Uploaded image for project: 'Jira Platform Cloud'
  1. Jira Platform Cloud
  2. JRACLOUD-26073

User Directory Sync using Microsoft AD pulls in groups and users from sub-domains when not requested.

XMLWordPrintable

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      In 4.4.1 we have users which have duplicate accounts because of their separate account which is in a sub-domain. I have given the User Directory Sync the base DN, but it should not traverse to the sub-domain unless i explicitly tell it to do so. All other applications which search LDAP for Microsoft AD do not traverse to any sub-domains unless you tell it to do so. This is causing even more issues when i tested an upgrade to 4.4.3.

      In 4.4.3 the User Directory Sync will not even run successfully because it gets to a group which is also in the sub-domain and throws an error.

      2011-10-26 09:26:31,445 QuartzWorker-0 ERROR ServiceRunner [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ].
      java.lang.IllegalArgumentException: duplicate key: Guests
      at com.google.common.collect.RegularImmutableMap.<init>(RegularImmutableMap.java:62)
      at com.google.common.collect.ImmutableMap$Builder.fromEntryList(ImmutableMap.java:210)
      at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:196)
      at com.google.common.collect.Maps.uniqueIndex(Maps.java:456)
      at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseMemberships(AbstractCacheRefresher.java:126)
      at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:44)
      at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
      at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
      at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
      at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
      at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJob.execute(DirectoryPollerJob.java:34)
      at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
      at com.atlassian.multitenant.quartz.MultiTenantThreadPool$MultiTenantRunnable.run(MultiTenantThreadPool.java:72)
      at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)

      This is going to cause major issues and hence prevents us from even thinking about upgrading to any newer version than 4.4.1.

      I have also looked into using the LDAP filter to filter out the sub-domain or only filter in the OUs that i want to Sync, but that is impossible. Due to the LDAP standard for Microsoft AD, you cannot use wildcards when filtering by distinguishedName, so it can't be filtered by OU by that method.

              Unassigned Unassigned
              c1ff22f20cdf Adam Barylak
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: