User Lookups Fail With PartialResultExceptions
Searching for users in Crowd/JIRA/Confluence (with AD integrated) fails with the exception below:
Operation failed; nested exception is javax.naming.PartialResultException (root exception is javax.naming.communicationexception: mycompany.com:389(root exception is XXXXX: mycompany.com)
The root exception being represented by XXXXX, can be:
- Active Directory servers are integrated with DNS, and modify entries in the DNS server.
- Active Directory servers have a referral to themselves in the root of their LDAP tree.
- If the Crowd (or JIRA, or Confluence) server is pointed to the root of the LDAP tree, and "follow referrals" is turned on (which is the default), then:
- Crowd will search for users
- The AD server will respond with users and the referral that's in the root of the LDAP tree, because there could be more users over there
- Crowd will follow the referral. This will result in:
- A DNS lookup of the base DN (dc=mycompany,dc=com means a lookup for mycompany.com)
- A connection to port 389 or 636 at mycompany.com, which is back to the same server
- Crowd will continue and read the rest of the objects in the domain as normal.
If "java.net.UnknownHostException" is being reported
The root cause of the symptoms described would be:
Root exception is java.net.UnknownHostException: mycompany.com
This is step 6.1 failing - Crowd/JIRA/Confluence can't perform a DNS lookup on the referral in the AD server root.
Problems like this are most commonly caused by the server that Crowd running on not having the same DNS server as the Active Directory server.
To check if this is the case:
- Turn off 'Follow Referrals' in the 'Connector' tab.
- Connect to the root DN of your LDAP server.
- If no errors show in the logs, then it's a DNS error.
Below are some diagnostic steps to check that your AD server is accessible from Confluence, please do not use as a permanent solution:
- Changing LDAP port to global catalog port on 3268 instead of 389 (Global Catalogs does not tell the client to chase down referrals).
OR add the config below:
<ip address> activedirectory.yourcompany.com
In either of the following:
Fixing a DNS Configuration Issue
- The issue lies in the AD DNS configuration, thus is beyond our support scope. We suggest you to involve your AD administrator to fix this by configuring the server that Crowd is running on to use the DNS server that the Active Directory server is integrated with.
- If this is not possible, disable 'Follow Referrals'. See also .
What are the implications of disabling 'Follow Referrals'?
- If you only have one domain, there should be no adverse effects.
- If you have multiple domains joined in a Forest, then any cross-domain memberships will not be resolved.
- If you must have cross-domain memberships and you can't fix the DNS issues, then you can point Crowd at your Global Catalog. This is read-only, but it does contain all users, groups, and memberships from across your Forest. Talk to your AD admin for Global Catalog connection details.