Problem

When sync'ing JIRA with Active Directory's global catalog via incremental sync and "Filter out expired users" is enabled, we noticed that all users are deleted and re-created. This results in a loss of all local group membership details.

Steps to Reproduce

• Setup JIRA and add AD user directory
  • For the port, input 3268 for the Global Catalog
  • Choose to allow local groups
  • Ensure "Filter out expired users" is enabled
• Save and sync - this will be a FULL sync as it is the first sync after the new configuration
• Add some users to local groups
• Sync with AD again - this time will be an INCREMENTAL sync
• Notice that all users lose their local groups

Investigation

• When using INCREMENTAL sync with "Filter out expired users", JIRA's ldapsearch includes a check for accountExpires
• accountExpires is not stored with Global Catalog: https://msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx
  • In Global Catalog: False
• This causes the search to return no results, causing JIRA to believe no users exist
• Users are loosing session to login JIRA or got kick out

Full Sync:

2017-01-19 10:47:02,978 CrowdUsnChangedCacheRefresher:thread-1 DEBUG ServiceRunner     [c.a.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = dc=example,dc=com - filter = (&(objectClass=user)(sAMAccountName=*))

Incremental Sync:

2017-01-19 13:00:25,745 Caesium-1-1 DEBUG ServiceRunner     [c.a.crowd.directory.MicrosoftActiveDirectory] Performing all objectGUID search: filter = (&(&(objectClass=user)(sAMAccountName=*))(|(accountExpires=0)(accountExpires>=131293332257440000)))

Workaround

• Disable "Filter out expired users"
• Disable Incremental Sync in the JIRA to AD configuration
• Or avoid connecting to the Global Catalog, connect to port 389