Directory Synchronization Failure Due to Default Group Caused Duplicate Entry

Platform notice: Cloud and Data Center - This article applies equally to both the Cloud and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

If Confluence uses the CONNECTOR method to integrate with LDAP and the configured Base DN is at the upper root of the LDAP server tree, Confluence is very likely to find duplicate groups during synchronisation. These are normally the default groups that come with the LDAP server (e.g. Microsoft Active Directory). The following appears in atlassian-confluence/jira.log:

2012-01-16 17:39:44,085 ERROR [scheduler_Worker-6] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 13528946 ].
java.lang.IllegalArgumentException: duplicate key: Domain Controllers 
at com.google.common.base.Preconditions.checkArgument(Preconditions.java:115) 
at com.google.common.collect.RegularImmutableMap.<init>(RegularImmutableMap.java:72) 
at com.google.common.collect.ImmutableMap$Builder.fromEntryList(ImmutableMap.java:221) 
at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:207) 
at com.google.common.collect.Maps.uniqueIndex(Maps.java:571) 
at com.google.common.collect.Maps.uniqueIndex(Maps.java:527) 
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseMemberships(AbstractCacheRefresher.java:126) 
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:44) 
at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:223)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619) 
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50) 
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobBean.executeInternal(DirectoryPollerJobBean.java:29) 
at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86) 
at org.quartz.core.JobRunShell.run(JobRunShell.java:199) 
at com.atlassian.confluence.schedule.quartz.ConfluenceQuartzThreadPool$1.run(ConfluenceQuartzThreadPool.java:20) 
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)

The stack trace above shows that there are duplicate groups named "Domain Controllers", a group that exists in every tree of the LDAP server.

Cause

Confluence LDAP integration does not allow duplicate groups or users within the same User Directory.

Solution

  1. If possible, refine the Base DN and narrow it down to a more specific tree that contains only what requires access to Confluence.
  2. Create a search filter that excludes the duplicate groups and add it to your Group Object Filter. For example:

    (&(objectCategory=Group)(!(cn=Domain Controllers)))

    More details on writing LDAP search filters can be found at How to write LDAP search filters.

    There might be multiple groups that need to be excluded, hence the first resolution is the recommended one.

  3. An improvement request has been filed to merge the memberships of the duplicate groups rather than stopping the synchronization: CONFSERVER-23213 - Merge memberships for groups with duplicate names during LDAP directory sync.
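
To see in advance which groups would collide under a given Base DN, and to build the matching Group Object Filter, the check below can be run over a list of group DNs exported from the directory. It is an added example, not Atlassian code. The sample DNs are constructed, and it assumes the group name attribute is cn, that cn is the leading RDN of each DN, and that names are compared case-insensitively.

```python
import re
from collections import defaultdict

# Constructed sample: group DNs as a search under a root Base DN might return
# them (hypothetical example.com domains, not from the article's environment).
SAMPLE_GROUP_DNS = [
    "CN=Domain Controllers,CN=Users,DC=emea,DC=example,DC=com",
    "CN=Domain Controllers,CN=Users,DC=apac,DC=example,DC=com",
    "CN=confluence-users,OU=Groups,DC=emea,DC=example,DC=com",
    "CN=Ops (EU),OU=Groups,DC=emea,DC=example,DC=com",
    "cn=ops (eu),OU=Groups,DC=apac,DC=example,DC=com",
]

def group_name(dn):
    """Return the value of the leading RDN (assumed to be the group's cn)."""
    # Split on the first comma not preceded by a backslash, so "\," stays
    # inside the value. Hex escapes such as "\2C" are not decoded here.
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    value = first_rdn.split("=", 1)[1]
    return re.sub(r"\\(.)", r"\1", value).strip()

def find_duplicates(dns):
    """Map each lower-cased group name found under several DNs to those DNs."""
    by_name = defaultdict(list)
    for dn in dns:
        by_name[group_name(dn).lower()].append(dn)
    return {name: found for name, found in by_name.items() if len(found) > 1}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in a search filter value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )

def exclusion_filter(dns, base="(objectCategory=Group)"):
    """Build a Group Object Filter that excludes every duplicated name."""
    dupes = find_duplicates(dns)
    if not dupes:
        return base
    clauses = "".join(
        "(!(cn=%s))" % escape_filter_value(group_name(dupes[name][0]))
        for name in sorted(dupes)
    )
    return "(&%s%s)" % (base, clauses)

if __name__ == "__main__":
    for name, found in find_duplicates(SAMPLE_GROUP_DNS).items():
        print("duplicate group %r under %d DNs" % (name, len(found)))
    print(exclusion_filter(SAMPLE_GROUP_DNS))
```

A long list of exclusions in the output is a sign that narrowing the Base DN, the first resolution, is the better fix.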

Last updated: January 31, 2025