LDAP Groups are not being populated with users using FreeIPA

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

Bitbucket Server fails to populate groups with users when hooked to a FreeIPA LDAP server through a User Directory using the FedoraDS connector.

The following message is logged in <BITBUCKET_HOME>/log/atlassian-bitbucket.log:

Main message here:

2014-12-11 15:14:42,957 WARN [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ support ]: [uid=daniel.rohan,cn=users,cn=accounts,dc=bitbucket-internal,dc=local]

Full sync log:

2014-12-11 15:14:42,291 DEBUG [clusterScheduler_Worker-5] c.a.s.i.crowd.HibernateDirectoryDao Updating object: com.atlassian.crowd.model.directory.DirectoryImpl@63f47965[lowerName=ldap,description=<null>,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.FedoraDS,allowedOperations=[CREATE_GROUP, UPDATE_GROUP, UPDATE_GROUP_ATTRIBUTE, DELETE_GROUP, UPDATE_USER_ATTRIBUTE],attributes={directory.cache.synchronise.interval=3600, ldap.read.timeout=300000, ldap.user.displayname=cn, ldap.usermembership.use=false, ldap.search.timelimit=60000, ldap.user.objectclass=posixAccount, ldap.group.objectclass=groupofnames, ldap.user.firstname=givenName, ldap.pagedresults=false, ldap.group.description=description, ldap.pool.timeout=0, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.user.filter=(objectclass=posixAccount), ldap.user.username.rdn=cn, ldap.secure=false, ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.user.encryption=sha, com.atlassian.crowd.directory.sync.lastdurationms=5207, ldap.group.filter=(objectclass=posixGroup), com.atlassian.crowd.directory.sync.laststartsynctime=1418332421895, ldap.nestedgroups.disabled=true, ldap.user.username=uid, ldap.group.dn=cn=groups, ldap.user.email=mail, autoAddGroups=, ldap.basedn=cn=accounts,dc=bitbucket,dc=local, ldap.propogate.changes=false, localUserStatusEnabled=false, ldap.roles.disabled=true, com.atlassian.crowd.directory.sync.currentstartsynctime=1418332482291, ldap.connection.timeout=10000, ldap.url=ldap://bitbucket-internal.local:389, ldap.external.id=ipaUniqueID, ldap.usermembership.use.for.groups=false, ldap.referral=false, ldap.userdn=uid=bitbucket,cn=users,cn=accounts,dc=bitbucket,dc=local, ldap.user.lastname=sn, ldap.pagedresults.size=1000, ldap.group.name=cn, ldap.local.groups=true, ldap.user.dn=cn=users, com.atlassian.crowd.directory.sync.issynchronising=true, ldap.user.password=userPassword}]
2014-12-11 15:14:42,309 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 32770 ] starting
2014-12-11 15:14:42,310 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory Attempting INCREMENTAL synchronisation for directory [ 32770 ]
2014-12-11 15:14:42,310 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory Incremental synchronisation for directory [ 32770 ] was not completed, falling back to a full synchronisation
2014-12-11 15:14:42,310 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteDirectory INCREMENTAL synchronisation for directory [ 32770 ] was not successful, attempting FULL
2014-12-11 15:14:42,349 INFO [clusterScheduler_Worker-5] c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 114 ] remote users in [ 38 ms ]
2014-12-11 15:14:42,541 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 114 ] users for delete in DB cache in [ 191ms ]
2014-12-11 15:14:42,541 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned for deleted users in [ 191ms ]
2014-12-11 15:14:42,663 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanning [ 114 ] users to add or update
2014-12-11 15:14:42,672 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations scanned and compared [ 114 ] users for update in DB cache in [ 119ms ]
2014-12-11 15:14:42,675 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronised [ 114 ] users in [ 122ms ]
2014-12-11 15:14:42,684 INFO [clusterScheduler_Worker-5] c.a.c.d.l.c.RemoteDirectoryCacheRefresher found [ 23 ] remote groups in [ 9 ms ]
2014-12-11 15:14:42,684 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations scanning [ 23 ] groups to add or update
2014-12-11 15:14:42,693 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 23 ] groups for update in DB cache in [ 8ms ]
2014-12-11 15:14:42,701 INFO [clusterScheduler_Worker-5] c.a.c.d.DirectoryCacheImplUsingChangeOperations synchronized [ 23 ] groups in [ 17ms ]
2014-12-11 15:14:42,714 INFO [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations scanned and compared [ 23 ] groups for delete in DB cache in [ 13ms ]
2014-12-11 15:14:42,890 WARN [clusterScheduler_Worker-5] c.a.c.d.DbCachingRemoteChangeOperations Could not add the following missing users to group [ admins ]: [uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local]

Cause

LDAP directory schemas come in two flavours: the RFC-2307 style and the RFC-4519 style. The FedoraDS connector expects RFC-2307.

FreeIPA implements an RFC-4519 schema, similar to OpenLDAP or Active Directory.

The underlying problem is that FreeIPA's directory schema is not the one the FedoraDS connector understands, so the group membership it reads back does not resolve to users.
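To make the distinction concrete, here is an added Python example; it is not code from this KB, nor from Bitbucket or Crowd. It models the two membership conventions on constructed user and group entries whose DNs mirror those in the log above. Reading a groupOfNames entry whose member values are DNs with RFC-2307 assumptions (each value is a bare username) produces exactly the "missing users" outcome seen in the warning, while reading the same entry as RFC-4519 resolves each DN to a user. The entry contents, the lookup tables and the detect_style heuristic are this example's own assumptions, not the connector's actual logic.

```python
# Added example, not code from the Atlassian KB or from Bitbucket/Crowd.
# It models the two membership conventions the Cause section names and shows
# why reading an RFC 4519 style group with RFC 2307 assumptions yields the
# "Could not add the following missing users" warning. All entries below are
# constructed; the DNs mirror the ones in the article's log.

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs. Handles simple DNs only
    (no escaped commas), which is enough for the constructed entries here."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]

def looks_like_dn(value):
    """True when every comma-separated component has the form attr=value."""
    return all(len(p) == 2 and p[0] and p[1] for p in parse_dn(value))

# Constructed user entries keyed by DN (assumption: uid is the username).
USERS = {
    "uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local": {"uid": "admin"},
    "uid=daniel.rohan,cn=users,cn=accounts,dc=bitbucket,dc=local": {"uid": "daniel.rohan"},
}
USERS_BY_UID = {entry["uid"]: dn for dn, entry in USERS.items()}

# Constructed group entries. The first two follow the RFC 4519 convention
# (groupOfNames, member = full DN) as FreeIPA does; the third follows the
# RFC 2307 convention (posixGroup, memberUid = bare username).
GROUPS = {
    "cn=admins,cn=groups,cn=accounts,dc=bitbucket,dc=local": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=admin,cn=users,cn=accounts,dc=bitbucket,dc=local"],
    },
    "cn=support,cn=groups,cn=accounts,dc=bitbucket,dc=local": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=daniel.rohan,cn=users,cn=accounts,dc=bitbucket,dc=local"],
    },
    "cn=developers,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "memberUid": ["admin", "daniel.rohan"],
    },
}

def members_rfc2307(group, member_attr):
    """RFC 2307 reading: each value of the membership attribute is a username.
    Returns (resolved usernames, values that matched no user)."""
    resolved, missing = [], []
    for value in group.get(member_attr, []):
        (resolved if value in USERS_BY_UID else missing).append(value)
    return resolved, missing

def members_rfc4519(group, member_attr):
    """RFC 4519 reading: each value is the DN of a user entry, resolved to its uid."""
    resolved, missing = [], []
    for value in group.get(member_attr, []):
        if value in USERS:
            resolved.append(USERS[value]["uid"])
        else:
            missing.append(value)
    return resolved, missing

def detect_style(group):
    """Heuristic (this example's own) a practitioner can apply to one group entry
    before choosing a connector type: DN-valued membership means RFC 4519 style."""
    if group.get("member") and all(looks_like_dn(v) for v in group["member"]):
        return "rfc4519"
    if group.get("memberUid"):
        return "rfc2307"
    return "unknown"

def sync_warning(group_dn, missing):
    """Render the warning in the shape the article's log shows."""
    name = parse_dn(group_dn)[0][1]
    return f"Could not add the following missing users to group [ {name} ]: [{', '.join(missing)}]"

if __name__ == "__main__":
    # Read every group the way the FedoraDS connector configuration above does
    # (ldap.group.usernames=member treated as usernames) and report the outcome.
    for dn, group in GROUPS.items():
        style = detect_style(group)
        attr = "memberUid" if style == "rfc2307" else "member"
        ok, missing = members_rfc2307(group, attr)
        print(f"{dn}: style={style} resolved={ok}")
        if missing:
            print("  " + sync_warning(dn, missing))
```

Running the file prints each constructed group with its detected style; the two FreeIPA-style groups produce the same warning text as the log, and the posixGroup resolves cleanly, which is the contrast the Cause section is describing.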

Resolution

The "fix" is to remove the connector, and re-create it with the type "Generic Directory Server" instead of "FedoraDS".

Bear in mind that FreeIPA is not officially supported, so there is no "FreeIPA" choice in the drop-down (see CWD-4134 - Support FreeIPA Roles/Permissions/Privileges).

This is why you must choose "Generic Directory Server" instead.

Updated on April 8, 2025
