Directory Synchronization Failure Due to Default Group Caused Duplicate Entry

Symptoms

If Confluence uses the CONNECTOR method to integrate with LDAP and the configured Base DN is at the upper root of the LDAP server tree, Confluence is very likely to find duplicate groups during synchronisation. These are normally the default groups that come with the LDAP server (e.g. Microsoft Active Directory). The following appears in the atlassian-confluence/jira.log:

2012-01-16 17:39:44,085 ERROR [scheduler_Worker-6] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 13528946 ].
java.lang.IllegalArgumentException: duplicate key: Domain Controllers 
at com.google.common.base.Preconditions.checkArgument(Preconditions.java:115) 
at com.google.common.collect.RegularImmutableMap.<init>(RegularImmutableMap.java:72) 
at com.google.common.collect.ImmutableMap$Builder.fromEntryList(ImmutableMap.java:221) 
at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:207) 
at com.google.common.collect.Maps.uniqueIndex(Maps.java:571) 
at com.google.common.collect.Maps.uniqueIndex(Maps.java:527) 
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseMemberships(AbstractCacheRefresher.java:126) 
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:44) 
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619) 
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50) 
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobBean.executeInternal(DirectoryPollerJobBean.java:29) 
at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86) 
at org.quartz.core.JobRunShell.run(JobRunShell.java:199) 
at com.atlassian.confluence.schedule.quartz.ConfluenceQuartzThreadPool$1.run(ConfluenceQuartzThreadPool.java:20) 
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)

The stack trace above shows that there are duplicate groups called "Domain Controllers", a group that exists in every tree on the LDAP server.

Cause

Confluence LDAP integration doesn't allow duplicate groups or users within the same User Directory.

Resolution

  1. If possible, refine the Base DN and narrow it down to a more specific tree that contains only what requires access to Confluence.
  2. Create a search filter that excludes the duplicate groups and add it to your Group Object Filter. For example:

    (&(objectCategory=Group)(!(cn=Domain Controllers)))

    More details on writing LDAP search filters can be found at How to write LDAP search filters.

    There might be multiple groups that need to be excluded, hence the first resolution is the recommended one.

  3. An improvement request has been filed to merge the memberships of the duplicate groups rather than stopping the synchronization: CONF-23213.
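
The following Python sketch is an added example, not Atlassian code. It takes a list of group DNs found under the configured Base DN, reports every group name that occurs under more than one DN, and builds a Group Object Filter in the form shown in resolution 2. The sample DNs and function names are constructed for illustration, and comparing names case-insensitively is an assumption.

```python
import re

# Constructed sample: group DNs as a search from a root-level Base DN might return them.
SAMPLE_GROUP_DNS = [
    "CN=Domain Controllers,CN=Users,DC=corp,DC=example,DC=com",
    "CN=Domain Controllers,CN=Users,DC=emea,DC=corp,DC=example,DC=com",
    "CN=confluence-users,OU=Groups,DC=corp,DC=example,DC=com",
    "CN=Ops (EU),OU=Groups,DC=corp,DC=example,DC=com",
    "cn=ops (eu),OU=Groups,DC=emea,DC=corp,DC=example,DC=com",
]

def group_cn(dn):
    """Value of the leftmost RDN, with DN escapes (\\, or \\2C) decoded."""
    m = re.match(r"\s*[^=,]+=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError("not a DN: %r" % dn)
    decode = lambda e: chr(int(e.group(1), 16)) if len(e.group(1)) == 2 else e.group(1)
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", decode, m.group(1)).strip()

def find_duplicate_groups(dns):
    """Map each group name seen under more than one DN to the DNs carrying it."""
    seen = {}
    for dn in dns:
        name = group_cn(dn)
        # Assumption: names are compared case-insensitively, as AD matches cn.
        seen.setdefault(name.casefold(), (name, []))[1].append(dn)
    return {name: where for name, where in seen.values() if len(where) > 1}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters for use inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_group_filter(excluded_names):
    """Group Object Filter in the article's form, one (!(cn=...)) per name."""
    nots = "".join("(!(cn=%s))" % escape_filter_value(n) for n in excluded_names)
    return "(&(objectCategory=Group)%s)" % nots

if __name__ == "__main__":
    dups = find_duplicate_groups(SAMPLE_GROUP_DNS)
    for name, where in dups.items():
        print("%s: %d entries" % (name, len(where)))
        for dn in where:
            print("   ", dn)
    print(build_group_filter(dups))
```

A long list of duplicates in the output is a sign that the Base DN is too broad, which is the case resolution 1 addresses.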

Last modified on Feb 26, 2016
