Incremental Sync fails with "javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis" error

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

Crowd records a "javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis" message in the logs when an Authentication Test fails for certain users and/or when an incremental synchronization occurs between Crowd and an LDAP-based directory service.

Environment

3.7.0

Diagnosis

Within the Crowd application logs, the following error is recorded when an Authentication Test fails for certain users:

2020-07-15 11:26:43,868 http-nio-8095-exec-8 ERROR [console.action.application.ViewApplication] org.springframework.ldap.InvalidSearchFilterException: Unbalanced parenthesis; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'OU=Managed,OU=Groups,DC=abccompany,DC=com'
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.InvalidSearchFilterException: Unbalanced parenthesis; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'OU=Managed,OU=Groups,DC=abccompany,DC=com'
	at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:421)
...


Likewise, the following error appears in the Crowd application logs when an incremental synchronization fails between Crowd and an external directory service:

2020-07-15 11:22:49,790 Caesium-2-1 ERROR [atlassian.crowd.directory.DbCachingRemoteDirectory] Incremental synchronisation for directory [ 1234567 ] was unexpectedly interrupted, falling back to a full synchronisation
com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.InvalidSearchFilterException: Unbalanced parenthesis; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'OU=Managed,OU=Groups,DC=abccompany,DC=com'
	at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:421)
...


Within an application that's a client of Crowd (in this example Fisheye), similar errors may appear for a user when they try authenticating into the client application:

2020-07-28 08:02:18,147 ERROR - Could not authenticate user "joe_smith"
com.cenqua.fisheye.user.AuthenticationException: com.atlassian.crowd.exception.runtime.OperationFailedException
...
Caused by: com.atlassian.crowd.integration.rest.service.CrowdRestException: org.springframework.ldap.InvalidSearchFilterException: Unbalanced parenthesis; nested exception is javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'OU=Managed,OU=Groups,DC=abccompany,DC=com'


Cause

As indicated by the message, this error is triggered by an incorrectly configured user and/or group object filter. 
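
To locate the imbalance before saving a filter back into the directory configuration, the parentheses can be checked offline. The following is an added example, not Atlassian code; the function name and the sample filters are constructed for illustration.

```python
# Added example: locate unbalanced parentheses in an LDAP search filter.
# RFC 4515 requires literal parentheses inside a value to be escaped as
# \28 and \29, so every raw '(' or ')' in a filter is structural.

def check_ldap_filter(filt):
    """Return None if the parentheses are balanced, else the first problem."""
    if not filt.startswith("("):
        return "filter must start with '('"
    open_offsets = []  # offsets of '(' that have not been closed yet
    for i, ch in enumerate(filt):
        if not open_offsets and i > 0:
            # The outermost filter is already closed; nothing may follow it.
            if ch == ")":
                return f"unmatched ')' at offset {i}"
            return f"unexpected text at offset {i} after the filter was closed"
        if ch == "(":
            open_offsets.append(i)
        elif ch == ")":
            open_offsets.pop()
    if open_offsets:
        return f"{len(open_offsets)} unclosed '(' (opened at offset(s) {open_offsets})"
    return None


# Constructed sample filters (not taken from any real directory).
SAMPLES = {
    "balanced user filter": "(&(objectCategory=Person)(sAMAccountName=*))",
    "missing final ')'": "(&(objectCategory=Person)(sAMAccountName=*)",
    "extra ')'": "(objectClass=group))",
    "escaped parens in value": "(cn=Dev \\28EU\\29)",
}

if __name__ == "__main__":
    for label, filt in SAMPLES.items():
        problem = check_ldap_filter(filt)
        print(f"{label}: {filt}")
        print(f"    {'OK' if problem is None else problem}")
```

A filter that passes this check can still be rejected for other syntax errors; the check only covers the parenthesis balance that this exception reports.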

Solution

To fix this issue, review the directory's user and group object filters.  For reference, please see the following articles:

Note: If a filter is changed, the following error may still occur in the logs of the Crowd client application when it incrementally synchronizes with Crowd (for example, in Fisheye):

2020-07-29 11:32:29,805 ERROR - Could not authenticate user "joe_smith"
com.cenqua.fisheye.user.AuthenticationException: org.hibernate.exception.ConstraintViolationException: could not execute statement
	at com.cenqua.fisheye.user.embeddedcrowd.DefaultEmbeddedCrowdAuth.authenticate(DefaultEmbeddedCrowdAuth.java:76) [fisheye.jar:?]
...
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE KEY constraint 'uk_mem_parent_child_type'. Cannot insert duplicate key in object 'dbo.cwd_membership'. The duplicate key value is (70, 613, GROUP_USER).
	at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:262) [mssql-jdbc-7.2.2.jre8.jar:?]
...

To address this issue, the Crowd user directory entry within the client application will need to be recreated:

  1. First, log into the client application with a local admin account that's in the client application's internal user directory.
  2. Next, open the administration console: Administration > User Settings > User Directories.
  3. Locate the Crowd user directory.
  4. Click Disable and then move the directory to the bottom of the directory list.
  5. Now, recreate a user directory for Crowd according to the appropriate documentation below and using the original directory configuration as a guide:
  6. Once the new Crowd directory within the client application has been created, synchronize the Crowd directory and check that users and groups have synchronized down to the client application.
  7. If this checks out, log out of the client application and try logging in with your external directory service account.


Last modified on Sep 24, 2020
