Lexical error during directory synchronization
症状
During the synchronization with an LDAP directory, the following appears in the atlassian-confluence.log:
2011-12-15 11:54:52,422 ERROR [QuartzScheduler_Worker-8] [directory.ldap.mapper.GroupContextMapper] mapFromContext Failed to map attribute <memberDNs> from context with DN <cn=Confluence,ou=groups,dc=example,dc=com>
org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "_" (95), after : ""
Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "_" (95), after : ""
at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:690)
at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:219)
at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114)
at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94)
at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58)
at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23)
at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:184)
at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:140)
at com.atlassian.crowd.directory.ldap.util.DNStandardiser.standardise(DNStandardiser.java:72)
at com.atlassian.crowd.directory.ldap.mapper.attribute.group.RFC4519MemberDnMapper.getValues(RFC4519MemberDnMapper.java:43)
at com.atlassian.crowd.directory.ldap.mapper.GroupContextMapper.mapFromContext(GroupContextMapper.java:60)
at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:67)
at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:297)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:624)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:535)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:379)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:351)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupObjectsOfSpecifiedGroupType(SpringLDAPConnector.java:1045)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupObjects(SpringLDAPConnector.java:1093)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroups(SpringLDAPConnector.java:1102)
at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.findAllRemoteGroups(RemoteDirectoryCacheRefresher.java:50)
at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.synchroniseAllGroups(RemoteDirectoryCacheRefresher.java:74)
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:42)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobBean.executeInternal(DirectoryPollerJobBean.java:29)
at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
at com.atlassian.confluence.schedule.quartz.ConfluenceQuartzThreadPool$1.run(ConfluenceQuartzThreadPool.java:14)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)原因
The LDAP group mentioned in the stack trace has some invalid entries. See in this example:
dn: cn=Confluence,ou=groups,dc=example,dc=com
owner: confluence-wiki
objectClass: groupOfUniqueNames
objectClass: top
cn: Confluence
uniqueMember: test_user1
uniqueMember: test_user2
In this case, the uniqueMember attributes doesn't have a valid DN, it should inform something like uid=test_user1,ou=users,dc=example,dc=com.
ソリューション
There are two possible solutions to this issue:
- Write a more restrictive group search filter to exclude the problematic group from the synchronization result. See this documentation for more details.
- Fix the invalid entries directly on your LDAP and trigger the synchronization again.
See this documentation for more details about special characters in Crowd.
Last modified on Mar 30, 2016
Powered by Confluence and Scroll Viewport.