Group members don’t get synchronized from Microsoft Active Directory in Bitbucket Server
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Group members are not synchronised from Microsoft Active Directory after a full synchronisation in Bitbucket Server / Data Center. Individual users and groups appear in Bitbucket after the full sync, but the groups themselves remain empty.
Environment
Bitbucket Data Center 8.4.1 with user directory - Microsoft AD
This KB may be applicable for supported Bitbucket Data Center releases.
Diagnosis
- Check atlassian-bitbucket.log for user directory synchronisation failures.
Enable debug logging for Crowd loggers for detailed logging during user directory synchronisation.
curl -u <admin_user> -v -X PUT -d "" -H "Content-Type: application/json" <bitbucket-base-url>/rest/api/latest/logs/logger/com.atlassian.crowd/debug
curl -u <admin_user> -v -X PUT -d "" -H "Content-Type: application/json" <bitbucket-base-url>/rest/api/latest/logs/logger/com.atlassian.crowd.directory.SpringLDAPConnector/debug
Replace <admin_user> with a Bitbucket username that has admin privileges. Replace <bitbucket-base-url> with your Bitbucket base URL. Debug output from the Crowd loggers is verbose; once the diagnosis is done, set the level back with the same endpoint (for example replace the trailing /debug with /info).
In the Bitbucket server log (atlassian-bitbucket.log) we see that Bitbucket found 0 remote user-group memberships and 0 remote group-group memberships, and consequently synchronises 0 user members for group AA_BB_CXYZ:
2022-11-25 07:15:46,830 DEBUG [Caesium-1-2] c.a.c.d.s.c.AbstractCacheRefresher found [ 0 ] remote user-group memberships, [ 0 ] remote group-group memberships in [ 0ms ]
2022-11-25 07:15:46,832 DEBUG [Caesium-1-2] c.a.c.d.DbCachingRemoteChangeOperations synchronising [ 0 ] user members for group [ AA_BB_CXYZ ]
2022-11-25 07:15:46,832 DEBUG [Caesium-1-2] c.a.c.d.DbCachingRemoteChangeOperations internal directory has [ 0 ] members
2022-11-25 07:15:46,832 DEBUG [Caesium-1-2] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 0 ] user members from [ AA_BB_CXYZ ] in [ 0ms ]
2022-11-25 07:15:46,833 DEBUG [Caesium-1-2] c.a.c.d.DirectoryCacheImplUsingChangeOperations removing [ 0 ] users from group [ AA_BB_CXYZ ]
2022-11-25 07:15:46,833 DEBUG [Caesium-1-2] c.a.c.d.DirectoryCacheImplUsingChangeOperations adding [ 0 ] users to group [ AA_BB_CXYZ ]
2022-11-25 07:15:46,833 DEBUG [Caesium-1-2] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 0 ] user members for group [ AA_BB_CXYZ ] in [ 1ms ]
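A full atlassian-bitbucket.log at debug level is long, so it helps to pull out just the two signals this KB relies on: the AbstractCacheRefresher "found [ n ] remote user-group memberships" line and every group whose sync ended with 0 members. The script below is an added example, not part of the KB or of Bitbucket; the sample log it runs on is constructed to mirror the lines quoted above, with one healthy group added for contrast.

```python
import re
import sys

# Constructed sample modelled on the DEBUG lines quoted in this KB (not a real log).
SAMPLE_LOG = """\
2022-11-25 07:15:46,830 DEBUG [Caesium-1-2] c.a.c.d.s.c.AbstractCacheRefresher found [ 0 ] remote user-group memberships, [ 0 ] remote group-group memberships in [ 0ms ]
2022-11-25 07:15:46,832 DEBUG [Caesium-1-2] c.a.c.d.DbCachingRemoteChangeOperations synchronising [ 0 ] user members for group [ AA_BB_CXYZ ]
2022-11-25 07:15:46,833 DEBUG [Caesium-1-2] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 0 ] user members for group [ AA_BB_CXYZ ] in [ 1ms ]
2022-11-25 07:15:46,840 DEBUG [Caesium-1-2] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 12 ] user members for group [ bitbucket-users ] in [ 3ms ]
"""

# Patterns match the message formats shown in the KB; the bracketed numbers are what we extract.
FOUND_RE = re.compile(
    r"found \[ (\d+) \] remote user-group memberships, \[ (\d+) \] remote group-group memberships"
)
SYNCED_RE = re.compile(r"synchronised \[ (\d+) \] user members for group \[ ([^\]]+) \]")


def remote_membership_counts(log_text):
    """Return (user-group, group-group) counts from the last 'found' line, or None if absent."""
    counts = None
    for m in FOUND_RE.finditer(log_text):
        counts = (int(m.group(1)), int(m.group(2)))
    return counts


def synced_member_counts(log_text):
    """Map each group name to the member count reported by its final 'synchronised' line."""
    return {group: int(n) for n, group in SYNCED_RE.findall(log_text)}


def empty_groups(log_text):
    """Groups whose sync finished with 0 user members, in first-seen order."""
    seen = []
    for n, group in SYNCED_RE.findall(log_text):
        if int(n) == 0 and group not in seen:
            seen.append(group)
    return seen


def diagnose(log_text):
    """Classify the sync: 'filter' when AD returned no memberships at all (the KB's case),
    'partial' when some groups came back empty, 'ok' otherwise."""
    remote = remote_membership_counts(log_text)
    empty = empty_groups(log_text)
    if remote == (0, 0) and empty:
        return "filter"
    if empty:
        return "partial"
    return "ok"


if __name__ == "__main__":
    # Usage: python check_sync.py [path/to/atlassian-bitbucket.log]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("remote memberships:", remote_membership_counts(text))
    print("empty groups:", empty_groups(text))
    print("verdict:", diagnose(text))
```

A verdict of "filter" means the directory returned no memberships at all, which points at the user/group filter in the directory configuration rather than at a single group; "partial" is the pattern to expect when only some groups are mis-filtered or genuinely empty in AD.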
- Verify that the group(s) actually have members in the Microsoft AD directory.
- Review the user and group filters in the Bitbucket user directory configuration: go to Bitbucket Administration >> User directories (under Accounts) and click Edit on the directory. In this case the user filter was:
User filter: (memberOf=CN=AA_BB_*,OU=Users,DC=<DCname>,DC=<organisation name>,DC=<.com>)
Cause
The wildcard character "*" in the user filter, inside the value of a Distinguished Name (DN) attribute (memberOf), caused the issue. The Microsoft AD documentation for LDAP Syntax Filters states:
The LDAP filter specification assigns special meaning to the following 5 characters: * ( ) \ NUL
In LDAP filters these 5 characters should be escaped with the backslash escape character, followed by the two-character ASCII hexadecimal representation of the character. The following table documents this:
Character   Hex Representation
*           \2A
(           \28
)           \29
\           \5C
NUL         \00
Solution
Replace "*" in the user filter with its hex representation \2A.
For example, if the user filter is:
(memberOf=CN=AA_BB_*,OU=Users,DC=<DCname>,DC=<organisation name>,DC=<.com>)
After replacing "*", the filter would look like:
(memberOf=CN=AA_BB_\2A,OU=Users,DC=<DCname>,DC=<organisation name>,DC=<.com>)
Note that after escaping, the filter matches users whose memberOf contains the group with that literal DN (a group named AA_BB_*); it is not a prefix match on group names. AD does not support wildcard matching on DN-syntax attributes such as memberOf, so an unescaped "*" in a DN value cannot act as a wildcard there. If the intent is to admit members of several groups, list each group DN explicitly, for example with an OR filter: (|(memberOf=<DN of group 1>)(memberOf=<DN of group 2>)).
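Escaping by hand is error-prone when a filter is assembled from several group DNs, and it is just as easy to miss a stray "*" or a bare backslash in a filter someone else wrote. The following is an added example, not code from the KB or from Bitbucket: it escapes a literal filter value per the five-character table above, builds a memberOf filter from one or more group DNs, and scans an existing filter for raw "*" in values of DN-syntax attributes (the list of such attributes is a small, assumed set of common AD ones) and for backslashes that do not start a two-hex-digit escape.

```python
import re

# RFC 4515 escapes for the five characters the KB's table lists as special in a filter value.
LDAP_FILTER_ESCAPES = {"*": r"\2A", "(": r"\28", ")": r"\29", "\\": r"\5C", "\x00": r"\00"}

# Assumed set of AD attributes with DN syntax, where AD does not support wildcards.
# Extend as needed for your schema; names are compared case-insensitively.
DN_SYNTAX_ATTRS = {"memberof", "member", "manager", "managedby", "directreports", "distinguishedname"}


def escape_filter_value(value):
    """Escape a literal assertion value so it can be placed inside an LDAP search filter."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def memberof_filter(*group_dns):
    """Build a user filter matching members of the given group(s), by literal DN.
    One DN gives a plain equality assertion; several are combined with an OR (|)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = ["(memberOf=" + escape_filter_value(dn) + ")" for dn in group_dns]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


# Innermost (attribute<op>value) assertions. A correctly escaped value contains no raw parentheses,
# so this captures every leaf of a nested (&...)/(|...)/(!...) filter.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9;.-]*)(?:~=|>=|<=|=)([^()]*)\)")
# A backslash is only valid in a value when it starts a two-hex-digit escape.
_BAD_BACKSLASH = re.compile(r"\\(?![0-9A-Fa-f]{2})")


def filter_problems(filter_text):
    """Return a list of (attribute, value, reason) for leaf assertions that would misbehave:
    a raw '*' in a DN-syntax attribute value, or a backslash that is not an escape sequence."""
    problems = []
    for attr, value in _ASSERTION.findall(filter_text):
        if attr.lower() in DN_SYNTAX_ATTRS and "*" in value:
            problems.append((attr, value, "wildcard in DN-syntax attribute; escape as \\2A or list DNs"))
        if _BAD_BACKSLASH.search(value):
            problems.append((attr, value, "bare backslash; escape as \\5C"))
    return problems


if __name__ == "__main__":
    # Constructed example, placeholders kept as in the KB.
    bad = "(memberOf=CN=AA_BB_*,OU=Users,DC=<DCname>,DC=<organisation name>,DC=<.com>)"
    for attr, value, reason in filter_problems(bad):
        print(f"{attr}={value}: {reason}")
    print(memberof_filter("CN=AA_BB_*,OU=Users,DC=<DCname>,DC=<organisation name>,DC=<.com>"))
```

Substring filters on non-DN attributes such as (sAMAccountName=svc-*) are deliberately not reported, since wildcards are valid there; only DN-valued attributes are checked for a raw "*".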