LDAP Groups are not being populated with users using FreeIPA
症状
Bitbucket Server fails to populate groups with users when hooked to a FreeIPA LDAP server through a User Directory using the FedoraDS connector.
The following message is logged in <BITBUCKET_HOME>/log/atlassian-bitbucket.log:
Main message here:
2014-12-11 15:14:42,957 WARN [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ support ]: [uid=daniel.rohan,cn=users,cn=accounts,dc=bitbucket-internal,dc=local]Full sync log:
2014-12-11 15:14:42,291 DEBUG [clusterScheduler_Worker-5] c.a.s.i.crowd.HibernateDirectoryDao Updating object: com.atlassian.crowd.model.directory.DirectoryImpl@63f47965[lowerName=ldap,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.FedoraDS,allowedOperations=[CREATE_GROUP, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP, UPDATE_USER_ATTRIBUTE],attributes={directory.cache.synchronise.interval=3600, ldap.read.timeout=300000, ldap.user.displayname=cn, ldap.usermembership.use=false, ldap.search.timelimit=60000, ldap.user.objectclass=posixAccount, ldap.group.objectclass=groupofnames, ldap.user.firstname=givenName, ldap.pagedresults=false, ldap.group.description=description, ldap.pool.timeout=0, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.user.filter=(objectclass=posixAccount), ldap.user.username.rdn=cn, ldap.secure=false, ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.user.encryption=sha, com.atlassian.crowd.directory.sync.lastdurationms=5207, ldap.group.filter=(objectclass=posixGroup), com.atlassian.crowd.directory.sync.laststartsynctime=1418332421895, ldap.nestedgroups.disabled=true, ldap.user.username=uid, ldap.group.dn=cn=groups, ldap.user.email=mail, autoAddGroups=, ldap.basedn=cn=accounts,dc=bitbucket,dc=local, ldap.propogate.changes=false, localUserStatusEnabled=false, ldap.roles.disabled=true, com.atlassian.crowd.directory.sync.currentstartsynctime=1418332482291, ldap.connection.timeout=10000, ldap.url=ldap://bitbucket-internal.local:389, ldap.external.id=ipaUniqueID, ldap.usermembership.use.for.groups=false, ldap.referral=false, ldap.userdn=uid=bitbucket,cn=users,cn=accounts,dc=bitbucket,dc=local, ldap.user.lastname=sn, ldap.pagedresults.size=1000, ldap.group.name=cn, ldap.local.groups=true, ldap.user.dn=cn=users, com.atlassian.crowd.directory.sync.issynchronising=true, ldap.user.password=userPassword}]
2014-12-11 15:14:42,309 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 32770 ] starting
2014-12-11 15:14:42,310 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory Attempting INCREMENTAL synchronisation for directory [ 32770 ]
2014-12-11 15:14:42,310 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory Incremental synchronisation for directory [ 32770 ] was not completed, falling back to a full synchronisation
2014-12-11 15:14:42,310 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 32770 ] was not successful, attempting FULL
2014-12-11 15:14:42,349 INFO [clusterScheduler_Worker-5] c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 114 ] remote users in [ 38 ms ]
2014-12-11 15:14:42,541 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 114 ] users for delete in DB cache in [ 191ms ]
2014-12-11 15:14:42,541 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned for deleted users in [ 191ms ]
2014-12-11 15:14:42,663 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanning [ 114 ] users to add or update
2014-12-11 15:14:42,672 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations scanned and compared [ 114 ] users for update in DB cache in [ 119ms ]
2014-12-11 15:14:42,675 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 114 ] users in [ 122ms ]
2014-12-11 15:14:42,684 INFO [clusterScheduler_Worker-5] c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 23 ] remote groups in [ 9 ms ]
2014-12-11 15:14:42,684 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations scanning [ 23 ] groups to add or update
2014-12-11 15:14:42,693 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 23 ] groups for update in DB cache in [ 8ms ]
2014-12-11 15:14:42,701 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronized [ 23 ] groups in [ 17ms ]
2014-12-11 15:14:42,714 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 23 ] groups for delete in DB cache in [ 13ms ]
2014-12-11 15:14:42,890 WARN [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ admins ]: [uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local]
原因
LDAP support falls into two flavours of directory schema. There's the RFC-2307 style, and the RFC-4519 style. The FedoraDS connector uses RFC-2307.
FreeIPA implements a RFC-4519 schema similar to OpenLDAP or Active Directory.
The basic issue is that the Directory Server is one that the FedoraDS driver cannot understand.
ソリューション
The "fix" is to remove the connector, and re-create it with the type "Generic Directory Server" instead of "FedoraDS".
Bear in mind that we do not officially support for FreeIPA, so there's no "FreeIPA" choice in the drop-down: CWD-4134 - Getting issue details... STATUS
- List of supported LDAP servers:
This is why you must choose "Generic Directory Server" instead.
最終更新日: 2016 年 2 月 26 日
Powered by Confluence and Scroll Viewport.