Syncing with LDAP Directories Containing CNF Attributes Produces Error Code 34 BAD_NAME


This article only applies to Atlassian's server products. Learn more about the differences between cloud and server.


Problem

When Crowd, or another Atlassian application using embedded Crowd, attempts to sync with Active Directory, the sync fails with an error. The following appears in atlassian-crowd.log or in the other Atlassian application's log:

[atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ XXXXX ].
org.springframework.ldap.InvalidNameException: cn=XXXXXXXXXXXXX
cnf:XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX,ou=XXXXX,ou=XXXX,dc=XXXXX,dc=XXXXXX: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349

Diagnosis

Check the error in the logs produced when syncing with the LDAP directory. You should notice a CNF attribute in the object DN.

Cause

This can happen when the CNF attribute in the object's DN triggers an invalid name exception. According to this Microsoft KB:

Active Directory supports multimaster replication of directory objects between all domain controllers in the domain. When replication of objects results in name conflicts (two objects have the same name within the same container), the system automatically renames one of these accounts to a unique name. For example, object ABC is renamed to CNF:guid, where "" represents a reserved character, "CNF" is a constant that indicates a conflict resolution, and "guid" represents a printable representation of the objectGuid attribute value.

Resolution

An improvement request has been created for Crowd to handle this error gracefully when it encounters a CNF attribute.

In order to sync with this directory you can try these alternatives:

  1. Remove the duplicated entries from the AD tree and make sure there are no duplicates replicating between AD domains. Check for this option with the AD administrator.
  2. Create an LDAP filter to avoid syncing with objects (Users and Groups) that contain CNF attributes. It should be something like this for groups:

LDAP Filter
Should become something like:

(&(objectClass=group)(!(cnf=*)))

OR 

(&(objectCategory=Group)(!(cn=*cnf=*)))
 
OR 
 
(&(objectCategory=Group)(!(cn=*cnf:*)))

For more information about writing LDAP filters please see How to write LDAP search filters.
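
The diagnosis and the filter workaround above, as an added example (not Atlassian's code): it pulls conflict objects out of error code 34 log entries and wraps an existing object filter with the third exclusion clause shown above. It assumes the reserved character in a conflict name is the line break seen in the log excerpt (raw, or escaped as \0A); the function names, sample log, group name and GUID are constructed.

```python
import re

# Assumption: the reserved character in a conflict name is the line break
# seen in the log excerpt, either raw or escaped as \0A.
CNF_RE = re.compile(
    r"(?:\n|\\0A)CNF:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)
# A DN quoted by the sync failure, up to the LDAP error detail.
LOG_RE = re.compile(
    r"InvalidNameException: (.+?): \[LDAP: error code 34", re.S)

def first_rdn(dn):
    """Leftmost RDN of dn, split at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
        elif dn[i] == ",":
            return dn[:i]
        else:
            i += 1
    return dn

def conflict_info(dn):
    """(original name, objectGUID) for a conflict object DN, else None."""
    _attr, _, value = first_rdn(dn).partition("=")
    m = CNF_RE.search(value)
    return (value[:m.start()], m.group(1).lower()) if m else None

def conflicts_in_log(text):
    """Conflict objects named in error code 34 sync failures."""
    hits = (conflict_info(dn) for dn in LOG_RE.findall(text))
    return [h for h in hits if h]

def exclude_conflicts(base_filter):
    """AND an object filter with the page's cn=*cnf:* exclusion clause."""
    base = base_filter.strip()
    base = base if base.startswith("(") else f"({base})"
    return f"(&{base}(!(cn=*cnf:*)))"

# Constructed log excerpt (group name and GUID are made up).
SAMPLE_LOG = (
    "org.springframework.ldap.InvalidNameException: cn=jira-users\n"
    "cnf:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0,ou=Groups,dc=example,dc=com: "
    "[LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 "
    "(BAD_NAME), data 8349\n"
)

if __name__ == "__main__":
    print(conflicts_in_log(SAMPLE_LOG), exclude_conflicts("objectClass=group"))
```

The names and GUIDs it reports are the entries to raise with the AD administrator under option 1.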


Product Jira, Confluence
Platform Server, Cloud, Data Center
Last modified on Oct 19, 2018
