New or deleted users and groups from active directory are not synchronised in JIRA applications
Symptoms
- New users and/or groups added to Active Directory (AD) do not show up in JIRA applications after a synchronisation.
- Deleted users and/or groups from AD are not removed from JIRA applications after a synchronisation.
The following may appear in the atlassian-jira.log:
2012-12-27 18:41:13,339 http-bio-8080-exec-5 WARN localadmin 1121x1658x1 xlmwkq 172.16.8.130,192.168.72.4 /plugins/servlet/embedded-crowd/directories/troubleshoot/ [directory.ldap.mapper.UserContextMapper] Failed to map attribute <uSNChanged> from context with DN <cn=Aquaman,ou=Heroes,dc=avengers,dc=com>
java.lang.NullPointerException
at com.atlassian.crowd.directory.ldap.mapper.attribute.USNChangedMapper.getValues(USNChangedMapper.java:28)
at com.atlassian.crowd.directory.ldap.mapper.UserContextMapper.mapFromContext(UserContextMapper.java:57)
at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:67)
at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:297)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
Diagnosis
Note that from JIRA 6.1, which includes JRA-24937, a user that has been synchronised to JIRA and later removed from the LDAP server is not deleted from JIRA; it will still appear in JIRA as an inactive user.
Either of the following can be used to verify if this is the problem.
- Disable incremental synchronisation and then synchronise the User Directory; this triggers a full synchronisation instead of an incremental one. If the users and/or groups that were modified in Active Directory are now added to or removed from JIRA, this confirms the problem.
- Check whether the user to be modified within JIRA applications shows the uSNChanged attribute when Active Directory is queried as the account JIRA binds with. Every AD object carries uSNChanged, so if the attribute is not returned, the bind account is almost certainly not permitted to read it, and this problem will affect JIRA. The DN of that user can be found in the logs above. Below is an LDIF export of that user, in which uSNChanged is missing:
dn: cn=Aquaman,ou=Heroes,dc=avengers,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Aquaman
sn: other
givenName: Aquaman
initials: Aqua
distinguishedName: cn=Aquaman,ou=Heroes,OU=bbscratch,dc=avengers,dc=com
displayName: Aquaman
name: Aquaman
objectGUID:: vvpujBfH5kyXQuT3U2dTBw==
codePage: 0
countryCode: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAIrfv8Z/tmbiWzGjpVwcAAA==
sAMAccountName: other
sAMAccountType: 805306368
userPrincipalName: aquaman@avengers.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,dc=avengers,dc=com
If the user has been deleted, see Microsoft's How to search for deleted objects in Active Directory KB for information on how to find it. Additionally, as per our deleting a user documentation, we do not recommend deleting users in JIRA applications.
Cause
When a JIRA application connects to Active Directory it tries to do an incremental synchronisation, pulling in only the groups and users that have changed since the last time it synchronised. To do this it needs access to two things:
- Read access to the uSNChanged attribute on all the users and groups in the directory that need to be synchronised.
- Read access to the objects and attributes in the Deleted Objects container.
JIRA will not correctly synchronise with AD if either of these conditions is not met. JIRA synchronises as described in Microsoft's Polling for Changes Using USNChanged MSDN article.
A bug has been raised for this under CWD-2713.
Workaround
Stop using incremental synchronisation, so that the complete directory is synchronised each time. This is acceptable for small directories, but is not recommended for large directories, as a full synchronisation is a resource-intensive operation. This option can be set in the "Advanced Settings" section of your AD configuration in JIRA.
Solution
Make sure the account the JIRA application uses to synchronise with Active Directory has read access to the following:
- The uSNChanged attribute of all the groups and users that need to be synchronised against JIRA.
- The Deleted Objects container. For further information on granting this, see Microsoft's How to let non-administrators view the Active Directory deleted objects container in Windows Server 2003 and in Windows 2000 Server KB.