LDAP User Unable to Login to Hipchat Server due to Membership in Restricted Group

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

This version of Hipchat Server is no longer supported

This article applies to a version of Hipchat Server which is beyond the Atlassian End of Life policy, and is no longer supported.

When was my version deprecated?

The following versions have been deprecated:

  • Hipchat Server 1.3 (EOL Date: Aug 17, 2017)

The following versions will be deprecated soon:

  • Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
  • Hipchat Server 2.1 (EOL Date: Dec 8, 2018)
  • Hipchat Server 2.2 (EOL Date: May 30, 2019)

You can read more about Atlassian's End of Life policy here

You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes. If possible, you should also consider deploying Hipchat Data Center instead.

Problem

LDAP users were not able to login.

The following appears in the /var/log/hipchat/atlassian-crowd.log

2016-02-13 04:28:35,648 http-bio-8095-exec-3 ERROR [common.error.jersey.ThrowableExceptionMapper] Uncaught exception thrown by REST service: at index 18
java.lang.NullPointerException: at index 18
	at com.google.common.collect.ImmutableList.checkElementNotNull(ImmutableList.java:305)
	at com.google.common.collect.ImmutableList.construct(ImmutableList.java:296)
	at com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:289)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:247)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:217)
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:387)
	at com.atlassian.crowd.directory.RFC4519Directory.searchGroupRelationshipsWithGroupTypeSpecified(RFC4519Directory.java:476)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupRelationships(SpringLDAPConnector.java:1579)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:364)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:300)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:206)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:184)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:305)

 

Cause

The problem occurred because the LDAP account configured in Hipchat Server does not have the sufficient rights to access all groups e.g. one of the groups that the user is a member of is unable to be read by the LDAP account used by Hipchat Server.

This is a bug in Crowd which we tracked here:  CWD-4206 - Getting issue details... STATUS . Hipchat Server utilizes Crowd service to handle directory integration and directory users authentications. 

Diagnosis

You can find the culprit group/user by running Get-ADGroup and Get-ADGroupMember with the recursive flag enabled to get an error with the group/user.

Workarounds

Admin can either:

  • Allow the LDAP account used by Hipchat Server read access to the problematic group
  • Remove the user from this group
  • Uncheck "Use the User Membership Attribute"  option under Membership Schema Settings in the directory configuration. This will effectively prevent the use of memberOf attribute to look for the user's group memberships (using member attribute from the group's side instead)

Resolution

As  CWD-4206 - Getting issue details... STATUS  has already been fixed on Crowd version 2.9.1, please ensure that you keep your Hipchat server up to date to ensure that you are no longer affected by the bug. 

 

Last modified on Jan 19, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.