Unable to Deactivate User That Belongs to an Active Directory (AD) User Directory With NULL Errors


Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.

Problem

When you try to deactivate a user that belongs to an AD user directory, a NULL error appears and the user cannot be deactivated.

The following appears in atlassian-crowd.log:

2016-03-03 13:57:17,889 http-bio-8095-exec-4078 ERROR [console.action.principal.UpdatePrincipal] null
java.lang.NumberFormatException: null
	at java.lang.Long.parseLong(Long.java:552)
	at java.lang.Long.parseLong(Long.java:631)
	at com.atlassian.crowd.directory.ldap.mapper.attribute.UserAccountControlUtil.enabledUser(UserAccountControlUtil.java:25)
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.getUserModificationItems(MicrosoftActiveDirectory.java:927)
	at com.atlassian.crowd.directory.SpringLDAPConnector.updateUser(SpringLDAPConnector.java:1006)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateUser(DbCachingRemoteDirectory.java:538)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.updateUser(DirectoryManagerGeneric.java:365)

or

2016-03-03 13:58:24,248 http-bio-8095-exec-4039 ERROR [console.action.principal.UpdatePrincipal] User renaming is not supported for LDAP directories.
com.atlassian.crowd.exception.OperationNotSupportedException: User renaming is not supported for LDAP directories.
	at com.atlassian.crowd.directory.SpringLDAPConnector.renameUser(SpringLDAPConnector.java:742)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.renameUser(DbCachingRemoteDirectory.java:566)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.renameUser(DirectoryManagerGeneric.java:390)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)

Cause

Crowd is unable to read a certain user attribute from AD. As a result, Crowd passes the attribute value as "NULL", and therefore throws the NULL error.

This issue arises when the AD user that Crowd uses to bind to AD has no permission to read this attribute.
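To confirm that a failed deactivation matches this cause, the log can be searched for the two stack-trace signatures quoted above. The following is an added example, not Atlassian code: the function names and signature labels are hypothetical, and the sample input is abbreviated from the excerpts in this article plus one constructed INFO line.

```python
import re

# Header of a Crowd log entry: timestamp, thread, level, [logger], message.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ "
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)

# Exception text plus the identifying frame from each trace in this article.
SIGNATURES = {
    "null-attribute-parse": ("java.lang.NumberFormatException: null",
                             "UserAccountControlUtil.enabledUser"),
    "rename-not-supported": ("OperationNotSupportedException: User renaming",
                             "SpringLDAPConnector.renameUser"),
}

def split_entries(lines):
    """Group continuation lines (exception and frames) under their header."""
    entries = []
    for line in lines:
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "body": []})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries

def triage(lines):
    """Return (timestamp, label) for each matching UpdatePrincipal error."""
    hits = []
    for e in split_entries(lines):
        if e["level"] != "ERROR" or not e["logger"].endswith("UpdatePrincipal"):
            continue
        body = "\n".join(e["body"])
        for name, needles in SIGNATURES.items():
            if all(n in body for n in needles):
                hits.append((e["ts"], name))
    return hits

# Sample input: first line is constructed, the rest is abbreviated from above.
SAMPLE = """\
2016-03-03 13:57:00,000 http-bio-8095-exec-1 INFO [constructed.example.Logger] unrelated entry
2016-03-03 13:57:17,889 http-bio-8095-exec-4078 ERROR [console.action.principal.UpdatePrincipal] null
java.lang.NumberFormatException: null
\tat com.atlassian.crowd.directory.ldap.mapper.attribute.UserAccountControlUtil.enabledUser(UserAccountControlUtil.java:25)
2016-03-03 13:58:24,248 http-bio-8095-exec-4039 ERROR [console.action.principal.UpdatePrincipal] User renaming is not supported for LDAP directories.
com.atlassian.crowd.exception.OperationNotSupportedException: User renaming is not supported for LDAP directories.
\tat com.atlassian.crowd.directory.SpringLDAPConnector.renameUser(SpringLDAPConnector.java:742)
""".splitlines()
```

For a real log, pass the lines of atlassian-crowd.log to triage(); a "null-attribute-parse" hit points at the bind account's read permissions rather than at the user being edited.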

Solution

Ensure that the AD user used to bind the external directory belongs to the built-in Administrators group on the AD side.

As described in the documentation:

Ensure that this is an administrator user for the LDAP engine. For example, in Active Directory the user will need to be a member of the built-in Administrators group. The specific privileges for the LDAP user that is used to connect to LDAP are bind and read (user info, group info, group membership, update sequence number, deleted objects). The need for admin privileges is because a normal user can't access uSNChanged attribute and deleted objects container, causing incremental sync to fail silently.

 

Last modified on November 2, 2018
