Unable to Deactivate User That Belongs to an Active Directory (AD) User Directory With NULL Errors

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

While trying to deactivate a user that belongs to an AD user directory, the NULL error appears and user is unable to be deactivated:

The following appears in the atlassian-crowd.log.log

2016-03-03 13:57:17,889 http-bio-8095-exec-4078 ERROR [console.action.principal.UpdatePrincipal] null
java.lang.NumberFormatException: null
	at java.lang.Long.parseLong(Long.java:552)
	at java.lang.Long.parseLong(Long.java:631)
	at com.atlassian.crowd.directory.ldap.mapper.attribute.UserAccountControlUtil.enabledUser(UserAccountControlUtil.java:25)
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.getUserModificationItems(MicrosoftActiveDirectory.java:927)
	at com.atlassian.crowd.directory.SpringLDAPConnector.updateUser(SpringLDAPConnector.java:1006)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateUser(DbCachingRemoteDirectory.java:538)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.updateUser(DirectoryManagerGeneric.java:365)

Or

2016-03-03 13:58:24,248 http-bio-8095-exec-4039 ERROR [console.action.principal.UpdatePrincipal] User renaming is not supported for LDAP directories.
com.atlassian.crowd.exception.OperationNotSupportedException: User renaming is not supported for LDAP directories.
	at com.atlassian.crowd.directory.SpringLDAPConnector.renameUser(SpringLDAPConnector.java:742)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.renameUser(DbCachingRemoteDirectory.java:566)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.renameUser(DirectoryManagerGeneric.java:390)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)

Cause

Crowd unable to read a certain user attribute from AD. This caused Crowd to pass the attribute value "NULL", and therefore, Crowd throws the NULL error. 

This issue arises when the AD user that Crowd is using to bind CROWD with AD has no permission to read this attribute. 

Resolution

Ensure that the AD user used to bind the external directory belongs to the built-in Administrators group on AD side.

As per described in the documentation:

 

 

 

Ensure that this is an administrator user for the LDAP engine. For example, in Active Directory the user will need to be a member of the built-in Administrators group. The specific privileges for the LDAP user that is used to connect to LDAP are bind and read (user info, group info, group membership, update sequence number, deleted objects). The need for admin privileges is because a normal user can't access uSNChanged attribute and deleted objects container, causing incremental sync to fail silently.

 

Last modified on Nov 2, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.