Confluence to LDAP synchronization fails with 'Unable to find the username of the principal' due to LDAP configuration


Symptoms

Confluence cannot synchronize with the LDAP directory, and the following appears in atlassian-confluence.log:

2013-01-28 03:15:59,598 QuartzWorker-0 ERROR ServiceRunner     [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the username of the principal.
	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:266)
	at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:40)
	at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
	at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
	at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
	at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJob.execute(DirectoryPollerJob.java:34)
	at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
	at com.atlassian.multitenant.quartz.MultiTenantThreadPool$MultiTenantRunnable.run(MultiTenantThreadPool.java:72)
	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the username of the principal.
Workaround

Exclude user objects that are missing the User Name Attribute by adding a presence test for that attribute to the LDAP search filter. See How to write LDAP search filters.

Cause 1

The User Name Attribute (ldap.user.username) specified in Confluence's LDAP connector (User Schema Settings) does not apply to some or all of the users matched by the configured LDAP filter: some of the matched user objects are missing this attribute.

For example, on Active Directory the attribute used on the user object is typically sAMAccountName. If a matched user has no value for this attribute, Confluence cannot map that user during synchronization, and the exception above is thrown.

Resolution 1

Resolve this in one of two ways:

  • Add the missing User Name Attribute to the objects that lack it, or
  • Add a presence test for the User Name Attribute to the User Object Filter.

Adding the User Name Attribute to the User Object Filter ensures that Confluence only synchronizes objects that carry that attribute. For example:

  • If sAMAccountName is the User Name Attribute, add (sAMAccountName=*) to the User Object Filter:
    • User Object Filter: (&(objectCategory=Person)(sAMAccountName=*))
  • If mail is the User Name Attribute, add (mail=*) to the User Object Filter:
    • User Object Filter: (&(objectCategory=Person)(mail=*))

Note that Confluence will then synchronize only users that have the specified User Name Attribute; objects that are missing it are skipped rather than synchronized.

The Confluence application logs identify the objects that caused the synchronization to fail.

Cause 2

This was a bug in Confluence versions prior to 3.5.x, tracked and fixed as CONFSERVER-22048. The error appears after upgrading to Confluence 3.5.x.

The exception is thrown if the userSearchFilter element in your pre-3.5 atlassian-user.xml did not restrict results to entries that have the usernameAttribute. For example, if you are using Active Directory, the usernameAttribute should be set to sAMAccountName:

<usernameAttribute>sAMAccountName</usernameAttribute>

Resolution 2

  1. Revert to your configuration and data from before the upgrade.
  2. Update the filter in atlassian-user.xml to include your usernameAttribute. For example, if your username attribute is sAMAccountName and you had:

    <userSearchFilter>(objectClass=person)</userSearchFilter>

    replace it with:

    <userSearchFilter>(&amp;(objectClass=person)(sAMAccountName=*))</userSearchFilter>

  3. Upgrade to Confluence 3.5.x.
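The following is an added example for this article and is not code from Confluence or the Crowd LDAP connector. It covers both resolutions above: it finds the directory entries that lack the User Name Attribute (the objects behind the exception), builds the hardened User Object Filter from Resolution 1, and renders the XML-escaped userSearchFilter element from Resolution 2. The sample search result is constructed, and the helper names (find_entries_missing_username, add_presence_check, missing_username_filter, user_search_filter_xml) are this example's own.

```python
"""Find directory entries that lack the User Name Attribute and harden the
User Object Filter so that they are skipped.

Added example for this article, not code from Confluence or the Crowd LDAP
connector. The entries below are constructed; the helper names are this
example's own.
"""
from xml.sax.saxutils import escape

# Constructed sample search result, shaped like the {dn: {attr: [values]}}
# dictionaries that python-ldap / ldap3 return for an Active Directory search.
# Two of the four entries trip the synchroniser when the User Name Attribute
# is sAMAccountName; one trips it when the attribute is mail.
PERSON_CATEGORY = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"
SAMPLE_ENTRIES = {
    "CN=Alice Adams,OU=Staff,DC=example,DC=com": {
        "objectCategory": [PERSON_CATEGORY],
        "sAMAccountName": ["aadams"],
        "mail": ["alice@example.com"],
    },
    "CN=Bob Brown,OU=Staff,DC=example,DC=com": {
        "objectCategory": [PERSON_CATEGORY],
        "sAMAccountName": [""],            # attribute returned with an empty value
        "mail": ["bob@example.com"],
    },
    "CN=Svc Backup,OU=Service,DC=example,DC=com": {
        "objectCategory": [PERSON_CATEGORY],
        # sAMAccountName absent altogether
        "mail": ["backup@example.com"],
    },
    "CN=Carol Chen,OU=Staff,DC=example,DC=com": {
        "objectCategory": [PERSON_CATEGORY],
        "sAMAccountName": ["cchen"],
        # no mail attribute
    },
}


def find_entries_missing_username(entries, username_attr):
    """Return the DNs whose User Name Attribute is absent or has only empty
    values: the objects that cause 'Unable to find the username of the
    principal' during synchronization."""
    missing = []
    for dn, attrs in entries.items():
        values = attrs.get(username_attr, [])
        if not any(value.strip() for value in values):
            missing.append(dn)
    return sorted(missing)


def add_presence_check(user_object_filter, username_attr):
    """AND a presence test for username_attr into an RFC 4515 filter.

    (objectCategory=Person)  -> (&(objectCategory=Person)(sAMAccountName=*))
    (&(a=1)(b=2))            -> (&(a=1)(b=2)(sAMAccountName=*))
    A filter that already contains the presence test is returned unchanged
    (this simple substring check assumes the test is not inside a negation).
    """
    ldap_filter = user_object_filter.strip()
    presence = "(%s=*)" % username_attr
    if presence.lower() in ldap_filter.lower():
        return ldap_filter
    if ldap_filter.startswith("(&") and ldap_filter.endswith(")"):
        # Already a top-level AND: append the presence test inside it.
        return ldap_filter[:-1] + presence + ")"
    return "(&" + ldap_filter + presence + ")"


def missing_username_filter(user_object_filter, username_attr):
    """Filter that matches only the offending objects: the original User
    Object Filter ANDed with a negated presence test. Run it against the
    directory to list the entries to fix before changing the connector."""
    return "(&" + user_object_filter.strip() + "(!(%s=*)))" % username_attr


def user_search_filter_xml(ldap_filter):
    """Render the filter as the <userSearchFilter> element of a pre-3.5
    atlassian-user.xml. The '&' of an AND filter must be written as &amp;
    inside XML text."""
    return "<userSearchFilter>%s</userSearchFilter>" % escape(ldap_filter)


if __name__ == "__main__":
    for attr in ("sAMAccountName", "mail"):
        print("User Name Attribute %s missing on:" % attr)
        for dn in find_entries_missing_username(SAMPLE_ENTRIES, attr):
            print("  " + dn)
        print("  hardened filter :", add_presence_check("(objectCategory=Person)", attr))
        print("  offenders filter:", missing_username_filter("(objectCategory=Person)", attr))
    print(user_search_filter_xml(add_presence_check("(objectClass=person)", "sAMAccountName")))
```

The string returned by missing_username_filter can be passed to ldapsearch (or the directory's own query tool) as the search filter to see exactly which objects the connector is choking on; on Active Directory, objectCategory=Person also matches contact objects, which carry no sAMAccountName, so check whether the offenders are really users before adding the attribute to them. Note that adding the presence test to the filter hides the problem objects from the synchronization rather than fixing them.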


Last modified on Nov 2, 2018
