Confluence to LDAP synchronization fails with 'Unable to find the username of the principal' due to LDAP configuration
Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
Confluence cannot synchronize with LDAP, and the following appears in atlassian-confluence.log:
2013-01-28 03:15:59,598 QuartzWorker-0 ERROR ServiceRunner [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the username of the principal.
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:266)
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:40)
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJob.execute(DirectoryPollerJob.java:34)
at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
at com.atlassian.multitenant.quartz.MultiTenantThreadPool$MultiTenantRunnable.run(MultiTenantThreadPool.java:72)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the username of the principal.
Workaround
Exclude user objects that lack the User Name Attribute by using an LDAP search filter. See How to write LDAP search filters for details.
Cause
The User Name Attribute (ldap.user.username) specified in Confluence's LDAP connector (User Schema Settings) does not apply to all of the users matched by the configured LDAP filter: some of the matched user objects lack this attribute.
For example, on Active Directory servers the attribute used on the user object is sAMAccountName. If a matched user has an empty value for this attribute, Confluence cannot map that user during synchronization, which causes the exception above.
Resolution
Resolution is to either
- add the missing User Name Attribute to the objects that lack it, or
- add the User Name Attribute to the User Object Filter.
Adding the User Name Attribute to the User Object Filter ensures that Confluence only synchronizes objects that contain the User Name Attribute. For example:
- If sAMAccountName is used as the User Name Attribute, add (sAMAccountName=*) to the User Object Filter:
  User Object Filter: (&(objectCategory=Person)(sAMAccountName=*))
- If mail is used as the User Name Attribute, add (mail=*) to the User Object Filter:
  User Object Filter: (&(objectCategory=Person)(mail=*))
Note that this means Confluence will only synchronize users that have the specified User Name Attribute; users missing that attribute are skipped.
The Confluence application logs will list the objects that caused the failed synchronization.
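To see why the presence assertion in the Resolution fixes the sync, the following added example (not from the Atlassian article or Confluence's own code) evaluates the filter syntax used above against constructed sample entries: it lists the objects the original User Object Filter matches but that have no usable User Name Attribute, and shows that the corrected filter no longer selects them. The entry values and DNs are made up.

```python
# Added example (not from the Atlassian article): evaluates the filter syntax used
# above (&, |, !, presence "=*", equality) against constructed AD-style entries to
# show which objects the original filter matches but cannot be synchronised.
ENTRIES = [  # constructed: Bob has an empty sAMAccountName, svc-backup has none at all
    {"dn": "CN=Alice,DC=example,DC=com", "objectCategory": "Person",
     "sAMAccountName": "alice", "mail": "alice@example.com"},
    {"dn": "CN=Bob,DC=example,DC=com", "objectCategory": "Person",
     "sAMAccountName": "", "mail": "bob@example.com"},
    {"dn": "CN=svc-backup,DC=example,DC=com", "objectCategory": "Person",
     "mail": "svc-backup@example.com"},
    {"dn": "CN=Printer1,DC=example,DC=com", "objectCategory": "Computer",
     "sAMAccountName": "printer1$"},
]

def _attr(entry, name):  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)

def _parse(s, i=0):
    """Parse the filter component at s[i] == '('; return (node, index after it)."""
    if s[i + 1] in "&|!":                       # compound: (&...), (|...), (!...)
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                # step past the closing ')'
    end = s.index(")", i)                       # simple assertion: (attr=value)
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, k) for k in node[1])
    if node[0] == "|":
        return any(matches(entry, k) for k in node[1])
    if node[0] == "!":
        return not matches(entry, node[1][0])
    actual = _attr(entry, node[1])
    if node[2] == "*":                          # presence: attribute exists with a non-empty value
        return actual not in (None, "")
    return actual is not None and actual.lower() == node[2].lower()

def search(filter_str, entries=ENTRIES):        # DNs of the entries matched by filter_str
    node, _ = _parse(filter_str)
    return [e["dn"] for e in entries if matches(e, node)]

def unsyncable(filter_str, username_attr, entries=ENTRIES):
    """Matched entries whose User Name Attribute is missing or empty (the sync failures)."""
    node, _ = _parse(filter_str)
    return [e["dn"] for e in entries
            if matches(e, node) and _attr(e, username_attr) in (None, "")]

if __name__ == "__main__":
    print("offending objects:", unsyncable("(objectCategory=Person)", "sAMAccountName"))
```

Replacing ENTRIES with entries exported from your own directory and calling unsyncable with the filter and User Name Attribute currently configured in Confluence lists the objects that need fixing or excluding.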