Incremental LDAP synchronisation causing user deletion

Problem

Users are missing from the application sometime after a manual synchronisation.

Diagnose

Enable additional logging with the instructions in Log more LDAP query details.

However, instead of logging on com.atlassian.crowd.directory.SpringLDAPConnector, log on com.atlassian.crowd to get as much information as possible. Once this is enabled, wait for the users to be removed again. There should now be an entry in the daily logs similar to:

2016-05-18 08:54:07,921 INFO  [clusterScheduler_Worker-3]  c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 229377 ] starting

2016-05-18 08:54:07,935 DEBUG [clusterScheduler_Worker-3]  c.a.c.d.MicrosoftActiveDirectory Performing polling search: baseDN = DC=com - filter = (&(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=Users,OU=Groups)(uSNChanged>=678449785))
2016-05-18 08:54:07,939 INFO  [clusterScheduler_Worker-3]  c.a.c.d.l.c.UsnChangedCacheRefresher scanned and compared [ 397 ] users to delete, [ 0 ] users to add, [ 0 ] users to update in DB cache in [ 14ms ]

Causes

Cause #1: Connector is binding to AD using unprivileged credentials during incremental synchronizations. 

Tracked as CWD-3093.

Cause #2: The LDAP server has a hard limit on the number of results returned and Paged Results is not enabled on Bitbucket Server for the directory. For example, in the below logs from atlassian-bitbucket.log the LDAP server is only returning the first 15,000 users:

2016-10-05 10:17:20,400 INFO  [Caesium-1-2]  c.a.c.d.l.SpringLdapTemplateWrapper Timed call for search with dircontext on ou=People,ou=Corporate,o=abc took 14560ms
2016-10-05 10:17:20,401 INFO  [Caesium-1-2]  c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 15000 ] remote users in [ 14562 ms ]
...
2016-10-05 10:17:25,718 DEBUG [Caesium-1-2]  c.a.c.d.DbCachingRemoteChangeOperations user [ username ] not found, deleting
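The log lines quoted in the Diagnose section and under Cause #2 carry enough structure to be checked automatically before the next incremental run deletes anything. The following script is an added example, not part of the original article or of Atlassian's own code: it parses the "synchronisation ... starting", "scanned and compared", "found [ N ] remote users" and "not found, deleting" lines, and flags a run that would remove a large share of the cached users, a run that only deletes (the pattern behind Cause #1 and Cause #3), and a remote user count that lands exactly on a common server result-size limit (Cause #2). The sample log text, the `cached_users` argument and the set of size limits are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines, modelled on the entries quoted in this article.
SAMPLE_LOG = """\
2016-05-18 08:54:07,921 INFO  [clusterScheduler_Worker-3]  c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 229377 ] starting
2016-05-18 08:54:07,939 INFO  [clusterScheduler_Worker-3]  c.a.c.d.l.c.UsnChangedCacheRefresher scanned and compared [ 397 ] users to delete, [ 0 ] users to add, [ 0 ] users to update in DB cache in [ 14ms ]
2016-10-05 10:17:20,401 INFO  [Caesium-1-2]  c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 15000 ] remote users in [ 14562 ms ]
2016-10-05 10:17:25,718 DEBUG [Caesium-1-2]  c.a.c.d.DbCachingRemoteChangeOperations user [ username ] not found, deleting
"""

SYNC_RE = re.compile(r"(INCREMENTAL|FULL) synchronisation for directory \[ (\d+) \] starting")
COMPARE_RE = re.compile(
    r"scanned and compared \[ (\d+) \] users to delete, "
    r"\[ (\d+) \] users to add, \[ (\d+) \] users to update"
)
FOUND_RE = re.compile(r"found \[ (\d+) \] remote users")
DELETING_RE = re.compile(r"user \[ ([^\]]+) \] not found, deleting")

# Assumed: result-size limits that commonly show up when a server truncates a search.
COMMON_SIZE_LIMITS = {500, 1000, 10000, 15000}


@dataclass
class SyncReport:
    mode: Optional[str] = None          # INCREMENTAL or FULL
    directory: Optional[str] = None     # directory id from the "starting" line
    to_delete: int = 0
    to_add: int = 0
    to_update: int = 0
    remote_users: Optional[int] = None  # count reported by the remote search
    deleted_users: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def analyse_sync_log(text: str, cached_users: int, max_delete_ratio: float = 0.1) -> SyncReport:
    """Parse directory-sync log lines and flag a run that looks like a mass deletion.

    cached_users is the number of users currently held in the application's
    directory cache (read from the admin UI); it is an input, not parsed from the log.
    """
    r = SyncReport()
    for line in text.splitlines():
        if m := SYNC_RE.search(line):
            r.mode, r.directory = m.group(1), m.group(2)
        elif m := COMPARE_RE.search(line):
            r.to_delete, r.to_add, r.to_update = (int(g) for g in m.groups())
        elif m := FOUND_RE.search(line):
            r.remote_users = int(m.group(1))
        elif m := DELETING_RE.search(line):
            r.deleted_users.append(m.group(1))

    # A single run that would remove more than max_delete_ratio of the cache is suspicious.
    if cached_users > 0 and r.to_delete / cached_users > max_delete_ratio:
        r.warnings.append(
            f"{r.mode or 'sync'} run would delete {r.to_delete} of {cached_users} "
            f"cached users ({r.to_delete / cached_users:.0%})"
        )
    # Deletions with no adds or updates: the search returned far fewer matches than before.
    if r.to_delete and not r.to_add and not r.to_update:
        r.warnings.append(
            "deletions only, no adds or updates: check the bind account's privileges "
            "(cause #1) or a Global Catalog port that lacks accountExpires (cause #3)"
        )
    # A remote count sitting exactly on a typical server limit suggests truncated results.
    if r.remote_users in COMMON_SIZE_LIMITS:
        r.warnings.append(
            f"remote user count {r.remote_users} matches a typical server size limit: "
            "enable Paged Results (cause #2)"
        )
    return r


if __name__ == "__main__":
    report = analyse_sync_log(SAMPLE_LOG, cached_users=400)
    for w in report.warnings:
        print("WARNING:", w)
```

Run it against the real atlassian-bitbucket.log (or the Crowd log) with `cached_users` set to the count shown for the directory in the admin UI; a non-empty `warnings` list is the signal to disable incremental synchronisation before the next scheduled run rather than after it.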

Cause #3: The directory connection has been changed to the Global Catalog port (3268). The Global Catalog doesn't store the accountExpires attribute by default, so no users match the filter used by JIRA: the users are synchronised by a full synchronisation and then immediately deleted on the next incremental synchronisation.

  •  To confirm this, generate an LDIF for a user over the usual port (389) and another LDIF for the same user over the Global Catalog port (3268), and compare the attribute lists in each. If the accountExpires attribute is not present in the Global Catalog export, this is the cause.

Workarounds

For Cause #1:

  • Disable incremental synchronization, or
  • Switch to using a new Delegated LDAP user directory with the same settings.

For Cause #2:

Raise the LDAP server's result size limit so that a search returns more entries than the number of users matched by the configured user filter.

For Cause #3:

  1. Edit the current User Directory configuration to not use the Incremental Synchronization. 
    1. This can be done at the "Advanced Settings" section of the User Directory configuration unchecking the "Enable Incremental Synchronisation" option.
  2. Add the "accountExpires" attribute to your Global Catalog in your AD server. Please note this would be done by your AD server admin, details can be found here:
    1. http://www.dell.com/support/article/us/en/19/sln285512/windows-server--how-to-add-attributes-to-the-global-catalog-partial-attribute-set?lang=en

Resolution

For Cause #1: Ensure that the account the directory binds with is an administrator user on the LDAP server.

For Cause #2: Enable the Use Paged Results option under Advanced Settings for the user directory. This will page the results instead of trying to load all entries at once.

Last modified on Nov 2, 2018
