[CWD-5757] Custom external id attribute in MS AD is not handled properly

Project: Crowd Data Center

    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 4.4.1, 5.0.0
    • Affects Version/s: 4.0.5, 4.1.10, 4.3.5, 4.2.5, 4.4.0
    • Component/s: Directory - LDAP

      Issue Summary

      This affects both Embedded Crowd and Crowd. It relates to using an external id set to a different value than the default 'objectGUID'.

      I found two scenarios in which the issue can occur:

      A) The incremental sync fails with the error (found in Jira 7.13.4)

      2021-12-07 13:19:21,189+0200 Caesium-1-1 ERROR ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] Incremental synchronisation for directory [ 11800 ] was unexpectedly interrupted, falling back to a full synchronisation
      java.lang.IllegalArgumentException: guid should be of length 32 (as encoded by getGUIDAsString)
      at com.google.common.base.Preconditions.checkArgument(Preconditions.java:141)
      at com.atlassian.crowd.directory.ldap.util.GuidHelper.encodeGUIDForSearch(GuidHelper.java:73)
      at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.encodeValue(EqualsExternalIdFilter.java:25)
      at org.springframework.ldap.filter.CompareFilter.<init>(CompareFilter.java:36)
      at org.springframework.ldap.filter.EqualsFilter.<init>(EqualsFilter.java:40)
      at com.atlassian.crowd.search.ldap.filter.EqualsExternalIdFilter.<init>(EqualsExternalIdFilter.java:13)
      at com.atlassian.crowd.search.ldap.ActiveDirectoryQueryTranslaterImpl.getStringTermEqualityFilter(ActiveDirectoryQueryTranslaterImpl.java:66) 

      I could not reproduce it locally (it might fail, but in specific conditions that I am not aware of). For sure this is strictly related to an MS AD configuration in which a custom external ID is used.

      The static code analysis for this led me to the second scenario in which the issue occurs. I described it in the "Steps to Reproduce" section.

      Steps to Reproduce

      1. Set up MS AD in Crowd (or in Embedded Crowd)
      2. Configure a custom external id (e.g. mail)
      3. Disable the directory cache
      4. Create an application and assign the MS AD dir to it
      5. Call the endpoint `<crowdUrl>/rest/usermanagement/1/user?key=<dir_id>:<custom_external_id_value>` using application credentials set in the previous step to authenticate

      Expected Results

      No GUID validation should be performed when a custom external id is set. In other words, the GUID validation should not be performed when the external id is mapped from a different attribute than ‘objectGUID’.

      Actual Results

      HTTP response

      {
         "reason": "ILLEGAL_ARGUMENT",
         "message": "guid should be of length 32 (as encoded by getGUIDAsString)"
      } 

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.

      Daniel Serkowski