LDAP User Unable to Login to Hipchat Server due to Membership in Restricted Group

Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

This version of Hipchat Server is no longer supported

This article applies to a version of Hipchat Server which is beyond the Atlassian End of Life policy, and is no longer supported.

When was my version deprecated?

The following versions have been deprecated:

  • Hipchat Server 1.3 (EOL Date: Aug 17, 2017)

The following versions will be deprecated soon:

  • Hipchat Server 2.0 (EOL Date: Jun 17, 2018)
  • Hipchat Server 2.1 (EOL Date: Dec 8, 2018)
  • Hipchat Server 2.2 (EOL Date: May 30, 2019)

You can read more in Atlassian's End of Life policy.

You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes. If possible, you should also consider deploying Hipchat Data Center instead.

Problem

LDAP users are not able to log in.

The following appears in /var/log/hipchat/atlassian-crowd.log:

2016-02-13 04:28:35,648 http-bio-8095-exec-3 ERROR [common.error.jersey.ThrowableExceptionMapper] Uncaught exception thrown by REST service: at index 18
java.lang.NullPointerException: at index 18
	at com.google.common.collect.ImmutableList.checkElementNotNull(ImmutableList.java:305)
	at com.google.common.collect.ImmutableList.construct(ImmutableList.java:296)
	at com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:289)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:247)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:217)
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:387)
	at com.atlassian.crowd.directory.RFC4519Directory.searchGroupRelationshipsWithGroupTypeSpecified(RFC4519Directory.java:476)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupRelationships(SpringLDAPConnector.java:1579)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:364)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:300)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:206)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:184)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:305)

 

Cause

The problem occurs because the LDAP account configured in Hipchat Server does not have sufficient rights to access all groups, for example when one of the groups that the user is a member of cannot be read by the LDAP account used by Hipchat Server. The stack trace above shows the failure in MicrosoftActiveDirectory.findGroupMembershipNames, where the list of group names being copied contains a null element.

This is a bug in Crowd, tracked as CWD-4206. Hipchat Server uses the Crowd service to handle directory integration and directory user authentication.

Diagnosis

You can find the culprit group/user by running Get-ADGroup and Get-ADGroupMember with the recursive flag enabled; the command returns an error for the problematic group/user.
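One way to script that check, as an added example rather than an Atlassian-provided tool: it reads the affected user's memberOf list, then repeats Get-ADGroup and Get-ADGroupMember -Recursive for each group under the credentials of the LDAP account that Hipchat Server uses. The function name Find-UnreadableGroup and the user name jdoe are hypothetical, and the script assumes your own session can read the user's full memberOf list.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original article). Find-UnreadableGroup and 'jdoe'
# are hypothetical names chosen for illustration.

function Find-UnreadableGroup {
    param(
        # sAMAccountName of the user who cannot log in to Hipchat Server
        [Parameter(Mandatory)] [string] $UserName,
        # Credentials of the LDAP account configured in Hipchat Server
        [Parameter(Mandatory)] [pscredential] $BindCredential
    )

    # Assumption: the current (admin) session can read the user's complete memberOf list.
    $user = Get-ADUser -Identity $UserName -Properties MemberOf

    foreach ($dn in $user.MemberOf) {
        $row = [pscustomobject]@{ Group = $dn; Readable = $true; Error = $null }
        try {
            # Repeat both lookups as the bind account. -ErrorAction Stop turns a
            # failed lookup into an exception so it lands in the catch block.
            Get-ADGroup -Identity $dn -Credential $BindCredential -ErrorAction Stop |
                Out-Null
            Get-ADGroupMember -Identity $dn -Recursive -Credential $BindCredential `
                -ErrorAction Stop | Out-Null
        }
        catch {
            # Keep the message: it shows whether the group itself or a nested
            # member could not be read.
            $row.Readable = $false
            $row.Error    = $_.Exception.Message
        }
        $row
    }
}

# Prompt for the bind account's password instead of storing it in the script.
$cred = Get-Credential -Message 'LDAP account used by Hipchat Server'

Find-UnreadableGroup -UserName 'jdoe' -BindCredential $cred |
    Where-Object { -not $_.Readable } |
    Format-List Group, Error
```

Any group listed in the output is a candidate for the workarounds below; read the error text to confirm the failure is an access problem before changing permissions.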

Workaround

An admin can do one of the following:

  • Allow the LDAP account used by Hipchat Server read access to the problematic group.
  • Remove the user from this group.
  • Uncheck the "Use the User Membership Attribute" option under Membership Schema Settings in the directory configuration. This effectively prevents the use of the memberOf attribute to look up the user's group memberships (the member attribute on the group's side is used instead).

Resolution

CWD-4206 has been fixed in Crowd version 2.9.1. Keep your Hipchat Server up to date to ensure that you are no longer affected by the bug.

Last modified on Jan 19, 2018
