In 4.4.1 we have users which have duplicate accounts because of their separate account which is in a sub-domain. I have given the User Directory Sync the base DN, but it should not traverse to the sub-domain unless i explicitly tell it to do so. All other applications which search LDAP for Microsoft AD do not traverse to any sub-domains unless you tell it to do so. This is causing even more issues when i tested an upgrade to 4.4.3.

In 4.4.3 the User Directory Sync will not even run successfully because it gets to a group which is also in the sub-domain and throws an error.

2011-10-26 09:26:31,445 QuartzWorker-0 ERROR ServiceRunner [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ].
java.lang.IllegalArgumentException: duplicate key: Guests
at com.google.common.collect.RegularImmutableMap.<init>(RegularImmutableMap.java:62)
at com.google.common.collect.ImmutableMap$Builder.fromEntryList(ImmutableMap.java:210)
at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:196)
at com.google.common.collect.Maps.uniqueIndex(Maps.java:456)
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseMemberships(AbstractCacheRefresher.java:126)
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:44)
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJob.execute(DirectoryPollerJob.java:34)
at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
at com.atlassian.multitenant.quartz.MultiTenantThreadPool$MultiTenantRunnable.run(MultiTenantThreadPool.java:72)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)

This is going to cause major issues and hence prevents us from even thinking about upgrading to any newer version than 4.4.1.

I have also looked into using the LDAP filter to filter out the sub-domain or only filter in the OUs that i want to Sync, but that is impossible. Due to the LDAP standard for Microsoft AD, you cannot use wildcards when filtering by distinguishedName, so it can't be filtered by OU by that method.