Bitbucket Server not retrieving users from Active Directory


Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.

Problem

Even though the Active Directory server is reachable from Bitbucket Server and the user, group, and membership attributes are configured correctly, no users are synced.

There are no error messages in the logs, but debug logging shows that zero users have been synced:

2018-05-10 16:38:39,135 DEBUG [CrowdUsnChangedCacheRefresher:thread-1] c.a.c.directory.SpringLDAPConnector Performing user search: baseDN = DC=example,DC=com - filter = (&(&(objectclass=user)(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(accountExpires=0)(accountExpires>=131704436715550000))) in directory 7634945
...
2018-05-10 16:38:39,140 DEBUG [CrowdUsnChangedCacheRefresher:thread-2] c.a.c.d.l.SpringLdapTemplateWrapper Timed call for search with handler on baseDN: CN=stash-users,OU=Groups,DC=example,DC=com, filter: (&(objectCategory=Group)(|(cn=jira-test)(cn=confluence-test)(cn=stash-test)(cn=jira-users))) took 4ms
...
2018-05-10 16:38:40,800 DEBUG [Caesium-1-4]  c.a.s.i.crowd.HibernateDirectoryDao Updating object: com.atlassian.crowd.model.directory.DirectoryImpl@3c96ef05[lowerName=test_ldap,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[CREATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP, UPDATE_GROUP, UPDATE_USER_ATTRIBUTE],attributes={ldap.basedn=DC=example,DC=com, ldap.user.filter=(&(objectclass=user)(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))), ldap.user.username=sAMAccountName, ldap.usermembership.use=false, com.atlassian.crowd.directory.sync.lastdurationms=84, ldap.group.usernames=member, ldap.pagedresults.size=1000, ldap.read.timeout=120000, ldap.connection.timeout=10000, ldap.group.filter=(&(objectCategory=Group)(|(cn=jira-test)(cn=confluence-test)(cn=stash-test)(cn=jira-users))), ldap.userdn=CN=AD Reader,OU=Service Accounts,OU=HQ,OU=Administration,DC=example,DC=com, ldap.roles.disabled=true, ldap.external.id=objectGUID, ldap.url=ldap://example.com:3268, ldap.pagedresults=true, ldap.user.password=unicodePwd, ldap.user.lastname=sn, ldap.group.name=cn, ldap.referral=true, com.atlassian.crowd.directory.sync.issynchronising=true, ldap.group.dn=CN=stash-users,OU=Groups, ldap.relaxed.dn.standardisation=true, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.currentstartsynctime=1525805807800, ldap.password=********, autoAddGroups=, crowd.sync.incremental.enabled=false, crowd.sync.group.membership.after.successful.user.auth.enabled=true, ldap.usermembership.use.for.groups=false, ldap.user.objectclass=user, directory.cache.synchronise.interval=3600, ldap.nestedgroups.disabled=false, ldap.secure=false, ldap.user.username.rdn=cn, ldap.propogate.changes=false, ldap.pool.timeout=0, ldap.user.displayname=displayName, com.atlassian.crowd.directory.sync.laststartsynctime=1525805265781, ldap.user.email=mail, ldap.user.group=memberOf, localUserStatusEnabled=true, ldap.user.encryption=sha, ldap.local.groups=true, ldap.group.description=description, ldap.user.dn=, ldap.group.objectclass=group, ldap.filter.expiredUsers=true, ldap.search.timelimit=60000}]
2018-05-08 18:56:47,811 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteDirectory FULL synchronisation for directory [ 7634945 ] starting
2018-05-08 18:56:47,817 INFO  [CrowdUsnChangedCacheRefresher:thread-1]  c.a.c.d.l.c.UsnChangedCacheRefresher found [ 0 ] remote users in [ 5ms ]
2018-05-08 18:56:47,818 INFO  [CrowdUsnChangedCacheRefresher:thread-2]  c.a.c.d.l.c.UsnChangedCacheRefresher found [ 1 ] remote groups in [ 6ms ]
2018-05-08 18:56:47,819 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 0 ] users for delete in DB cache in [ 2ms ]
2018-05-08 18:56:47,819 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned for deleted users in [ 2ms ]
2018-05-08 18:56:47,821 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanning [ 0 ] users to add or update
2018-05-08 18:56:47,821 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations scanned and compared [ 0 ] users for update in DB cache in [ 1ms ]
2018-05-08 18:56:47,821 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 0 ] users in [ 1ms ]
2018-05-08 18:56:47,824 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 1 ] groups for delete in DB cache in [ 3ms ]
2018-05-08 18:56:47,825 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations scanning [ 1 ] groups to add or update
2018-05-08 18:56:47,826 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 1 ] groups for update in DB cache in [ 1ms ]
2018-05-08 18:56:47,827 INFO  [Caesium-1-4]  c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronized [ 1 ] groups in [ 2ms ]
2018-05-08 18:56:47,827 INFO  [Caesium-1-4]  c.a.c.d.RFC4519DirectoryMembershipsIterable Searching for children of 1 groups
2018-05-08 18:56:47,838 INFO  [Caesium-1-4]  c.a.c.d.RFC4519DirectoryMembershipsIterable Found 1 children for 1 groups in 11 ms
2018-05-08 18:56:47,839 INFO  [Caesium-1-4]  c.a.c.d.RFC4519DirectoryMembershipsIterable Fetching details for 314 entities for membership resolution
2018-05-08 18:56:47,889 INFO  [Caesium-1-4]  c.a.c.d.DbCachingRemoteDirectory FULL synchronisation complete for directory [ 7634945 ] in [ 78ms ]

Diagnosis

Environment

  • This issue was replicated in Bitbucket Server 5.8.1, which uses version 2.12.0 of the embedded Crowd library.

Diagnostic Steps

  • The exact same LDAP configuration works in Stash 3.11.2, which has Crowd 2.8.4-m1 libraries embedded.

Cause

Even though accountExpires does not appear in the configured user filter, Crowd 2.12.0 added an accountExpires check of its own: the user search in the debug log above shows the configured filter AND-ed with (|(accountExpires=0)(accountExpires>=131704436715550000)). From that version onwards Crowd (and therefore the Crowd library embedded in Bitbucket Server) filters out users whose account has expired.

The AD directory configuration in the log excerpt above shows that the instance connects to a Global Catalog (ldap.url uses port 3268) rather than to a regular LDAP service (port 389 by default). Unfortunately, the accountExpires attribute is not replicated to a Global Catalog in Active Directory. Because the attribute is absent from every entry the Global Catalog returns, no user matches either branch of the (|(accountExpires=0)(accountExpires>=...)) clause, so the search returns zero users. This was reported as a bug in Crowd and was fixed in Crowd versions 3.0.2 and 3.1.1.
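The following example, added to this article and not part of Bitbucket Server or Crowd, reproduces the filter from the debug log and evaluates it locally against constructed directory entries: the same users as returned by a domain controller (with accountExpires) and by a Global Catalog (without it). The threshold value is the one from the log line above; the entries, account names and helper names are assumptions.

```python
"""Why a Global Catalog (port 3268) yields zero users once Crowd appends its
accountExpires clause. Added example; directory entries below are constructed."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # 100 ns ticks since 1601
ADS_UF_ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the configured filter
BASE_FILTER = ("(&(objectclass=user)(objectCategory=Person)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def crowd_user_filter(base, now_ft, filter_expired=True):
    """Reproduce the filter seen in the debug log: the configured filter is
    AND-ed with an accountExpires clause when 'Filter out expired users' is on."""
    if not filter_expired:
        return base
    return f"(&{base}(|(accountExpires=0)(accountExpires>={now_ft})))"

def matches(entry, now_ft, filter_expired=True):
    """Evaluate the filter with LDAP semantics: a comparison on an attribute
    the entry does not carry is simply false."""
    if entry.get("userAccountControl", 0) & ADS_UF_ACCOUNTDISABLE:
        return False
    if not filter_expired:
        return True
    if "accountExpires" not in entry:        # the Global Catalog case
        return False
    v = entry["accountExpires"]
    return v == 0 or v >= now_ft

def synced_users(entries, now_ft, filter_expired=True):
    return [e["sAMAccountName"] for e in entries if matches(e, now_ft, filter_expired)]

NOW_FT = 131704436715550000  # threshold taken from the log line in the article
FULL_REPLICA = [  # constructed: what a domain controller on port 389 returns
    {"sAMAccountName": "alice", "userAccountControl": 512, "accountExpires": 0},
    {"sAMAccountName": "bob", "userAccountControl": 512,   # expired end of 2017
     "accountExpires": datetime_to_filetime(datetime(2017, 12, 31, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 514, "accountExpires": 0},  # disabled
]
# The Global Catalog does not replicate accountExpires, so the attribute is absent
GLOBAL_CATALOG = [{k: v for k, v in e.items() if k != "accountExpires"} for e in FULL_REPLICA]

if __name__ == "__main__":
    print(crowd_user_filter(BASE_FILTER, NOW_FT))
    print("port 389 :", synced_users(FULL_REPLICA, NOW_FT))      # ['alice']
    print("port 3268:", synced_users(GLOBAL_CATALOG, NOW_FT))    # []
    print("3268, filter off:", synced_users(GLOBAL_CATALOG, NOW_FT, filter_expired=False))
```

Note that with the expired-user filter switched off, the Global Catalog result also includes the expired account, which is the trade-off of that workaround.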

The latest version of Bitbucket Server (currently 6.0) comes bundled with Crowd 3.3, where the bug is fixed. Older versions of Bitbucket Server do not bundle these newer Crowd library versions.

Workaround

If using embedded Crowd version 2.12.0:

  • Disable the "Filter out expired users" setting in the AD directory configured in Bitbucket Server (shown as ldap.filter.expiredUsers=true in the log excerpt above)
    OR
  • Connect to port 389, instead of to 3268

If using embedded Crowd versions older than 2.12.0:

  • This issue only impacts Incremental sync, so disabling incremental sync is a possible workaround for those versions.

Solution

Upgrade to Bitbucket Server version 6.0, which comes bundled with Crowd 3.3.0, where this bug is fixed.


Last modified on Feb 13, 2019
