Custom external id attribute in MS AD is not handled properly

    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 4.4.1, 5.0.0
    • Affects Version/s: 4.0.5, 4.1.10, 4.3.5, 4.2.5, 4.4.0
    • Component/s: Directory - LDAP
    • Labels: None

      Issue Summary

      This affects both Embedded Crowd and Crowd. It relates to using an external id set to a different value than the default 'objectGUID'.

      I found two scenarios in which the issue can occur:

      A) The incremental sync fails with the error (found in Jira 7.13.4)

      2021-12-07 13:19:21,189+0200 Caesium-1-1 ERROR ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] Incremental synchronisation for directory [ 11800 ] was unexpectedly interrupted, falling back to a full synchronisation
      java.lang.IllegalArgumentException: guid should be of length 32 (as encoded by getGUIDAsString)
      at com.google.common.base.Preconditions.checkArgument(Preconditions.java:141)
      at com.atlassian.crowd.directory.ldap.util.GuidHelper.encodeGUIDForSearch(GuidHelper.java:73)
      at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.encodeValue(EqualsExternalIdFilter.java:25)
      at org.springframework.ldap.filter.CompareFilter.<init>(CompareFilter.java:36)
      at org.springframework.ldap.filter.EqualsFilter.<init>(EqualsFilter.java:40)
      at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.<init>(EqualsExternalIdFilter.java:13)
      at com.atlassian.crowd.search.ldap.ActiveDirectoryQueryTranslaterImpl.getStringTermEqualityFilter(ActiveDirectoryQueryTranslaterImpl.java:66) 

      I could not reproduce it locally (it might fail, but in specific conditions that I am not aware of). For sure this is strictly related to an MS AD configuration in which a custom external ID is used.

      The static code analysis for this led me to the second scenario in which the issue occurs. I described it in the "Steps to Reproduce" section.

      Steps to Reproduce

      1. Set up MS AD in Crowd (or in Embedded Crowd)
      2. Configure custom external id (e.g. mail)
      3. Disable directory cache
      4. Create an application and assign MS AD dir to it
      5. Call the endpoint `<crowdUrl>/rest/usermanagement/1/user?key=<dir_id>:<custom_external_id_value>` using application credentials set in the previous step to authenticate

      Expected Results

      Any GUID validation should not be performed when custom external id is set - in other words, the GUID validation should not be performed when external id is mapped from a different attribute than ‘objectGUID’.

      Actual Results

      HTTP response

      {
         "reason": "ILLEGAL_ARGUMENT",
         "message": "guid should be of length 32 (as encoded by getGUIDAsString)"
      } 

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.
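
      The behaviour described under "Expected Results", as an added illustration that is not Crowd's source code and not part of the original report: the GUID length check and binary encoding apply only when the external id is mapped from 'objectGUID', while any other attribute value is still escaped per RFC 4515 so that a value taken from the `key` request parameter cannot alter the filter. The class and method names are hypothetical, and the hex GUID is assumed to be in the byte order the directory stores.

```java
// Added illustration, not Crowd's code; all names here are hypothetical.
public class ExternalIdFilterSketch {
    static final String DEFAULT_EXTERNAL_ID_ATTR = "objectGUID";

    // Binary GUID: require exactly 32 hex characters, then escape every byte as \xx.
    // Assumption: the hex string is already in the stored byte order.
    static String encodeGuidForSearch(String guid) {
        if (guid == null || !guid.matches("[0-9a-fA-F]{32}")) {
            throw new IllegalArgumentException("guid should be of length 32");
        }
        StringBuilder sb = new StringBuilder(48);
        for (int i = 0; i < 32; i += 2) {
            sb.append('\\').append(guid, i, i + 2);
        }
        return sb.toString();
    }

    // Any other attribute: no GUID check, but RFC 4515 metacharacters are
    // escaped so the value cannot change the structure of the filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Choose the encoding from the configured external id attribute.
    static String externalIdEquals(String externalIdAttr, String value) {
        String encoded = DEFAULT_EXTERNAL_ID_ATTR.equalsIgnoreCase(externalIdAttr)
                ? encodeGuidForSearch(value)
                : escapeFilterValue(value);
        return "(" + externalIdAttr + "=" + encoded + ")";
    }

    public static void main(String[] args) {
        // Constructed sample values.
        System.out.println(externalIdEquals("objectGUID", "0123456789abcdef0123456789abcdef"));
        System.out.println(externalIdEquals("mail", "jane.doe@example.com"));
        System.out.println(externalIdEquals("mail", "a*)(b"));
    }
}
```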

            [CWD-5757] Custom external id attribute in MS AD is not handled properly

            Patryk made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Waiting for Release [ 12075 ] New: Closed [ 6 ]
            Daniel Serkowski made changes -
            Fix Version/s New: 5.0.0 [ 98897 ]
            Fix Version/s New: 4.4.1 [ 97911 ]
            Daniel Serkowski made changes -
            Status Original: In Progress [ 3 ] New: Waiting for Release [ 12075 ]
            Bugfix Automation Bot made changes -
            Support reference count New: 1
            Daniel Serkowski made changes -
            Remote Link New: This issue links to "KRAK-4577 (Current JIRA)" [ 605316 ]
            Daniel Serkowski made changes -
            Assignee New: Daniel Serkowski [ 07f034cb6f52 ]
            Daniel Serkowski made changes -
            Status Original: Needs Triage [ 10030 ] New: In Progress [ 3 ]
            Daniel Serkowski made changes -
            Rank New: Ranked higher
            Daniel Serkowski created issue -
