問題

Clients who use AWS with Crowd may wish to setup a second Failover Directory so that their users can login to their Atlassian products. If they follow the procedure to copy a directory as per the article Configuring a delegated authentication directory, specifically the following:

次のステップ

After configuring your new directory:

1. Map the directory to the appropriate applications.
2. Consider how you would like to add your users to Crowd's Delegated Authentication directory. There are a few options:
   • Manually add the users to the Crowd directory.
   • Use Crowd's Directory importer to copy your LDAP users into your Delegated Authentication directory.
   • Let Crowd do it for you, at login time by enabling the Synchronize User Detailsoption when you configure the directory.

The directory copy will appear to fail

The following message will appear in the Crowd Administrators User Interface:

Your request could not be processed because a required security token was not present in the request. You may need to re-submit the form or reload the page. ou may need to re-submit the form or reload the page.

診断

環境

• If your Crowd instance is inside of AWS and is using an Amazon Load Balancer (ALB) for the application, then you are effected by the ALB settings.
• Check to see what the timeout is set to inside of AWS for your ALB

原因

The maximum amount of time that the ALB will allow for an HTTP/HTTPS request is 4000 seconds. This is hardcoded in the ALB and can not be altered. That is the set maximum value allowed.

回避策

The directory copy will actually complete, but it will take time to do so. The only workaround inside of AWS if you wish to use the Directory Copy method above is to add debug logging for Crowd in the instance in the Crowd application's Administrator's UI. 

1. Login to Crowd as an Administrator
2. Navigate to the Logging and Profiling section as shown:

Next, set the packages com.atlassian.crowd  and the root logger to DEBUG and click the Update logging button:

The system will show the progression of the Directory Copy in the logs, as this will continue in background, but the Administrator's UI will present the message that was previously noted. 

 The directory copy will succeed, but the Admin UI will not show the completion due to the ALB timeout of 4000 seconds, which is a little over one hour and six minutes.

代替の解決策

You can setup a second directory without using the Directory Copy feature. This will prevent the issue from occurring.