Incremental LDAP synchronisation causing user deletion
Users are missing from the application sometime after a manual synchronisation.
Enable additional logging with the instructions in Log more LDAP query details.
However, instead of logging on com.atlassian.crowd.directory.SpringLDAPConnector, log on com.atlassian.crowd to get as much information as possible. Once this is enabled please wait to for the users to be removed. There should now be an entry in the daily logs similar to:
2016-05-18 08:54:07,921 INFO [clusterScheduler_Worker-3] c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 229377 ] starting 2016-05-18 08:54:07,935 DEBUG [clusterScheduler_Worker-3] c.a.c.d.MicrosoftActiveDirectory Performing polling search: baseDN = DC=com - filter = (&(&(objectCategory=Person)(sAMAccountName=*)(memberOf=CN=Users,OU=Groups)(uSNChanged>=678449785))2016-05-18 08:54:07,939 INFO [clusterScheduler_Worker-3] c.a.c.d.l.c.UsnChangedCacheRefresher scanned and compared [ 397 ] users to delete, [ 0 ] users to add, [ 0 ] users to update in DB cache in [ 14ms ]
Cause #1: Connector is binding to AD using unprivileged credentials during incremental synchronizations.
Cause #2: The LDAP server has a hard limit on the number of results returned and Paged Results is not enabled on Bitbucket Server for the directory. For example, in the below logs from
atlassian-bitbucket.log the LDAP server is only returning the first 15,000 users:
2016-10-05 10:17:20,400 INFO [Caesium-1-2] c.a.c.d.l.SpringLdapTemplateWrapper Timed call for search with dircontext on ou=People,ou=Corporate,o=abc took 14560ms 2016-10-05 10:17:20,401 INFO [Caesium-1-2] c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 15000 ] remote users in [ 14562 ms ] ... 2016-10-05 10:17:25,718 DEBUG [Caesium-1-2] c.a.c.d.DbCachingRemoteChangeOperations user [ username ] not found, deleting
Cause #3: "Changing the Port to the global catalog (3268)" The Global Catalog doesn't store the accountExpires attribute by default so no users match the filter used by JIRA if we filter out expired users. Jira will Sync on a Full Sync then Immediately be deleted on the next incremental synchronization
- We can confirm that trying to generate an LDIF for a user taken from the usual port (389) and another LDIF using the Global Catalog port (3268) and compare the attributes list we get on each of them. If we confirm that attribute is not stored in your Global Catalog this is the case
For Cause #1:
- Disable incremental synchronization.
- Switch to using a new Delegated LDAP user directory with the same settings.
For Cause #2:
Adjust the LDAP server so that the number of results returned from a search is more than the user filter that is setup.
For Cause #3:
- Edit the current User Directory configuration to not use the Incremental Synchronization.
- This can be done at the "Advanced Settings" section of the User Directory configuration unchecking the "Enable Incremental Synchronisation" option.
- Disable "Filter out expired users"
- Add the "accountExpires" attribute to your Global Catalog in your AD server. Please note this would be done by your AD server admin, details can be found here:
For Cause #1: Ensure that this is an administrator user for the LDAP engine.
For Cause #2: Enable the Use Paged Results option under Advanced Settings for the user directory. This will page the results instead of trying to load all entries at once.