Slow authentication in Confluence when using Delegated LDAP with Follow Referrals

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Description

When Confluence is configured with a Delegated Authentication Directory backed by an external LDAP server, every login is verified against that server, and the work involved grows when LDAP referrals are in play.

LDAP referrals allow a directory tree to be split across several LDAP servers: a server that does not hold part of the tree answers with a referral, an LDAP URL naming the host, port and base DN that does. Active Directory uses this to spread a forest over multiple domains and partitions.

When the "Follow Referrals" option is enabled in Confluence's User Directory settings, the Java LDAP client follows each referral it receives: it resolves the hostname in the referral URL through the Confluence server's DNS, opens a new connection to that host and port, and re-issues the search there. A single user or group lookup can therefore fan out into several connections to servers that were never configured explicitly in Confluence.

Each of those hops adds a DNS lookup and a TCP connection. If the Confluence host cannot resolve the referral hostname, or cannot reach the port the referral names (the log below shows 389), the client waits for the connect timeout before giving up, and that time is charged to the user's login. When the accumulated delay approaches or exceeds the configured timeouts, authentication becomes sluggish or fails outright.

Diagnosis

When a user from the Delegated user directory attempts to authenticate to Confluence, the following message is seen in atlassian-security.log (note that a single search took over 41 seconds):

2023-05-19 15:34:39,205 INFO [https-jsse-nio-443-exec-21] [crowd.directory.ldap.SpringLdapTemplateWrapper] call Timed call for search with handler on dc=companyname,dc=com took 41633ms

When cross-referencing these entries with atlassian-confluence.log we have:

2023-05-19 15:34:39,209 ERROR [https-jsse-nio-443-exec-21] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Could not update remote group imported memberships of user "username" in directory "Delegated authentication directory".
 -- url: /doauthenticate.action | traceId: 067c46d13bf8bdc3 | userName: username | referer: https://localhost/authenticate.action?destination=/admin/viewgeneralconfig.action | action: doauthenticate
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.example.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:453)
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:415)

...

Caused by: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.example.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:216)

....

Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.example.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(Unknown Source)
    at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(Unknown Source)

The user's authentication can then take several minutes to complete, or fail altogether. The host named in the stack trace, DomainDnsZones.example.com, is one of the DNS application partitions that Active Directory returns referrals to when a subtree search starts at the domain root: the search itself succeeded, but the client could not open a TCP connection to the referred host on port 389, so JNDI reported the result set as partial. The thread name ([https-jsse-nio-443-exec-21]) is the same in both files, which is how the two entries are tied together.
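
The correlation described above can be scripted when the logs are large. The following is an added example for this article, not Atlassian code: it pulls the slow "Timed call" entries out of atlassian-security.log, finds the PartialResultException records in atlassian-confluence.log, ties them together by thread name and timestamp, and extracts the referral target the client could not reach. The embedded log excerpts are constructed from the ones shown above; the 5-second slow-call threshold and 5-second correlation window are assumptions.

```python
"""Triage helper for slow Delegated LDAP logins caused by referral chasing.

Added example for this article, not Atlassian code. It correlates "Timed call"
entries in atlassian-security.log with PartialResultException records in
atlassian-confluence.log by thread name and timestamp, and extracts the
referral target the Java LDAP client could not reach. The embedded log excerpts
are constructed from the ones in this article; the 5 s slow-call threshold and
the 5 s correlation window are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

TS_FMT = "%Y-%m-%d %H:%M:%S,%f"
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
SLOW_CALL = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[(?P<thread>[^\]]+)\] "
    r"\[crowd\.directory\.ldap\.SpringLdapTemplateWrapper\] call Timed call for "
    r"(?P<op>.+?) on (?P<base>\S+) took (?P<ms>\d+)ms"
)
ERROR_HEAD = re.compile(r"^(?P<ts>\S+ \S+) ERROR \[(?P<thread>[^\]]+)\] ")
# JNDI names the referral target it failed to reach inside the CommunicationException.
REFERRAL_FAIL = re.compile(
    r"javax\.naming\.CommunicationException: (?P<target>[\w.-]+:\d+) "
    r"\[Root exception is (?P<cause>[\w.]+): (?P<detail>[^\]]+)\]"
)
USER = re.compile(r"userName: (?P<user>\S+)")


@dataclass
class SlowCall:
    ts: datetime
    thread: str
    base: str
    ms: int


@dataclass
class ReferralFailure:
    ts: datetime
    thread: str
    user: Optional[str]
    target: str  # host:port from the referral URL the client tried to follow
    cause: str
    detail: str


def records(lines: Iterable[str]) -> Iterable[str]:
    """Group lines into log records: a timestamped line plus its continuation lines."""
    current: List[str] = []
    for line in lines:
        if RECORD_START.match(line) and current:
            yield "\n".join(current)
            current = []
        current.append(line)
    if current:
        yield "\n".join(current)


def parse_security_log(lines: Iterable[str], threshold_ms: int = 5000) -> List[SlowCall]:
    """Return LDAP calls from atlassian-security.log that took at least threshold_ms."""
    out = []
    for line in lines:
        m = SLOW_CALL.match(line)
        if m and int(m["ms"]) >= threshold_ms:
            out.append(SlowCall(datetime.strptime(m["ts"], TS_FMT), m["thread"], m["base"], int(m["ms"])))
    return out


def parse_confluence_log(lines: Iterable[str]) -> List[ReferralFailure]:
    """Return ERROR records whose stack trace names a referral target that could not be reached."""
    out = []
    for rec in records(lines):
        head, fail = ERROR_HEAD.match(rec), REFERRAL_FAIL.search(rec)
        if not (head and fail):
            continue
        user = USER.search(rec)
        out.append(ReferralFailure(datetime.strptime(head["ts"], TS_FMT), head["thread"],
                                   user["user"] if user else None, fail["target"], fail["cause"], fail["detail"]))
    return out


def correlate(slow_calls: List[SlowCall], failures: List[ReferralFailure], window_s: float = 5.0) -> List[dict]:
    """Pair each referral failure with the slow LDAP call logged on the same thread just before it."""
    report = []
    for f in failures:
        same_thread = [s for s in slow_calls
                       if s.thread == f.thread and 0 <= (f.ts - s.ts).total_seconds() <= window_s]
        slow = max(same_thread, key=lambda s: s.ms) if same_thread else None
        report.append({"user": f.user, "thread": f.thread, "target": f.target, "cause": f.cause,
                       "detail": f.detail, "base": slow.base if slow else None,
                       "slow_ms": slow.ms if slow else None})
    return report


def failing_targets(failures: List[ReferralFailure]) -> Counter:
    """Count failures per referral target: these are the hosts to check from the Confluence server."""
    return Counter(f.target for f in failures)


# Constructed sample logs, modelled on the excerpts in this article (not real captures).
SECURITY_LOG = """\
2023-05-19 15:34:39,205 INFO [https-jsse-nio-443-exec-21] [crowd.directory.ldap.SpringLdapTemplateWrapper] call Timed call for search with handler on dc=companyname,dc=com took 41633ms
2023-05-19 15:35:02,010 INFO [https-jsse-nio-443-exec-7] [crowd.directory.ldap.SpringLdapTemplateWrapper] call Timed call for search with handler on dc=companyname,dc=com took 120ms
"""
CONFLUENCE_LOG = """\
2023-05-19 15:34:39,209 ERROR [https-jsse-nio-443-exec-21] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Could not update remote group imported memberships of user "username" in directory "Delegated authentication directory".
 -- url: /doauthenticate.action | traceId: 067c46d13bf8bdc3 | userName: username | referer: https://localhost/authenticate.action?destination=/admin/viewgeneralconfig.action | action: doauthenticate
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.example.com:389 [Root exception is java.net.ConnectException: Connection timed out: connect]]
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:453)
2023-05-19 15:35:02,015 INFO [https-jsse-nio-443-exec-7] [example.ConstructedFiller] a record with no referral failure, included to show it is skipped
"""

if __name__ == "__main__":
    slow = parse_security_log(SECURITY_LOG.splitlines())
    fails = parse_confluence_log(CONFLUENCE_LOG.splitlines())
    for row in correlate(slow, fails):
        print(row)
    print(failing_targets(fails))
```

Point the script at the real files with `parse_security_log(open(path))` and `parse_confluence_log(open(path))`; the `failing_targets` counter is the list of hosts to resolve and connect to from the Confluence server in the DNS check below.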

Solution

To address slow user authentication and timeout errors in Confluence when using a Delegated LDAP directory with follow referrals enabled, consider the following steps:

Warning: to avoid disruptions in your production environment, we recommend testing any changes to Confluence in a staging environment first.

  1. Review and Optimize LDAP Filters, Schemas and Base DN:

    • Ensure that the LDAP search filters and schemas configured in Confluence are efficient. Broad filters make queries traverse more of the directory than necessary, which adds delay. Verify that the filters are specific enough to target only the necessary users and groups.

    • Check where searches start. In Active Directory a subtree search from the domain root returns referrals to the DomainDnsZones and ForestDnsZones partitions (the host in the stack trace above is one of them), so a Base DN scoped to the OU that holds your users and groups avoids those referrals entirely.

    • Consider consulting with your LDAP or Active Directory admin to tailor these filters to your organizational structure.

  2. Check DNS Configuration:

    • Confirm that the server hosting Confluence is using the correct DNS server, ideally the one integrated with your Active Directory environment. A referral names a hostname (DomainDnsZones.example.com in the trace above) that typically exists only in AD-integrated DNS; if the Confluence host resolves it slowly, or not at all, every referral costs a lookup delay or a timeout.

    • Ensure that the DNS server's address or settings have not changed unexpectedly. Any changes should be updated in the network configuration of the Confluence server to maintain seamless LDAP connectivity.

    • From the Confluence host, resolve the referral hostname and test a TCP connection to the port in the referral (389 in the trace above). A lookup that fails points at DNS; a lookup that succeeds followed by a connection that hangs until timeout points at a firewall or routing gap between Confluence and the referred server.

  3. Consider Disabling Follow Referrals: The Follow Referrals option in Confluence's directory settings can impact authentication performance. Disabling it stops the client from chasing referrals, and so eliminates timeouts caused by referral targets that are slow or unreachable. Note that while the option is enabled, the referral URL, not Confluence's own directory settings, decides which host and port the client connects to and whether that hop is encrypted (the trace above shows a plain-LDAP port 389 target), and the connection is made with the directory's bind credentials; confirm with your Active Directory administrator that the referral targets are servers you intend Confluence to talk to.

    What are the implications of disabling 'Follow Referrals'?

    • Single Domain Setup: If your organization operates within a single domain, disabling follow referrals should not adversely affect user authentication. The LDAP queries will not need to navigate across referrals, resulting in faster response times.
    • Multiple Domains in a Forest: In environments with multiple domains joined in a forest, disabling follow referrals means that cross-domain group memberships will not be resolved. This could impact users who need to access resources across different domains.
      • Global Catalog as an Alternative: If cross-domain resolution is necessary and the DNS or network issues cannot be resolved, consider pointing Confluence at a Global Catalog server (port 3268 for LDAP, 3269 for LDAPS). The Global Catalog contains a partial replica of all objects in the forest, providing a read-only view that includes users, groups and universal-group memberships from all domains. It carries only a partial attribute set, and membership of global and domain local groups from other domains is not replicated to it, so verify that the attributes and groups Confluence relies on are available there before switching. Consult your Active Directory administrator for the appropriate connection details.
  4. Collaborate with AD Administrators: Work closely with your Active Directory administrators to ensure that your LDAP configuration aligns with best practices and organizational requirements. They can provide insights into optimal LDAP settings and help troubleshoot any underlying issues with DNS or domain referrals.
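
The DNS and connectivity check from step 2 can be reproduced from the Confluence host with the script below. It is an added example for this article, not Atlassian code: for each host:port it times the DNS lookup and then a TCP connect with an explicit timeout, the two steps the Java LDAP client performs for every referral it follows, so a slow resolver or a filtered port shows up as a number instead of a minutes-long login, and each outcome is mapped to the step above that addresses it. The target list (the referral host from the trace plus an assumed Global Catalog named dc01.example.com), the 3-second timeout and the `self_check` loopback listener are constructed assumptions; 3268 and 3269 are the standard Global Catalog LDAP and LDAPS ports.

```python
"""Reachability check for LDAP referral targets, run from the Confluence host.

Added example for this article, not Atlassian code. For each host:port it times
the DNS lookup and then a TCP connect with an explicit timeout, the two steps
the Java LDAP client performs for every referral it follows. The target list,
the 3 s timeout and the host names are constructed assumptions; 3268 and 3269
are the standard Global Catalog LDAP and LDAPS ports.
"""
import socket
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class ProbeResult:
    target: str
    status: str                  # "ok", "dns_failure", "timeout", "refused" or "error"
    dns_ms: float                # time spent resolving the name
    connect_ms: Optional[float]  # time spent connecting; None when resolution failed
    address: Optional[str]       # first address the resolver returned
    detail: str = ""


def probe_target(host: str, port: int, timeout_s: float = 3.0) -> ProbeResult:
    """Resolve host, then attempt one TCP connection to host:port within timeout_s."""
    target = f"{host}:{port}"
    t0 = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ProbeResult(target, "dns_failure", (time.monotonic() - t0) * 1000, None, None, str(exc))
    dns_ms = (time.monotonic() - t0) * 1000
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout_s)
    t1 = time.monotonic()
    try:
        sock.connect(sockaddr)
        status, detail = "ok", ""
    except socket.timeout:
        status, detail = "timeout", f"no connection within {timeout_s}s (filtered port or routing gap)"
    except ConnectionRefusedError as exc:
        status, detail = "refused", str(exc)
    except OSError as exc:
        status, detail = "error", str(exc)
    finally:
        sock.close()
    return ProbeResult(target, status, dns_ms, (time.monotonic() - t1) * 1000, sockaddr[0], detail)


def probe_all(targets: Iterable[Tuple[str, int]], timeout_s: float = 3.0) -> List[ProbeResult]:
    """Probe every (host, port) pair in turn, e.g. the failing targets found in the logs."""
    return [probe_target(host, port, timeout_s) for host, port in targets]


# Maps each outcome to the step in this article that addresses it.
REMEDIATION = {
    "dns_failure": "DNS: the Confluence host cannot resolve the referral target; point its resolver at AD-integrated DNS (step 2).",
    "timeout": "Network: the name resolves but the port is filtered or unrouted; open the path, or disable Follow Referrals / use the Global Catalog (step 3).",
    "refused": "Service: the host answers but nothing listens on that port; confirm the port (389/636, or 3268/3269 for the Global Catalog).",
    "ok": "Reachable: if logins are still slow, compare dns_ms and connect_ms with the directory's timeout settings.",
    "error": "Other socket error; see detail.",
}


def remediation_for(result: ProbeResult) -> str:
    return REMEDIATION[result.status]


def self_check(timeout_s: float = 1.0) -> ProbeResult:
    """Probe a throw-away loopback listener, to confirm the tool itself works before blaming the network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        return probe_target("127.0.0.1", listener.getsockname()[1], timeout_s)
    finally:
        listener.close()


if __name__ == "__main__":
    # Constructed targets: the referral host from the trace in this article, plus an assumed Global Catalog.
    TARGETS = [("DomainDnsZones.example.com", 389), ("dc01.example.com", 3268)]
    print(self_check())
    for result in probe_all(TARGETS):
        connect = "-" if result.connect_ms is None else f"{result.connect_ms:.0f}ms"
        print(f"{result.target:35} {result.status:12} dns={result.dns_ms:.0f}ms connect={connect}  "
              f"{remediation_for(result)}")
```

Run it on the Confluence server itself, not from a workstation: the resolver and firewall path that matter are the ones that host sees. A `dns_ms` in the hundreds of milliseconds on every referral is worth fixing even when the status is "ok", because the client pays it on each hop.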

Last modified on Aug 30, 2024
