Cannot synchronize all users from an Active Directory filter
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
The number of users created in Hipchat Server is less than what should be returned by the Active Directory (AD) filter.
Diagnosis
A. ldapsearch does not return all users
An ldapsearch run from the Hipchat Server won't return all users who should be included in the AD filter:
ldapsearch -h <host> -p <port> -W -D <ad_cn_for_authentication> "<filter>"
To get a user count, grep the previous result for sAMAccountName (or any other attribute that is set for all users) and count the lines:
ldapsearch -h <host> -p <port> -W -D <ad_cn_for_authentication> "<filter>" | grep sAMAccountName | wc -l
Adding -E pr=10000/noprompt to the ldapsearch query makes it return all users, assuming there are fewer than 10,000:
ldapsearch -h <host> -p <port> -W -D <ad_cn_for_authentication> -E pr=10000/noprompt "<filter>"
B. ldapsearch returns no users at all
This could occur if you're using Microsoft AD and connecting via port 3268.
C. ldapsearch returns the right number of users
Check /var/log/hipchat/atlassian-crowd.log for this error:
2017-02-16 10:37:34,935 hipchat-httpclient-callbacks:thread-808 ERROR [hipchat.sync.crowd.CrowdSyncManager] Got HTTP error 400 (Bad Request), with body
{
"error": {
"code": 400,
"message": "Unable to create user. You must purchase more licenses in order to add additional users",
"type": "Bad Request"
}
}
The above indicates all the license seats are occupied by other users and no more can be added.
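As an added example (not part of the Atlassian article), the POSIX shell script below turns diagnosis steps A and C into repeatable checks: it counts the users in the ldapsearch LDIF output, flags a count that lands exactly on the 1000-entry page limit, and counts the license-seat error in atlassian-crowd.log. The LDIF entries and log lines are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the Atlassian article. Offline checks built on the
# diagnosis above: count the users an AD filter actually returned, flag a count
# sitting exactly on the paged-results limit, and count license-seat failures.

DEFAULT_PAGE_LIMIT=1000   # default for both ldapsearch and Use Paged Results

# count_users: read ldapsearch output on stdin, print one count per user entry.
# Anchoring on the start of the line counts only the attribute itself, not the
# '# filter:' comment ldapsearch prints; 'sAMAccountName::' (base64 value) also
# matches. 'grep -c' exits 1 on zero matches, so '|| true' keeps set -e quiet.
count_users() {
    grep -c '^sAMAccountName:' || true
}

# paging_suspect COUNT [LIMIT]: true when the count equals the limit exactly,
# the usual sign that results were cut off rather than a directory that
# happens to hold precisely that many users.
paging_suspect() {
    [ "$1" -eq "${2:-$DEFAULT_PAGE_LIMIT}" ]
}

# license_error_count: read atlassian-crowd.log on stdin and count sync
# failures caused by exhausted license seats (message text from the article).
license_error_count() {
    grep -c 'You must purchase more licenses' || true
}

# Constructed sample input so the script runs without a directory server; in
# practice pipe 'ldapsearch ... -E pr=10000/noprompt "<filter>"' into count_users.
SAMPLE_LDIF='# filter: (&(objectClass=user)(sAMAccountName=*))
dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
dn: CN=Bob Roe,OU=Users,DC=example,DC=com
sAMAccountName:: Ym9iLnJvZQ=='
SAMPLE_LOG='2017-02-16 10:37:34,935 hipchat-httpclient-callbacks:thread-808 ERROR [hipchat.sync.crowd.CrowdSyncManager] Got HTTP error 400 (Bad Request), with body
"message": "Unable to create user. You must purchase more licenses in order to add additional users",'

main() {
    users=$(printf '%s\n' "$SAMPLE_LDIF" | count_users)
    echo "users returned by the filter: $users"
    if paging_suspect "$users"; then
        echo "count equals the page limit: raise Use Paged Results and the AD limit"
    fi
    errors=$(printf '%s\n' "$SAMPLE_LOG" | license_error_count)
    if [ "$errors" -gt 0 ]; then
        echo "$errors sync failure(s) because all license seats are in use"
    fi
}
main
```

Compare the printed user count with the number of users Hipchat Server created; a count that stops at the configured Use Paged Results value points at resolution A, a non-zero license error count at resolution C.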
Cause
- By default, ldapsearch returns only 1000 results. The same limit is the default for Hipchat Server under Server admin > Directory > Edit > Advanced Settings > Use Paged Results.
- OR all license seats are occupied and no more users can be created.
Resolution
A. There is a paged results limit
- Change the value of Server admin > Directory > Edit > Advanced Settings > Use Paged Results to a number that's bigger than your total user count.
- Raise any AD server-side administrative limit on the number of items returned from a query.
Note: If there is a matching rule OID in the User Object Filter such as 1.2.840.113556.1.4.1941, please remove it as the LDAP filter in Hipchat Server does not support this and it will not work well to filter all required users.
B. Use a different port to connect to AD
Use port 389 instead of 3268. More detail can be found in What Is the Global Catalog?:
The global catalog solves the problem of how to locate domain data that is not stored on a domain controller in the domain of the client that requires the information. By using different ports for standard LDAP queries (port 389) and global catalog queries (port 3268), AD DS effectively separates forest-wide queries that require a global catalog server from local, domainwide queries that can be serviced by the domain controller in the user’s domain.
C. License seats are all used
- Free up seats by excluding users from the LDAP filter. Do not deactivate the users manually via the Hipchat Server UI: users deactivated via the Hipchat Server UI will be re-activated during the next sync with the directory server.
- OR upgrade the Hipchat Server license to handle more users.