDirectoryQueryTranslaterImpl.java:66)

      I could not reproduce it locally (it might fail, but under specific conditions that I am not aware of). For sure, this is strictly related to an MS AD configuration in which a custom external ID is used.

      The static code analysis for this led me to the second scenario in which the issue occurs. I described it in the "Steps to Reproduce" section.

      Steps to Reproduce

      1. Set up MS AD in Crowd (or in Embedded Crowd)
      2. Configure a custom external id (e.g. mail)
      3. Disable the directory cache
      4. Create an application and assign the MS AD directory to it
      5. Call the endpoint `<crowdUrl>/rest/usermanagement/1/user?key=<dir_id>:<custom_external_id_value>`, authenticating with the application credentials set in the previous step

      Expected Results

      No GUID validation should be performed when a custom external id is set. In other words, the GUID validation should only run when the external id is mapped from 'objectGUID', not when it is mapped from a different attribute.

      Actual Results

      HTTP response:

      {
         "reason": "ILLEGAL_ARGUMENT",
         "message": "guid should be of length 32 (as encoded by getGUIDAsString)"
      }
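      To make the defect concrete, the following is an added Python sketch (not Crowd's own code) of an external-id equality filter builder: the buggy variant always applies the 32-hex-character GUID check that the stack trace shows firing, while the corrected variant applies it only when the external id is mapped from objectGUID and otherwise escapes the value as an ordinary LDAP string. The attribute names, sample GUID and mail value are constructed for illustration.

```python
import re

OBJECT_GUID = "objectGUID"  # AD default external id attribute named on the page

# RFC 4515 escapes for ordinary string values in an LDAP search filter
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape a plain attribute value (e.g. a mail address) for use in a filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def encode_guid_for_search(guid_hex: str) -> str:
    """Turn a 32-hex-char GUID string back into the \\xx-escaped 16 raw bytes
    that an objectGUID equality filter needs. Mirrors the precondition in the
    stack trace: anything that is not 32 hex characters is rejected."""
    if not re.fullmatch(r"[0-9a-fA-F]{32}", guid_hex or ""):
        raise ValueError("guid should be of length 32 (as encoded by getGUIDAsString)")
    return "".join(f"\\{b:02x}" for b in bytes.fromhex(guid_hex))


def build_external_id_filter_buggy(external_id_attr: str, value: str) -> str:
    """Defective behaviour: the GUID encoder runs regardless of which attribute
    the external id is mapped from, so a mail address trips the length check."""
    return f"({external_id_attr}={encode_guid_for_search(value)})"


def build_external_id_filter(external_id_attr: str, value: str) -> str:
    """Corrected behaviour: GUID validation/encoding only for objectGUID;
    any other mapped attribute is treated as a normal string value."""
    if external_id_attr.lower() == OBJECT_GUID.lower():
        encoded = encode_guid_for_search(value)
    else:
        encoded = escape_ldap_value(value)
    return f"({external_id_attr}={encoded})"


if __name__ == "__main__":
    sample_guid = "00112233445566778899aabbccddeeff"  # constructed
    print(build_external_id_filter(OBJECT_GUID, sample_guid))
    print(build_external_id_filter("mail", "alice@example.com"))  # constructed
    try:
        build_external_id_filter_buggy("mail", "alice@example.com")
    except ValueError as exc:
        print("buggy variant:", exc)  # the ILLEGAL_ARGUMENT message from the page
```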

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.

    • Assignee: Daniel Serkowski
    • Reporter: Daniel Serkowski
    • Votes: 0
    • Watchers: 2
