Bitbucket Server not retrieving users from Active Directory


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.


Problem

Even though the Active Directory server is reachable from Bitbucket Server and the user, group, and membership attributes are configured correctly, no users are synced.

There are no error messages in the logs, but debug logging shows that zero users have been synced:

2018-05-10 16:38:39,135 DEBUG [CrowdUsnChangedCacheRefresher:thread-1] c.a.c.directory.SpringLDAPConnector Performing user search: baseDN = DC=example,DC=com - filter = (&(&(objectclass=user)(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(accountExpires=0)(accountExpires>=131704436715550000))) in directory 7634945
...
2018-05-10 16:38:39,140 DEBUG [CrowdUsnChangedCacheRefresher:thread-2] c.a.c.d.l.SpringLdapTemplateWrapper Timed call for search with handler on baseDN: CN=stash-users,OU=Groups,DC=example,DC=com, filter: (&(objectCategory=Group)(|(cn=jira-test)(cn=confluence-test)(cn=stash-test)(cn=jira-users))) took 4ms
...
2018-05-10 16:38:40,800 DEBUG [Caesium-1-4]  c.a.s.i.crowd.HibernateDirectoryDao Updating object: com.atlassian.crowd.model.directory.DirectoryImpl@3c96ef05[lowerName=test_ldap,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[CREATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP, UPDATE_GROUP, UPDATE_USER_ATTRIBUTE],attributes={ldap.basedn=DC=example,DC=com, ldap.user.filter=(&(objectclass=user)(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))), ldap.user.username=sAMAccountName, ldap.usermembership.use=false, com.atlassian.crowd.directory.sync.lastdurationms=84, ldap.group.usernames=member, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, ldap.group.filter=(&(objectCategory=Group)(|(cn=jira-test)(cn=confluence-test)(cn=stash-test)(cn=jira-users))), ldap.userdn=CN=AD Reader,OU=Service Accounts,OU=HQ,OU=Administration,DC=example,DC=com, ldap.roles.disabled=true, ldap.external.id=objectGUID, ldap.url=ldap://example.com:3268, ldap.pagedresults=true, ldap.user.password=unicodePwd, ldap.user.lastname=sn, ldap.group.name=cn, ldap.referral=true, com.atlassian.crowd.directory.sync.issynchronising=true, ldap.group.dn=CN=stash-users,OU=Groups, ldap.relaxed.dn.standardisation=true, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.currentstartsynctime=1525805807800, ldap.password=********, autoAddGroups=, crowd.sync.incremental.enabled=false, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.usermembership.use.for.groups=false, ldap.user.objectclass=user, directory.cache.synchronise.interval=3600, ldap.nestedgroups.disabled=false, ldap.secure=false, ldap.user.username.rdn=cn, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, com.atlassian.crowd.directory.sync.laststartsynctime=1525805265781, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=true, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, ldap.user.dn=, ldap.group.objectclass=group, ldap.filter.expiredUsers=true, ldap.search.timelimit=60000}]
2018-05-08 18:56:47,811 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteDirectory FULL synchronisation for directory [ 7634945 ] starting
2018-05-08 18:56:47,817 INFO  [CrowdUsnChangedCacheRefresher:thread-1]  c.a.c.d.l.c.UsnChangedCacheRefresher found [ 0 ] remote users in [ 5ms ]
2018-05-08 18:56:47,818 INFO  [CrowdUsnChangedCacheRefresher:thread-2]  c.a.c.d.l.c.UsnChangedCacheRefresher found [ 1 ] remote groups in [ 6ms ]
2018-05-08 18:56:47,819 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 0 ] users for delete in DB cache in [ 2ms ]
2018-05-08 18:56:47,819 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned for deleted users in [ 2ms ]
2018-05-08 18:56:47,821 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanning [ 0 ] users to add or update
2018-05-08 18:56:47,821 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations scanned and compared [ 0 ] users for update in DB cache in [ 1ms ]
2018-05-08 18:56:47,821 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 0 ] users in [ 1ms ]
2018-05-08 18:56:47,824 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 1 ] groups for delete in DB cache in [ 3ms ]
2018-05-08 18:56:47,825 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations scanning [ 1 ] groups to add or update
2018-05-08 18:56:47,826 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 1 ] groups for update in DB cache in [ 1ms ]
2018-05-08 18:56:47,827 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronized [ 1 ] groups in [ 2ms ]
2018-05-08 18:56:47,827 INFO  [Caesium-1-4]  c.a.c.d.RFC4519DirectoryMembershipsIterable Searching for children of 1 groups
2018-05-08 18:56:47,838 INFO  [Caesium-1-4]  c.a.c.d.RFC4519DirectoryMembershipsIterable Found 1 children for 1 groups in 11 ms
2018-05-08 18:56:47,839 INFO  [Caesium-1-4]  c.a.c.d.RFC4519DirectoryMembershipsIterable Fetching details for 314 entities for membership resolution
2018-05-08 18:56:47,889 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteDirectory FULL synchronisation complete for directory [ 7634945 ] in [ 78ms ]

Diagnosis

Environment

  • This issue was replicated in Bitbucket Server 5.8.1, which uses version 2.12.0 of the embedded Crowd library.

Diagnostic Steps

  • The exact same LDAP configuration works in Stash 3.11.2, which has the Crowd 2.8.4-m1 libraries embedded.

Cause

Even though accountExpires is not part of the configured user filter (ldap.user.filter in the log above), Crowd 2.12.0 added its own check for that attribute: from that version onwards Crowd (and therefore the Crowd library embedded in Bitbucket Server) appends an accountExpires clause to the user search and filters out users whose account has expired. The appended clause is visible in the DEBUG search line above: (|(accountExpires=0)(accountExpires>=131704436715550000)).

From the AD directory configuration shown in the log excerpt above (ldap.url=ldap://example.com:3268) we can see that the instance connects to a Global Catalog (port 3268) rather than to a regular LDAP service (port 389 by default). The accountExpires attribute is unfortunately not replicated to a Global Catalog in Active Directory, so on a Global Catalog neither branch of the appended clause can match any entry and the user search returns zero users. This was reported as a bug in Crowd, and was fixed in Crowd versions 3.0.2 and 3.1.1.

The latest version of Bitbucket Server (currently 6.0) comes bundled with Crowd 3.3, where the bug is fixed. Older versions of Bitbucket Server do not bundle these newer Crowd library versions.
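The following is an added illustration, not code from the article or from Atlassian, of why the search in the log returns zero users on a Global Catalog. It converts the accountExpires threshold from the DEBUG search line (131704436715550000, a Windows FILETIME) to a date, and evaluates the appended clause against constructed sample entries: once as a domain controller on port 389 would return them, and once as a Global Catalog on port 3268 returns them, with accountExpires absent. The account names and expiry values are hypothetical, and the base user filter is simplified to an objectClass check; the filter_expired flag stands in for the "Filter out expired users" setting.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# Active Directory stores accountExpires in this format; 0 and the
# maximum signed 64-bit value both mean "never expires".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AD_NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF

# Threshold copied from the DEBUG search line in the article's log.
NOW_FT = 131704436715550000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an accountExpires / FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def account_expires_clause(now_filetime: int) -> str:
    """The clause Crowd appends to the user filter, in the form seen in the log."""
    return f"(|(accountExpires=0)(accountExpires>={now_filetime}))"


def matches_expiry_clause(entry: dict, now_filetime: int) -> bool:
    """Evaluate the appended clause against one entry.

    LDAP semantics matter here: an equality or ordering assertion on an
    attribute the entry does not carry evaluates to False, so an entry with
    no accountExpires attribute (the Global Catalog case) satisfies neither
    branch of the OR.
    """
    value = entry.get("accountExpires")
    if value is None:
        return False
    return value == 0 or value >= now_filetime


def sync_users(entries, now_filetime: int, filter_expired: bool = True) -> list:
    """Return the sAMAccountNames that survive the user search.

    The article's base filter is simplified to an objectClass check;
    filter_expired models the "Filter out expired users" directory setting.
    """
    kept = []
    for entry in entries:
        if "user" not in entry.get("objectClass", []):
            continue
        if filter_expired and not matches_expiry_clause(entry, now_filetime):
            continue
        kept.append(entry["sAMAccountName"])
    return kept


# Constructed sample entries (hypothetical accounts, not from the article):
# what a domain controller on port 389 returns for four users.
DC_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"],
     "accountExpires": 0},                                   # never expires
    {"sAMAccountName": "bob", "objectClass": ["top", "person", "user"],
     "accountExpires": NOW_FT + 30 * 86400 * 10_000_000},    # expires in 30 days
    {"sAMAccountName": "carol", "objectClass": ["top", "person", "user"],
     "accountExpires": NOW_FT - 30 * 86400 * 10_000_000},    # expired 30 days ago
    {"sAMAccountName": "dave", "objectClass": ["top", "person", "user"],
     "accountExpires": AD_NEVER_EXPIRES},                    # the other "never" value
]

# The same objects as served by a Global Catalog on port 3268: accountExpires
# is not replicated to the Global Catalog, so the attribute is simply absent.
GC_ENTRIES = [{k: v for k, v in e.items() if k != "accountExpires"} for e in DC_ENTRIES]


if __name__ == "__main__":
    print("clause:", account_expires_clause(NOW_FT), "=", filetime_to_datetime(NOW_FT))
    print("port 389,  expiry filter on :", sync_users(DC_ENTRIES, NOW_FT))
    print("port 3268, expiry filter on :", sync_users(GC_ENTRIES, NOW_FT))
    print("port 3268, expiry filter off:", sync_users(GC_ENTRIES, NOW_FT, filter_expired=False))
```

Against the domain controller view the clause keeps alice, bob and dave and drops the expired carol; against the Global Catalog view it keeps nobody, which is the "found [ 0 ] remote users" line in the log. Turning the expiry filter off on the Global Catalog brings all four back, including carol, so the first workaround trades away the exclusion of expired accounts at sync time; connecting to port 389 or upgrading keeps that exclusion.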

Workarounds

If using embedded Crowd version 2.12.0:

  • Disable the Filter out expired users setting (ldap.filter.expiredUsers in the log above) in the AD directory configured in Bitbucket Server
    OR
  • Connect to port 389 instead of port 3268

If using embedded Crowd versions older than 2.12.0:

  • This issue only impacts Incremental sync, so disabling incremental sync is a possible workaround for those versions.

Resolution

Upgrade to Bitbucket Server 6.0, which comes bundled with Crowd 3.3.0, where this bug is fixed.


Last modified on Feb 13, 2019
