Type: Suggestion
Resolution: Unresolved
Brief description:
When importing users from an LDAP service, incoming user objects are not checked for duplicate values in the LDAP attribute configured as the "User Unique ID Attribute". This can cause Jira to silently drop imported users, even though they are correctly detected during the sync.
Example scenario:
If I customise my "User Unique ID Attribute" to be a custom LDAP attribute called "EmployeeNumber", but two of the users being imported into the Jira server share the same "EmployeeNumber", Jira runs the import without throwing any error to indicate that the users are problematic.
Two users with the same EmployeeNumber are brought in, as shown in the demo data below, which we can see in the "atlassian-jira.log" files once trace logging is enabled for the "com.atlassian.crowd.directory" package:
2023-06-23 16:55:37,139+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] Search result uid=alan, with attributes {mail=mail: ashore@none.com, displayname=displayName: Alan Shore, givenname=givenName: Alan, employeenumber=employeeNumber: 0002, sn=sn: Shore, cn=cn: ashore}
2023-06-23 16:55:37,139+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.mapper.UserContextMapper] Created user <com.atlassian.crowd.model.user.LDAPUserWithAttributes@324ce9c8[dn=uid=alan,ou=users,dc=example,dc=com,directoryId=10000,name=ashore,active=true,emailAddress=ashore@none.com,firstName=Alan,lastName=Shore,displayName=Alan Shore,externalId=0002,attributes={}]> from DN <uid=alan,ou=Users,dc=example,dc=com>
2023-06-23 16:55:37,140+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] Search result uid=boimler, with attributes {mail=mail: bradward@none.com, displayname=displayName: Brad Boimler, givenname=givenName: Bradward, employeenumber=employeeNumber: 0002, sn=sn: Thrace, cn=cn: boimler}
2023-06-23 16:55:37,140+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.mapper.UserContextMapper] Created user <com.atlassian.crowd.model.user.LDAPUserWithAttributes@33a65fdd[dn=uid=boimler,ou=users,dc=example,dc=com,directoryId=10000,name=boimler,active=true,emailAddress=bradward@none.com,firstName=Bradward,lastName=Thrace,displayName=Brad Boimler,externalId=0002,attributes={}]> from DN <uid=boimler,ou=Users,dc=example,dc=com>
Note that the two users are distinct in the logs, but both share the same EmployeeNumber (i.e. the same externalId).
Later in the logs, we see errors where these users cannot be added to groups:
2023-06-23 16:55:37,449+1000 Caesium-1-3 WARN ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] Could not add the following missing users to group [ JiraSoftware ]: [ashore]
But there is no explanation as to why.
Outcome:
This can cause users to be completely missed from the import with no explanation, leaving users caught up in this very niche circumstance unable to log into Jira until the unique identifier issue is resolved.
Recommendation:
Jira should detect users with non-unique values in the unique ID attribute and actively show administrators an error stating which entries need to be resolved. The same condition should also be logged as a "WARN" message in the "atlassian-jira.log" file.
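The following is an added example, not code from this report or from Atlassian: a small Python pre-sync check that parses the "Search result" TRACE lines shown above and reports every value of the configured unique ID attribute that is shared by more than one user, in the WARN form the recommendation asks for. It assumes the attribute dump format visible in the sample lines (lower-cased key, then "name: value", comma separated) and the attribute name employeenumber; the first two log lines are the ones quoted above, the third (uid=carol) is a constructed non-colliding user.

```python
import re
from collections import defaultdict

# Constructed sample input: the first two TRACE lines are the ones quoted in
# the report; the third (uid=carol) is added here as a user with a unique ID.
SAMPLE_LOG = """\
2023-06-23 16:55:37,139+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] Search result uid=alan, with attributes {mail=mail: ashore@none.com, displayname=displayName: Alan Shore, givenname=givenName: Alan, employeenumber=employeeNumber: 0002, sn=sn: Shore, cn=cn: ashore}
2023-06-23 16:55:37,140+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] Search result uid=boimler, with attributes {mail=mail: bradward@none.com, displayname=displayName: Brad Boimler, givenname=givenName: Bradward, employeenumber=employeeNumber: 0002, sn=sn: Thrace, cn=cn: boimler}
2023-06-23 16:55:37,141+1000 Caesium-1-3 TRACE ServiceRunner [c.a.c.d.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler] Search result uid=carol, with attributes {mail=mail: carol@none.com, displayname=displayName: Carol Example, givenname=givenName: Carol, employeenumber=employeeNumber: 0003, sn=sn: Example, cn=cn: carol}
"""

# "Search result uid=alan, with attributes {...}" -> RDN plus the attribute dump.
SEARCH_RESULT_RE = re.compile(
    r"\] Search result (?P<rdn>[^,]+), with attributes \{(?P<attrs>.*)\}\s*$"
)
# One attribute in the dump looks like "employeenumber=employeeNumber: 0002":
# the key before '=' is the lower-cased attribute name (assumption based on the
# sample lines; values containing commas would need a smarter split).
ATTR_RE = re.compile(r"(?P<key>\w+)=\w+: (?P<val>[^,}]*)")


def parse_search_results(log_text):
    """Return one dict per 'Search result' TRACE line: {"uid": ..., attr: value, ...}.
    Lines that are not search results are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SEARCH_RESULT_RE.search(line)
        if not m:
            continue
        rdn = m.group("rdn")  # e.g. "uid=alan"
        entry = {"uid": rdn.split("=", 1)[1]}
        for a in ATTR_RE.finditer(m.group("attrs")):
            entry[a.group("key")] = a.group("val").strip()
        entries.append(entry)
    return entries


def find_duplicate_unique_ids(entries, unique_id_attr="employeenumber"):
    """Group users by the configured unique ID attribute and return only the
    values shared by more than one user, as {value: [uid, ...]}."""
    by_id = defaultdict(list)
    for e in entries:
        value = e.get(unique_id_attr)
        if value is None:
            continue  # a missing attribute is a separate problem, see below
        by_id[value].append(e["uid"])
    return {v: uids for v, uids in by_id.items() if len(uids) > 1}


def find_missing_unique_ids(entries, unique_id_attr="employeenumber"):
    """Users whose unique ID attribute is absent or empty cannot be mapped at all."""
    return [e["uid"] for e in entries if not e.get(unique_id_attr)]


def warning_lines(duplicates, unique_id_attr="employeenumber"):
    """Render collisions as WARN-style messages, the kind of output the report
    asks Jira to write to atlassian-jira.log during the sync."""
    return [
        f"WARN non-unique {unique_id_attr}={value!r} shared by users {sorted(uids)}; "
        f"only one of them can be mapped to this external ID"
        for value, uids in sorted(duplicates.items())
    ]


if __name__ == "__main__":
    users = parse_search_results(SAMPLE_LOG)
    for line in warning_lines(find_duplicate_unique_ids(users)):
        print(line)
    for uid in find_missing_unique_ids(users):
        print(f"WARN user {uid!r} has no employeenumber value")
```

Run against a real trace log, the duplicates it prints are the users that will later show up in "Could not add the following missing users to group" warnings without any stated cause; checking the directory for these collisions before enabling the sync avoids the silent drop the report describes.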
Is related to: PSSRV-75132