-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
7.3.0, 7.10.2
-
7.03
-
46
-
Severity 3 - Minor
-
2
-
Problem
When sync'ing JIRA with Active Directory's global catalog via incremental sync and "Filter out expired users" is enabled, we noticed that all users are deleted and re-created. This results in a loss of all local group membership details.
Steps to Reproduce
- Setup JIRA and add AD user directory
- For the port, input 3268 for the Global Catalog
- Choose to allow local groups
- Ensure "Filter out expired users" is enabled
- Save and sync - this will be a FULL sync as it is the first sync after the new configuration
- Add some users to local groups
- Sync with AD again - this time will be an INCREMENTAL sync
- Notice that all users lose their local groups
Investigation
- When using INCREMENTAL sync with "Filter out expired users", JIRA's ldapsearch includes a check for accountExpires
- accountExpires is not stored with Global Catalog: https://msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx
- In Global Catalog: False
- This causes the search to return no results, causing JIRA to believe no users exist
- Users are loosing session to login JIRA or got kick out
Full Sync:
2017-01-19 10:47:02,978 CrowdUsnChangedCacheRefresher:thread-1 DEBUG ServiceRunner [c.a.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = dc=example,dc=com - filter = (&(objectClass=user)(sAMAccountName=*))
Incremental Sync:
2017-01-19 13:00:25,745 Caesium-1-1 DEBUG ServiceRunner [c.a.crowd.directory.MicrosoftActiveDirectory] Performing all objectGUID search: filter = (&(&(objectClass=user)(sAMAccountName=*))(|(accountExpires=0)(accountExpires>=131293332257440000)))
Workaround
- Disable "Filter out expired users"
- Disable Incremental Sync in the JIRA to AD configuration
- Or avoid connecting to the Global Catalog, connect to port 389
- is related to
-
JRASERVER-71258 Jira should show a warning when setting User Directory with specific problematic settings
- Gathering Interest