Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-43495

Directory Syncronization Fails Against Active Directory Groups With Long Descriptions

XMLWordPrintable

      Expected Behavior
      JIRA syncronization completes successfully.

      Actual Behavior
      JIRA fails to syncronize due to missing group attributes, and throws the following error:

      2015-05-21 10:57:04,939 atlassian-scheduler-quartz1.clustered_Worker-2 ERROR      [com.atlassian.scheduler.JobRunnerResponse] Unable to synchronise directory
com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: RDS Remote Access Servers
	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAllGroupAttributes(AbstractCacheRefresher.java:129)
	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:94)
	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:168)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1122)
	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:76)
	at com.atlassian.jira.crowd.embedded.JiraDirectorySynchroniser.synchronizeDirectory(JiraDirectorySynchroniser.java:96)
	at com.atlassian.jira.crowd.embedded.JiraDirectorySynchroniser.runJob(JiraDirectorySynchroniser.java:60)
	at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:136)
	at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:101)
	at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:80)
	at com.atlassian.scheduler.quartz1.Quartz1Job.execute(Quartz1Job.java:32)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:223)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)

      Steps to Reproduce

      • Set up an Active Directory Server
      • Create an AD Group that has more than 255 characters in the description
      • Create a LDAP connector with minimal settings (no filters or anything like that)
      • Observe synchronization failure

      Environment:

      JIRA 6.4.3
      Windows Server 2012 R2 with AD at 2012R2 Functional level
      Directory Configuration used:

      Directory ID: 10000
Name: Active Directory server
Active: true
Type: CONNECTOR
Created date: Thu May 21 09:39:13 CDT 2015
Updated date: Thu May 21 11:54:32 CDT 2015
Allowed operations: [UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE]
Implementation class: com.atlassian.crowd.directory.MicrosoftActiveDirectory
Encryption type: sha
Attributes: 
    "autoAddGroups": ""
    "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
    "com.atlassian.crowd.directory.sync.issynchronising": "false"
    "com.atlassian.crowd.directory.sync.lastdurationms": "2960905"
    "com.atlassian.crowd.directory.sync.laststartsynctime": "1432224311907"
    "crowd.sync.incremental.enabled": "true"
    "directory.cache.synchronise.interval": "3600"
    "ldap.basedn": "dc=lab,dc=local"
    "ldap.connection.timeout": "10000"
    "ldap.external.id": "objectGUID"
    "ldap.group.description": "description"
    "ldap.group.dn": ""
    "ldap.group.filter": "(objectCategory=Group)"
    "ldap.group.name": "cn"
    "ldap.group.objectclass": "group"
    "ldap.group.usernames": "member"
    "ldap.local.groups": "false"
    "ldap.nestedgroups.disabled": "true"
    "ldap.pagedresults": "true"
    "ldap.pagedresults.size": "1000"
    "ldap.password": ********
    "ldap.pool.initsize": "null"
    "ldap.pool.maxsize": "null"
    "ldap.pool.prefsize": "null"
    "ldap.pool.timeout": "0"
    "ldap.propogate.changes": "false"
    "ldap.read.timeout": "120000"
    "ldap.referral": "true"
    "ldap.relaxed.dn.standardisation": "true"
    "ldap.roles.disabled": "true"
    "ldap.search.timelimit": "60000"
    "ldap.secure": "false"
    "ldap.url": "ldap://127.0.0.1:3268"
    "ldap.user.displayname": "displayName"
    "ldap.user.dn": ""
    "ldap.user.email": "mail"
    "ldap.user.encryption": "sha"
    "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
    "ldap.user.firstname": "givenName"
    "ldap.user.group": "memberOf"
    "ldap.user.lastname": "sn"
    "ldap.user.objectclass": "user"
    "ldap.user.password": "unicodePwd"
    "ldap.user.username": "sAMAccountName"
    "ldap.user.username.rdn": "cn"
    "ldap.userdn": "ldap"
    "ldap.usermembership.use": "false"
    "ldap.usermembership.use.for.groups": "false"
    "localUserStatusEnabled": "false"

      Workaround

      • Exclude the following groups from directory synchronization through a Group Object Filter.

        RDS Endpoint Servers, Exchange Trusted Subsystem, RDS Remote Access Servers, RDS Management Servers, Help Desk

        You can use the following filter for this. 
        (&(objectClass=group)(!(cn=*RDS Endpoint Servers*))(!(cn=*Exchange Trusted Subsystem*))(!(cn=*RDS Remote Access Servers*))(!(cn=*RDS Management Servers*))(!(cn=*Help Desk*)))
      • Also, it depends on which missing groups are showing in the logs. You can refer the steps below to check the missing groups:
        1. Search for this "Failed to synchronize directory group attributes for missing group" exception in the logs (atlassian-jira.log)
        2. You will see something like this: 
          Failed to synchronize directory group attributes for missing group: FC Financial Practitioners Observations

          FC Financial Practitioners Observations is the missing group.

