Syncing with LDAP Directories Containing CNF Attributes Produces Error Code 34 BAD_NAME


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


Problem

When Crowd, or another Atlassian application using embedded Crowd, attempts to sync with Active Directory, the sync fails with an error. The following appears in atlassian-crowd.log (or in the other Atlassian application's log):

[atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ XXXXX ].
org.springframework.ldap.InvalidNameException: cn=XXXXXXXXXXXXX
cnf:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX,ou=XXXXX,ou=XXXX,dc=XXXXX,dc=XXXXXX: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349

Diagnosis

Check the error in logs when syncing with the LDAP directory. You should notice a CNF attribute in the object DN.

Cause

This is caused by the CNF attribute in the DN of the object, which triggers an invalid name exception. According to this Microsoft KB:

Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these accounts to a unique name. For example, object ABC is renamed to ABC*CNF:guid, where "*" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGuid attribute value.

Resolution

There is an improvement request for Crowd to handle this error gracefully when it encounters a CNF attribute.

In order to sync with this directory you can try these alternatives:

  1. Remove the duplicated entries from the AD tree and make sure there are no duplicates replicating between AD domains. Check this option with the AD administrator.
  2. Create an LDAP filter that excludes objects (users and groups) whose names contain the CNF marker from the sync. For groups it should be something like this:

LDAP filter

The group filter should become something like:

(&(objectClass=group)(!(cnf=*)))

OR

(&(objectCategory=Group)(!(cn=*cnf=*)))

OR

(&(objectCategory=Group)(!(cn=*cnf:*)))

For more information about writing LDAP filters please see How to write LDAP search filters.
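As an added example (not code from this article, from Atlassian or from Crowd), the following Python script covers the two checks a practitioner usually wants once this error shows up: it pulls the conflict-renamed DNs out of a constructed atlassian-crowd.log excerpt so they can be handed to the AD administrator (alternative 1), and it evaluates the logic of the third filter above, (&(objectCategory=Group)(!(cn=*cnf:*))), against constructed directory entries to show which objects the sync would still receive (alternative 2). The directory id, group names, GUID and DN components are all made up.

```python
import re

# Constructed sample log excerpt modelled on the message in this article; the
# directory id, group name, GUID and DN components are made up. The DN of a
# conflict-renamed object carries a line feed (0x0A) between the original CN
# value and the "CNF:<objectGUID>" marker, which is why it spans two log lines.
SAMPLE_LOG = (
    "[atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while "
    "refreshing the cache for directory [ 10001 ].\n"
    "org.springframework.ldap.InvalidNameException: cn=finance-admins\n"
    "CNF:0c7d6bd4-1f71-4f9a-9b49-8a4d0e4b5a4f,ou=Groups,ou=Corp,dc=example,dc=com: "
    "[LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 "
    "(BAD_NAME), data 8349\n"
)

# Matches the two-line DN printed by the InvalidNameException.
CNF_DN_RE = re.compile(
    r"InvalidNameException:\s*cn=(?P<cn>[^\n,]+)\n"   # original CN, then the 0x0A
    r"cnf:(?P<guid>[0-9a-f-]{36})"                     # conflict marker + objectGUID
    r"(?P<container>,[^:\n]*)",                        # remaining RDNs up to ": ["
    re.IGNORECASE,
)


def find_cnf_conflicts(log_text):
    """Return (cn, objectGUID, container) for every CNF-renamed DN that
    aborted a sync, so the entries can be reported to the AD administrator."""
    return [
        (m.group("cn"), m.group("guid").lower(), m.group("container").lstrip(","))
        for m in CNF_DN_RE.finditer(log_text)
    ]


def matches_substring_assertion(value, pattern):
    """Evaluate an LDAP substring assertion such as '*cnf:*' against one
    attribute value. cn is case-insensitive in AD, so both sides are lowered;
    '*' is the only wildcard, everything else must match literally."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, value.lower(), re.DOTALL) is not None


def passes_filter(entry, category="Group"):
    """Apply the logic of (&(objectCategory=Group)(!(cn=*cnf:*))) to a
    dict-shaped entry: True if the directory would return it to Crowd.
    objectCategory is simplified to its short name for this example."""
    if entry.get("objectCategory", "").lower() != category.lower():
        return False
    return not any(matches_substring_assertion(v, "*cnf:*") for v in entry.get("cn", []))


# Constructed directory entries: two healthy groups, one replication-conflict
# group renamed by AD, and a user that the group filter must not return.
SAMPLE_ENTRIES = [
    {"objectCategory": "Group", "cn": ["finance-admins"]},
    {"objectCategory": "Group",
     "cn": ["finance-admins\nCNF:0c7d6bd4-1f71-4f9a-9b49-8a4d0e4b5a4f"]},
    {"objectCategory": "Group", "cn": ["hr-readers"]},
    {"objectCategory": "Person", "cn": ["jsmith"]},
]


def sync_candidates(entries, category="Group"):
    """cn values the filter would let through to the Crowd sync."""
    return [e["cn"][0] for e in entries if passes_filter(e, category)]


if __name__ == "__main__":
    for cn, guid, container in find_cnf_conflicts(SAMPLE_LOG):
        print(f"conflict object: cn={cn!r} objectGUID={guid} in {container}")
    print("groups the filter still syncs:", sync_candidates(SAMPLE_ENTRIES))
```

The cn-based filter form is the one implemented here because, per the Microsoft description quoted above, the conflict marker is written into the object's name itself. In a real directory objectCategory holds the schema DN of the class rather than the short name used in this simplified check, and the filter is applied by the LDAP server, not client-side; the matcher only makes the filter's effect visible on sample data.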


Product: Jira, Confluence
Platform: Server, Cloud, Data Center
Last modified on Oct 19, 2018
