Unable to Deactivate User That Belongs to an Active Directory (AD) User Directory With NULL Errors
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
While trying to deactivate a user that belongs to an AD user directory, a NULL error appears and the user cannot be deactivated.
The following appears in the atlassian-crowd.log:
2016-03-03 13:57:17,889 http-bio-8095-exec-4078 ERROR [console.action.principal.UpdatePrincipal] null
java.lang.NumberFormatException: null
    at java.lang.Long.parseLong(Long.java:552)
    at java.lang.Long.parseLong(Long.java:631)
    at com.atlassian.crowd.directory.ldap.mapper.attribute.UserAccountControlUtil.enabledUser(UserAccountControlUtil.java:25)
    at com.atlassian.crowd.directory.MicrosoftActiveDirectory.getUserModificationItems(MicrosoftActiveDirectory.java:927)
    at com.atlassian.crowd.directory.SpringLDAPConnector.updateUser(SpringLDAPConnector.java:1006)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateUser(DbCachingRemoteDirectory.java:538)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.updateUser(DirectoryManagerGeneric.java:365)
2016-03-03 13:58:24,248 http-bio-8095-exec-4039 ERROR [console.action.principal.UpdatePrincipal] User renaming is not supported for LDAP directories.
com.atlassian.crowd.exception.OperationNotSupportedException: User renaming is not supported for LDAP directories.
    at com.atlassian.crowd.directory.SpringLDAPConnector.renameUser(SpringLDAPConnector.java:742)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.renameUser(DbCachingRemoteDirectory.java:566)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.renameUser(DirectoryManagerGeneric.java:390)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
Crowd is unable to read a required user attribute from AD (the stack trace shows the failure in UserAccountControlUtil, while parsing the user's account control value). The attribute value is therefore passed as NULL, and Crowd throws the NULL error (a NumberFormatException) when it tries to parse it.
This issue arises when the AD account that Crowd uses to bind to AD does not have permission to read this attribute.
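To make the cause concrete, here is an added illustration (not Crowd's own code; the class and method names are hypothetical) of how a userAccountControl value is parsed when an account is enabled or disabled, and why a value the bind account cannot read surfaces as "NumberFormatException: null":

```java
import java.util.HashMap;
import java.util.Map;
public class UserAccountControlCheck {
    // ACCOUNTDISABLE bit of the AD userAccountControl attribute.
    static final long ACCOUNTDISABLE = 0x0002L;

    // Naive parse, matching the failure in the stack trace: the attribute
    // value goes straight into Long.parseLong, and Long.parseLong(null)
    // throws a NumberFormatException whose message is the string "null".
    static boolean isEnabledNaive(String userAccountControl) {
        return (Long.parseLong(userAccountControl) & ACCOUNTDISABLE) == 0;
    }

    // Checked parse: a missing attribute is reported as a read-permission
    // problem on the bind account rather than as a bare "null" parse error.
    static long parseChecked(String userAccountControl) {
        if (userAccountControl == null || userAccountControl.trim().isEmpty()) {
            throw new IllegalStateException("userAccountControl was not returned "
                + "by AD; verify the bind account can read the user object");
        }
        return Long.parseLong(userAccountControl.trim());
    }

    // Value that would be written back to AD to deactivate the account.
    static String disabledValue(String userAccountControl) {
        return Long.toString(parseChecked(userAccountControl) | ACCOUNTDISABLE);
    }

    public static void main(String[] args) {
        // Constructed sample attribute sets, as an LDAP search might return them.
        Map<String, String> fullRead = new HashMap<>();
        fullRead.put("sAMAccountName", "jdoe");
        fullRead.put("userAccountControl", "512"); // NORMAL_ACCOUNT, enabled
        Map<String, String> restricted = new HashMap<>();
        restricted.put("sAMAccountName", "jdoe"); // userAccountControl not readable
        System.out.println("enabled: " + isEnabledNaive(fullRead.get("userAccountControl")));
        System.out.println("disable value: " + disabledValue(fullRead.get("userAccountControl")));
        try {
            isEnabledNaive(restricted.get("userAccountControl"));
        } catch (NumberFormatException e) {
            System.out.println("naive: NumberFormatException: " + e.getMessage());
        }
        try {
            disabledValue(restricted.get("userAccountControl"));
        } catch (IllegalStateException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```

The first catch block reproduces the exact message seen in the log; the second shows the kind of message that points an administrator at the bind account's permissions instead.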
Ensure that the AD account used to bind the external directory belongs to the built-in Administrators group on the AD side.
As described in the documentation:
Ensure that this is an administrator user for the LDAP engine. For example, in Active Directory the user will need to be a member of the built-in Administrators group. The specific privileges for the LDAP user that is used to connect to LDAP are bind and read (user info, group info, group membership, update sequence number, deleted objects). The need for admin privileges is because a normal user can't access the uSNChanged attribute and the deleted objects container, causing incremental sync to fail silently.