Unable to Deactivate User That Belongs to an Active Directory (AD) User Directory With NULL Errors
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
問題
While trying to deactivate a user that belongs to an AD user directory, the NULL error appears and user is unable to be deactivated:
The following appears in the atlassian-crowd.log.log
2016-03-03 13:57:17,889 http-bio-8095-exec-4078 ERROR [console.action.principal.UpdatePrincipal] null
java.lang.NumberFormatException: null
at java.lang.Long.parseLong(Long.java:552)
at java.lang.Long.parseLong(Long.java:631)
at com.atlassian.crowd.directory.ldap.mapper.attribute.UserAccountControlUtil.enabledUser(UserAccountControlUtil.java:25)
at com.atlassian.crowd.directory.MicrosoftActiveDirectory.getUserModificationItems(MicrosoftActiveDirectory.java:927)
at com.atlassian.crowd.directory.SpringLDAPConnector.updateUser(SpringLDAPConnector.java:1006)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateUser(DbCachingRemoteDirectory.java:538)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.updateUser(DirectoryManagerGeneric.java:365)または
2016-03-03 13:58:24,248 http-bio-8095-exec-4039 ERROR [console.action.principal.UpdatePrincipal] User renaming is not supported for LDAP directories.
com.atlassian.crowd.exception.OperationNotSupportedException: User renaming is not supported for LDAP directories.
at com.atlassian.crowd.directory.SpringLDAPConnector.renameUser(SpringLDAPConnector.java:742)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.renameUser(DbCachingRemoteDirectory.java:566)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.renameUser(DirectoryManagerGeneric.java:390)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)原因
Crowd unable to read a certain user attribute from AD. This caused Crowd to pass the attribute value "NULL", and therefore, Crowd throws the NULL error.
This issue arises when the AD user that Crowd is using to bind CROWD with AD has no permission to read this attribute.
ソリューション
Ensure that the AD user used to bind the external directory belongs to the built-in Administrators group on AD side.
As per described in the documentation:
Ensure that this is an administrator user for the LDAP engine. For example, in Active Directory the user will need to be a member of the built-in Administrators group. The specific privileges for the LDAP user that is used to connect to LDAP are bind and read (user info, group info, group membership, update sequence number, deleted objects). The need for admin privileges is because a normal user can't access uSNChanged attribute and deleted objects container, causing incremental sync to fail silently.