Syncing with LDAP Directories Containing CNF Attributes Produces Error Code 34 BAD_NAME
Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.
When Crowd or another Atlassian application using embedded Crowd attempts to sync with Active Directory it fails and produces an error message. The following appears in the
atlassian-crowd.log or the other Atlassian application's log:
[atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ XXXXX ]. org.springframework.ldap.InvalidNameException: cn=XXXXXXXXXXXXX cnf:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX,ou=XXXXX,ou=XXXX,dc=XXXXX,dc=XXXXXX: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349
Check the error in logs when syncing with the LDAP directory. You should notice a CNF attribute in the object DN.
This can be caused by the CNF attribute in the DN of the object causing an invalid name exception error. According to this Microsoft KB:
Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these accounts to a unique name. For example, object ABC is renamed to CNF:guid, where "" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGuid attribute value.
There is an improvement request created for Crowd to gracefully handle this error when finding a CNF attribute.
In order to sync with this directory you can try these alternatives:
- Remove the duplicated entries from the AD tree and make sure there are no duplicates replicating between AD domains. Check for this option with the AD administrator.
- Create an LDAP filter to avoid syncing with objects (Users and Groups) that containsCNF attributes. It should be something like this for groups:
Should become something like: (&(objectClass=group)(!(cnf=*))) OR (&(objectCategory=Group)(!(cn=*cnf=*))) OR (&(objectCategory=Group)(!(cn=*cnf:*)))
For more information about writing LDAP filters please see How to write LDAP search filters.