Cannot synchronize all users from an Active Directory filter

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

The number of users created in Hipchat Server is less than what should be returned by the Active Directory (AD) filter. 

Diagnosis

A. ldapsearch does not return all users

An ldapsearch run from the Hipchat Server won't return all users who should be included in the AD filter: 

ldapsearch -h <host> -p <port> -W -D <ad_cn_for_authentication> "<filter>"

To get a user count, grep the previous result for sAMAccountName (or any other attribute that is set for all users) and count the lines.

ldapsearch -h <host> -p <port> -W -D <ad_cn_for_authentication> "<filter>" | grep sAMAccountName | wc -l 

Adding -E pr=10000/noprompt to the ldapsearch query makes it return all users, assuming there are fewer than 10,000:

ldapsearch -h <host> -p <port> -W -D <ad_cn_for_authentication> -E pr=10000/noprompt "<filter>"

B. ldapsearch returns no users at all

This could occur if you're using Microsoft AD and connecting via port 3268.

C. ldapsearch returns the right number of users

Check /var/log/hipchat/atlassian-crowd.log for this error: 

2017-02-16 10:37:34,935 hipchat-httpclient-callbacks:thread-808 ERROR [hipchat.sync.crowd.CrowdSyncManager] Got HTTP error 400 (Bad Request), with body
{
  "error": {
    "code": 400,
    "message": "Unable to create user.  You must purchase more licenses in order to add additional users",
    "type": "Bad Request"
  }
}

The above indicates all the license seats are occupied by other users and no more can be added. 
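The three diagnosis cases above can be told apart from saved ldapsearch output. This is an added example, not part of the original article: the function names, case labels and sample data are constructed for illustration, and it assumes the OpenLDAP ldapsearch trailer line "result: 4 Size limit exceeded".

```shell
#!/bin/sh
# Added example: classify saved ldapsearch output into the article's cases.
# classify_ldap_output LDIF_FILE [CROWD_LOG] -> prints "<case> <user_count>"
classify_ldap_output() {
    out=$1; log=${2:-}
    # One anchored attribute line per user; also matches the base64 "::" form.
    count=$(grep -c '^sAMAccountName:' "$out" || true)
    # Numeric code from the trailer, e.g. "result: 4 Size limit exceeded".
    code=$(sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' "$out" | tail -n 1)
    if [ "$code" = "4" ]; then
        echo "A-size-limit $count"       # server cut the result set short
    elif [ "$count" -eq 0 ]; then
        echo "B-no-users $count"         # check the port (3268 vs 389)
    elif [ -n "$log" ] && grep -q 'You must purchase more licenses' "$log"; then
        echo "C-license-seats $count"    # directory is fine, licence is full
    else
        echo "complete $count"
    fi
}

# Constructed sample data (not real directory output or a real log).
make_samples() {
    dir=$1
    cat > "$dir/truncated.ldif" <<'EOF'
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
description: sAMAccountName: an unanchored grep would count this line too

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName:: Ym9i

# search result
search: 2
result: 4 Size limit exceeded
EOF
    printf 'dn: CN=Carol,DC=example,DC=test\nsAMAccountName: carol\n\nresult: 0 Success\n' > "$dir/complete.ldif"
    printf '# search result\nsearch: 2\nresult: 0 Success\n' > "$dir/empty.ldif"
    printf '%s\n' '"message": "Unable to create user.  You must purchase more licenses in order to add additional users"' > "$dir/crowd.log"
}

tmp=$(mktemp -d)
make_samples "$tmp"
classify_ldap_output "$tmp/truncated.ldif"
classify_ldap_output "$tmp/complete.ldif" "$tmp/crowd.log"
rm -rf "$tmp"
```

Anchoring the pattern at the start of the line keeps attribute values that merely contain the string sAMAccountName out of the count.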

Cause

  • By default, ldapsearch returns only 1000 results. The same limit is the default for Hipchat Server under Server admin > Directory > Edit > Advanced Settings > Use Paged Results.
  • OR all license seats are occupied and no more users can be created.

Resolution

A. There is a paged results limit

  1. Change the value of Server admin > Directory > Edit > Advanced Settings > Use Paged Results to a number that's bigger than your total user count.
  2. Change any AD server-side administrative limit on the number of items returned from a query.

Note: If there is a matching rule OID in the User Object Filter, such as 1.2.840.113556.1.4.1941, please remove it, as the LDAP filter in Hipchat Server does not support this and it will not work well to filter all required users.

B. Use a different port to connect to AD

Use port 389 instead of 3268. More detail can be found in What Is the Global Catalog?:

The global catalog solves the problem of how to locate domain data that is not stored on a domain controller in the domain of the client that requires the information. By using different ports for standard LDAP queries (port 389) and global catalog queries (port 3268), AD DS effectively separates forest-wide queries that require a global catalog server from local, domainwide queries that can be serviced by the domain controller in the user’s domain.

C. License seats are all used

  • Free up seats by excluding users from the LDAP filter. Do not deactivate the users manually via the Hipchat Server UI. Users deactivated via the Hipchat Server UI will be re-activated during the next sync with the directory server.
  • OR upgrade the Hipchat Server license to handle more users.

 

Last modified on Jan 19, 2018