Jira Data Center: JRASERVER-43495

Directory Synchronization Fails Against Active Directory Groups With Long Descriptions


Details

    Description

      Expected Behavior
      JIRA synchronization completes successfully.

      Actual Behavior
      JIRA fails to synchronize due to missing group attributes, and throws the following error:

      2015-05-21 10:57:04,939 atlassian-scheduler-quartz1.clustered_Worker-2 ERROR      [com.atlassian.scheduler.JobRunnerResponse] Unable to synchronise directory
      com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: RDS Remote Access Servers
      	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAllGroupAttributes(AbstractCacheRefresher.java:129)
      	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:94)
      	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:168)
      	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1122)
      	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:76)
      	at com.atlassian.jira.crowd.embedded.JiraDirectorySynchroniser.synchronizeDirectory(JiraDirectorySynchroniser.java:96)
      	at com.atlassian.jira.crowd.embedded.JiraDirectorySynchroniser.runJob(JiraDirectorySynchroniser.java:60)
      	at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:136)
      	at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:101)
      	at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:80)
      	at com.atlassian.scheduler.quartz1.Quartz1Job.execute(Quartz1Job.java:32)
      	at org.quartz.core.JobRunShell.run(JobRunShell.java:223)
      	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
      

      Steps to Reproduce

      • Set up an Active Directory Server
      • Create an AD Group that has more than 255 characters in the description
      • Create a LDAP connector with minimal settings (no filters or anything like that)
      • Observe synchronization failure

      Environment:

      JIRA 6.4.3
      Windows Server 2012 R2 with AD at 2012R2 Functional level
      Directory Configuration used:

      Directory ID: 10000
      Name: Active Directory server
      Active: true
      Type: CONNECTOR
      Created date: Thu May 21 09:39:13 CDT 2015
      Updated date: Thu May 21 11:54:32 CDT 2015
      Allowed operations: [UPDATE_GROUP_ATTRIBUTE, UPDATE_USER_ATTRIBUTE]
      Implementation class: com.atlassian.crowd.directory.MicrosoftActiveDirectory
      Encryption type: sha
      Attributes: 
          "autoAddGroups": ""
          "com.atlassian.crowd.directory.sync.currentstartsynctime": "null"
          "com.atlassian.crowd.directory.sync.issynchronising": "false"
          "com.atlassian.crowd.directory.sync.lastdurationms": "2960905"
          "com.atlassian.crowd.directory.sync.laststartsynctime": "1432224311907"
          "crowd.sync.incremental.enabled": "true"
          "directory.cache.synchronise.interval": "3600"
          "ldap.basedn": "dc=lab,dc=local"
          "ldap.connection.timeout": "10000"
          "ldap.external.id": "objectGUID"
          "ldap.group.description": "description"
          "ldap.group.dn": ""
          "ldap.group.filter": "(objectCategory=Group)"
          "ldap.group.name": "cn"
          "ldap.group.objectclass": "group"
          "ldap.group.usernames": "member"
          "ldap.local.groups": "false"
          "ldap.nestedgroups.disabled": "true"
          "ldap.pagedresults": "true"
          "ldap.pagedresults.size": "1000"
          "ldap.password": ********
          "ldap.pool.initsize": "null"
          "ldap.pool.maxsize": "null"
          "ldap.pool.prefsize": "null"
          "ldap.pool.timeout": "0"
          "ldap.propogate.changes": "false"
          "ldap.read.timeout": "120000"
          "ldap.referral": "true"
          "ldap.relaxed.dn.standardisation": "true"
          "ldap.roles.disabled": "true"
          "ldap.search.timelimit": "60000"
          "ldap.secure": "false"
          "ldap.url": "ldap://127.0.0.1:3268"
          "ldap.user.displayname": "displayName"
          "ldap.user.dn": ""
          "ldap.user.email": "mail"
          "ldap.user.encryption": "sha"
          "ldap.user.filter": "(&(objectCategory=Person)(sAMAccountName=*))"
          "ldap.user.firstname": "givenName"
          "ldap.user.group": "memberOf"
          "ldap.user.lastname": "sn"
          "ldap.user.objectclass": "user"
          "ldap.user.password": "unicodePwd"
          "ldap.user.username": "sAMAccountName"
          "ldap.user.username.rdn": "cn"
          "ldap.userdn": "ldap"
          "ldap.usermembership.use": "false"
          "ldap.usermembership.use.for.groups": "false"
          "localUserStatusEnabled": "false"
      

      Workaround

      • Exclude the following groups from directory synchronization through a Group Object Filter.

        RDS Endpoint Servers, Exchange Trusted Subsystem, RDS Remote Access Servers, RDS Management Servers, Help Desk

        You can use the following filter for this.
        (&(objectClass=group)(!(cn=*RDS Endpoint Servers*))(!(cn=*Exchange Trusted Subsystem*))(!(cn=*RDS Remote Access Servers*))(!(cn=*RDS Management Servers*))(!(cn=*Help Desk*)))
      • The groups to exclude depend on which missing groups are showing in the logs. You can refer to the steps below to check the missing groups:
        1. Search for this "Failed to synchronize directory group attributes for missing group" exception in the logs (atlassian-jira.log)
        2. You will see something like this:
          Failed to synchronize directory group attributes for missing group: FC Financial Practitioners Observations

          FC Financial Practitioners Observations is the missing group.

        3. Amend the group object filter, for example:
          (&(objectClass=group)(!(cn=*FC Financial Practitioners Observations*)))
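
The log search and filter amendment from the workaround steps, as an added example (not Atlassian's code): it collects the missing group names from log text and builds the exclusion filter in the page's cn=*NAME* form, escaping LDAP filter metacharacters per RFC 4515. The log lines are constructed from the message format shown above; the group name "Help Desk (Tier 2)" and all function names are assumptions.

```python
import re

# Message text as it appears in atlassian-jira.log on this page.
MISSING_RE = re.compile(
    r"Failed to synchronize directory group attributes for missing group: (.+?)\s*$"
)

# Constructed sample log lines (not real output); the last group name is hypothetical.
SAMPLE_LOG = """\
2015-05-21 10:57:04,939 ERROR Unable to synchronise directory
com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: RDS Remote Access Servers
com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: FC Financial Practitioners Observations
com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: RDS Remote Access Servers
com.atlassian.crowd.exception.OperationFailedException: Failed to synchronize directory group attributes for missing group: Help Desk (Tier 2)
"""


def ldap_escape(value):
    """Escape a literal for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def missing_groups(log_lines):
    """Return distinct missing group names in first-seen order."""
    seen = []
    for line in log_lines:
        match = MISSING_RE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def exclusion_filter(groups, base="(objectClass=group)"):
    """Build (&(objectClass=group)(!(cn=*NAME*))...) as in the workaround."""
    if not groups:
        return base
    clauses = "".join("(!(cn=*%s*))" % ldap_escape(g) for g in groups)
    return "(&%s%s)" % (base, clauses)


if __name__ == "__main__":
    names = missing_groups(SAMPLE_LOG.splitlines())
    print(names)
    print(exclusion_filter(names))
```

Because the filter uses substring matches, each clause also excludes any other group whose cn contains the same text, so review which groups disappear after the next synchronization.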

            People

              gevesson@atlassian.com gary
              ddiblasio David Di Blasio
              Votes: 55
              Watchers: 67
