User Lookups Fail With PartialResultExceptions


Symptoms

Searching for users in Crowd, JIRA or Confluence (with Active Directory integrated) fails with an exception of the form below:

Operation failed; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: mycompany.com:389 [Root exception is XXXXX: mycompany.com]]

The innermost root exception, shown above as XXXXX, can be either:

  • javax.naming.PartialResultException
  • java.net.UnknownHostException

Cause

Background

  1. Active Directory domain controllers are integrated with DNS and register their own records in the DNS server.
  2. Active Directory servers have a referral to themselves (to the domain's DNS name) in the root of their LDAP tree.
  3. If the Crowd (or JIRA, or Confluence) server is pointed at the root of the LDAP tree and "Follow Referrals" is turned on (which is the default), then:
  4. Crowd searches for users.
  5. The AD server responds with the users it holds plus the referral from the root of the LDAP tree, because there could be more users at the referred location.
  6. Crowd follows the referral, which results in:
    1. a DNS lookup of the base DN converted to a host name (dc=mycompany,dc=com means a lookup for mycompany.com)
    2. a connection to port 389 or 636 on mycompany.com, which leads back to the same domain
  7. Crowd continues and reads the rest of the objects in the domain as normal.

If "java.net.UnknownHostException" is being reported

The root cause of the symptoms described would be:

Root exception is java.net.UnknownHostException: mycompany.com

This is step 6.1 failing: Crowd/JIRA/Confluence cannot perform a DNS lookup on the referral target returned from the AD server root.
Problems like this are most commonly caused by the server that Crowd is running on not using the same DNS server as the Active Directory server.

To check if this is the case:

  1. Turn off 'Follow Referrals' in the 'Connector' tab.
  2. Connect to the root DN of the LDAP server.
  3. If no errors appear in the logs, the problem is a DNS error.
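As an added example (not Atlassian's code and not part of the original article), the following Python script automates the mapping described above: it parses the nested JNDI exception message shown under Symptoms, derives the referral target from the base DN exactly as step 6.1 does (dc=mycompany,dc=com becomes mycompany.com), and reports which of the two root causes applies together with the action this article recommends. The sample log line is constructed to match the shape shown above, and the function names are this example's own.

```python
"""Triage a 'User Lookups Fail With PartialResultExceptions' log line.

Added example (not Atlassian code): it parses the nested JNDI exception
message, derives the host name that AD's root referral makes the client
resolve from the base DN, and maps the innermost root exception to the
cause described in this article. Sample log lines are constructed.
"""
import re
import socket

# Constructed sample in the shape shown under Symptoms (not a captured log).
SAMPLE_DNS_FAILURE = (
    "Operation failed; nested exception is javax.naming.PartialResultException "
    "[Root exception is javax.naming.CommunicationException: mycompany.com:389 "
    "[Root exception is java.net.UnknownHostException: mycompany.com]]"
)

# JNDI's NamingException.toString() nests causes as "[Root exception is <class>: <detail>]".
ROOT_RE = re.compile(r"Root exception is ([\w.$]+Exception)(?::\s*([^\s\[\]()]+))?")


def referral_host_from_base_dn(base_dn: str) -> str:
    """dc=mycompany,dc=com -> mycompany.com: the name looked up in step 6.1."""
    dcs = [
        part.strip().split("=", 1)[1]
        for part in base_dn.split(",")
        if part.strip().lower().startswith("dc=")
    ]
    if not dcs:
        raise ValueError(f"no dc= components in base DN {base_dn!r}")
    return ".".join(dcs)


def exception_chain(message: str) -> list:
    """Return [(exception_class, host_or_None), ...] from outermost to innermost."""
    chain = []
    for cls, detail in ROOT_RE.findall(message):
        host = re.sub(r":\d+$", "", detail) if detail else None  # drop a trailing ':389'
        chain.append((cls, host))
    return chain


def triage(message: str, base_dn: str) -> dict:
    """Classify the failure and say which host the application server failed to reach."""
    chain = exception_chain(message)
    root_cls = chain[-1][0] if chain else None
    # Innermost exception that names a host (PartialResultException often names none).
    failing_host = next((h for _, h in reversed(chain) if h), None)
    referral_host = referral_host_from_base_dn(base_dn)

    if root_cls == "java.net.UnknownHostException":
        category = "dns"
        advice = (f"The application server cannot resolve {failing_host}: point it at the "
                  "DNS server AD is integrated with; as a test only, add a hosts entry "
                  "or switch to Global Catalog port 3268.")
    elif root_cls in ("javax.naming.PartialResultException",
                      "javax.naming.CommunicationException"):
        category = "referral"
        advice = ("Following AD's root referral failed: disable 'Follow Referrals' "
                  "or search the Global Catalog on port 3268.")
    else:
        category = "unknown"
        advice = "Not the referral/DNS pattern described in this article."

    return {
        "root_exception": root_cls,
        "failing_host": failing_host,
        "referral_host": referral_host,
        # True confirms the scenario: the unresolved name is the base DN's domain name.
        "failing_host_is_referral_target": failing_host == referral_host,
        "category": category,
        "advice": advice,
    }


def resolves(host: str) -> bool:
    """Live check for step 6.1, run from the application server itself (network-dependent)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    result = triage(SAMPLE_DNS_FAILURE, "dc=mycompany,dc=com")
    for key, value in result.items():
        print(f"{key}: {value}")
    print(f"resolves({result['referral_host']}): {resolves(result['referral_host'])}")
```

Run it on the application server (not on a workstation), because the point of the DNS case is that the application server's resolver, not the administrator's, cannot resolve the referral target; `resolves()` is the only part that touches the network.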

Diagnosis

Below are some diagnostic steps to check that your AD server is accessible from Confluence (the same applies to Crowd and JIRA). Do not use them as a permanent solution:

  1. Change the LDAP port to the Global Catalog port, 3268, instead of 389 (the Global Catalog does not tell the client to chase referrals).
  2. OR add a hosts entry mapping the name the exception reports to the AD server's IP address, for example:

    <ip address>  activedirectory.yourcompany.com

    In the UnknownHostException case the unresolved name is the domain name taken from the referral (mycompany.com in the example above), so that is the name the entry must cover. Add it to one of the following files:

  • UNIX: /etc/hosts
  • Windows: \Windows\System32\drivers\etc\hosts

Solution

Fixing the DNS configuration problem

  1. The issue lies in the AD DNS configuration and is therefore beyond the scope of Atlassian support. We suggest involving your AD administrator to fix it by configuring the server that Crowd is running on to use the DNS server that the Active Directory server is integrated with.
  2. If this is not possible, disable 'Follow Referrals'. See also CWD-1096.

What happens if you disable 'Follow Referrals'?

  • If you have only one domain, the change has no adverse effect.
  • If multiple domains participate in the forest, cross-domain memberships will no longer be resolved.
    • If you must have cross-domain memberships and you can't fix the DNS issues, then you can point Crowd at your Global Catalog. This is read-only, but it does contain all users, groups, and memberships from across your Forest. Talk to your AD admin for Global Catalog connection details.

Last updated: 26 February 2016