        3. Re-amend the group object filter like: 
          (&(objectClass=group)(!(cn=*FC Financial Practitioners Observations*)))

      Debugger Output

        1. 2015-05-21_11-51-26.png
          2015-05-21_11-51-26.png
          142 kB

            [JRASERVER-43495] Directory Syncronization Fails Against Active Directory Groups With Long Descriptions

            Dennis Schuppentier added a comment -

            As Microsoft localizes those Group Names, the filter has to be adjusted for languages other than English, for example for German:

            (&(objectClass=group)(!(cn=*RDS-Endpunktserver*))(!(cn=*Exchange Trusted Subsystem*))(!(cn=*RDS-Remotezugriffsserver))(!(cn=*RDS-Verwaltungsserver*))(!(cn=*Help Desk*)))

            Dennis Schuppentier added a comment - As Microsoft localizes those Group Names, the filter has to be adjusted for languages other than English, for example for German: (&(objectClass=group)(!(cn=*RDS-Endpunktserver*))(!(cn=*Exchange Trusted Subsystem*))(!(cn=*RDS-Remotezugriffsserver))(!(cn=*RDS-Verwaltungsserver*))(!(cn=*Help Desk*)))

            Deleted Account (Inactive) added a comment -

            We had many AD groups that had more than 255 characters in the description. So instead of using "description" for the group description attribute, we just used "cn". That was how we worked around this issue.

            Deleted Account (Inactive) added a comment - We had many AD groups that had more than 255 characters in the description. So instead of using "description" for the group description attribute, we just used "cn". That was how we worked around this issue.

            Heshan Manamperi added a comment -

            Hi All,

            Can someone please let me know, is this affected JIRA environment which use crowd between AD and JIRA?

            Thanks in Advance,
            Heshan

            Heshan Manamperi added a comment - Hi All, Can someone please let me know, is this affected JIRA environment which use crowd between AD and JIRA? Thanks in Advance, Heshan

            Oswaldo Hernandez (Inactive) added a comment -

            Hi felix.grund,

            We have probably fixed the issue in a different way. Our fix was done in JIRA's OfBizGroupDao

            Cheers,
            Os.

            Oswaldo Hernandez (Inactive) added a comment - Hi felix.grund , We have probably fixed the issue in a different way. Our fix was done in JIRA's OfBizGroupDao Cheers, Os.

            Felix Grund (Scandio) added a comment -

            Hi Oswaldo! I don't really understand. In my opinion, the issue is in the embedded Crowd libraries (at least the code I found and patched around). These libraries should be exactly the same in JIRA and Confluence, shouldn't they?

            Felix Grund (Scandio) added a comment - Hi Oswaldo! I don't really understand. In my opinion, the issue is in the embedded Crowd libraries (at least the code I found and patched around). These libraries should be exactly the same in JIRA and Confluence, shouldn't they?

            Oswaldo Hernandez (Inactive) added a comment -

            The fix was done in JIRA felix.grund.

            Consequently, if confluence suffers from the same issue a similar fix will have to be developed against the confluence code base.

            I suggest you to raise another issue in the CONF project if that is the case.

            Regards,

            Oswaldo Hernández.
            JIRA Bugmaster.
            [Atlassian].

            Oswaldo Hernandez (Inactive) added a comment - The fix was done in JIRA felix.grund . Consequently, if confluence suffers from the same issue a similar fix will have to be developed against the confluence code base. I suggest you to raise another issue in the CONF project if that is the case. Regards, Oswaldo Hernández. JIRA Bugmaster. [Atlassian] .

            Heshan Manamperi added a comment -

            we use crowd as authentication directory and AD is connected to crowd. So will this bug affect crowd connected JIRA instances?

            Heshan Manamperi added a comment - we use crowd as authentication directory and AD is connected to crowd. So will this bug affect crowd connected JIRA instances?

            Felix Grund (Scandio) added a comment -

            I assume that this is a fix in the embedded crowd libraries that are also shipped with Confluence? If so, could you provide the Crowd version in which this is resolved?

            Felix Grund (Scandio) added a comment - I assume that this is a fix in the embedded crowd libraries that are also shipped with Confluence? If so, could you provide the Crowd version in which this is resolved?

            Martin Cleaver added a comment - - edited

            Great to see this is resolved. Yes, please backport - we have various clients on 6.x

            Thanks,
            Martin

            Martin Cleaver added a comment - - edited Great to see this is resolved. Yes, please backport - we have various clients on 6.x Thanks, Martin

            Xoom Atlassian Administrator added a comment -

            Hello,

            Can you please add JIRA version 6.4.5. We just upgrade from 6.2 to 6.4.5 and we are just having this issue now.

            Thanks,
            Reanal

            Xoom Atlassian Administrator added a comment - Hello, Can you please add JIRA version 6.4.5. We just upgrade from 6.2 to 6.4.5 and we are just having this issue now. Thanks, Reanal

              gevesson@atlassian.com gary
              ddiblasio David Di Blasio
              Affected customers:
              55 This affects my team
              Watchers:
              67 Start watching this issue

                Created:
                Updated:
                Resolved: