Directory Synchronization Fails Against Active Directory Groups With Long Descriptions


    • 6.04

      Expected Behavior
      JIRA synchronization completes successfully.

      Actual Behavior
      JIRA fails to synchronize due to missing group attributes, and throws the following error:

      2015-05-21 10:57:04,939 atlassian-scheduler-quartz1.clustered_Worker-2 ERROR      [com.atlassian.scheduler.JobRunnerResponse] Unable to synchronise directory
      com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: RDS Remote Access Servers
      	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAllGroupAttributes(AbstractCacheRefresher.java:129)
      	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:94)
      	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:168)
      	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1122)
      	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:76)
      	at com.atlassian.jira.crowd.embedded.JiraDirectorySynchroniser.synchronizeDirectory(JiraDirectorySynchroniser.java:96)
      	at com.atlassian.jira.crowd.embedded.JiraDirectorySynchroniser.runJob(JiraDirectorySynchroniser.java:60)
      	at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:136)
      	at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:101)
      	at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:80)
      	at com.atlassian.scheduler.quartz1.Quartz1Job.execute(Quartz1Job.java:32)
      	at org.quartz.core.JobRunShell.run(JobRunShell.java:223)
      	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
      

      Steps to Reproduce

      • Set up an Active Directory Server
      • Create an AD Group that has more than 255 characters in the description
      • Create a LDAP connector with minimal settings (no filters or anything like that)
      • Observe synchronization failure

      Environment:

      JIRA 6.4.3
      Windows Server 2012 R2 with AD at 2012R2 Functional level
      Directory Configuration used:

      Directory ID: 10000
      Name: Active Directory server
      Active: true
      Type: CONNECTOR
      Created date: Thu May 21 09:39:13 CDT 2015
      Updated date: Thu May 21 11:54:32 CDT 2015
      Allowed operations: [UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE]
      Implementation class: com.atlassian.crowd.directory.MicrosoftActiveDirectory
      Encryption type: sha
      Attributes: 
          "autoAddGroups": ""
          "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
          "com.atlassian.crowd.directory.sync.issynchronising": "false"
          "com.atlassian.crowd.directory.sync.lastdurationms": "2960905"
          "com.atlassian.crowd.directory.sync.laststartsynctime": "1432224311907"
          "crowd.sync.incremental.enabled": "true"
          "directory.cache.synchronise.interval": "3600"
          "ldap.basedn": "dc=lab,dc=local"
          "ldap.connection.timeout": "10000"
          "ldap.external.id": "objectGUID"
          "ldap.group.description": "description"
          "ldap.group.dn": ""
          "ldap.group.filter": "(objectCategory=Group)"
          "ldap.group.name": "cn"
          "ldap.group.objectclass": "group"
          "ldap.group.usernames": "member"
          "ldap.local.groups": "false"
          "ldap.nestedgroups.disabled": "true"
          "ldap.pagedresults": "true"
          "ldap.pagedresults.size": "1000"
          "ldap.password": ********
          "ldap.pool.initsize": "null"
          "ldap.pool.maxsize": "null"
          "ldap.pool.prefsize": "null"
          "ldap.pool.timeout": "0"
          "ldap.propogate.changes": "false"
          "ldap.read.timeout": "120000"
          "ldap.referral": "true"
          "ldap.relaxed.dn.standardisation": "true"
          "ldap.roles.disabled": "true"
          "ldap.search.timelimit": "60000"
          "ldap.secure": "false"
          "ldap.url": "ldap://127.0.0.1:3268"
          "ldap.user.displayname": "displayName"
          "ldap.user.dn": ""
          "ldap.user.email": "mail"
          "ldap.user.encryption": "sha"
          "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
          "ldap.user.firstname": "givenName"
          "ldap.user.group": "memberOf"
          "ldap.user.lastname": "sn"
          "ldap.user.objectclass": "user"
          "ldap.user.password": "unicodePwd"
          "ldap.user.username": "sAMAccountName"
          "ldap.user.username.rdn": "cn"
          "ldap.userdn": "ldap"
          "ldap.usermembership.use": "false"
          "ldap.usermembership.use.for.groups": "false"
          "localUserStatusEnabled": "false"
      

      Workaround

      • Exclude the following groups from directory synchronization through a Group Object Filter.

        RDS Endpoint Servers, Exchange Trusted Subsystem, RDS Remote Access Servers, RDS Management Servers, Help Desk

        You can use the following filter for this.
        (&(objectClass=group)(!(cn=*RDS Endpoint Servers*))(!(cn=*Exchange Trusted Subsystem*))(!(cn=*RDS Remote Access Servers*))(!(cn=*RDS Management Servers*))(!(cn=*Help Desk*)))
      • The groups to exclude depend on which missing groups are showing in the logs. You can refer to the steps below to check the missing groups:
        1. Search for this "Failed to synchronize directory group attributes for missing group" exception in the logs (atlassian-jira.log)
        2. You will see something like this:
          Failed to synchronize directory group attributes for missing group: FC Financial Practitioners Observations

          FC Financial Practitioners Observations is the missing group.

        3. Amend the group object filter to exclude that group, like:
          (&(objectClass=group)(!(cn=*FC Financial Practitioners Observations*)))
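The log search and filter rewrite described in the workaround can be scripted. The following is an added example, not part of the original issue or Atlassian's code; the function names and the sample log lines (including the group `Ops (EU)`) are constructed, and the `substring=False` exact-match variant is an addition that goes beyond the filter form shown on this page.

```python
import re

# Message text as it appears in the log excerpt on this page.
MISSING_GROUP = re.compile(
    r"Failed to synchronize directory group attributes for missing group: (?P<name>.+?)\s*$"
)

# RFC 4515 escapes for characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a group name so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def missing_groups(log_lines):
    """Return the distinct group names reported as missing, in first-seen order."""
    seen = []
    for line in log_lines:
        match = MISSING_GROUP.search(line)
        if match and match.group("name") not in seen:
            seen.append(match.group("name"))
    return seen


def exclusion_filter(groups, substring=True):
    """Build the Group Object Filter that excludes the given groups.

    substring=True reproduces the page's (!(cn=*name*)) form. substring=False
    emits exact matches, so excluding "Help Desk" does not also exclude a
    hypothetical "Help Desk Admins".
    """
    pattern = "(!(cn=*{}*))" if substring else "(!(cn={}))"
    clauses = "".join(pattern.format(escape_filter_value(g)) for g in groups)
    return "(&(objectClass=group){})".format(clauses)


# Constructed sample log: the two messages quoted on this page (one repeated)
# plus an invented group name with parentheses to exercise the escaping.
PREFIX = "com.atlassian.crowd.exception.OperationFailedException: "
MESSAGE = "Failed to synchronize directory group attributes for missing group: "
SAMPLE_LOG = [
    PREFIX + MESSAGE + "RDS Remote Access Servers",
    "\tat com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher...",
    PREFIX + MESSAGE + "FC Financial Practitioners Observations",
    PREFIX + MESSAGE + "RDS Remote Access Servers",
    PREFIX + MESSAGE + "Ops (EU)",
]

if __name__ == "__main__":
    print(exclusion_filter(missing_groups(SAMPLE_LOG)))
```

Groups matched by the exclusion filter are no longer synchronized, so any JIRA permissions granted through them stop applying; review the generated group list before changing the directory configuration.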

      Debugger Output

            Assignee: gary
            Reporter: David Di Blasio (Inactive)
            Votes: 55
            Watchers: 67