Lexical error during directory synchronization
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
During synchronization with an LDAP directory, the following appears in atlassian-confluence.log:
2011-12-15 11:54:52,422 ERROR [QuartzScheduler_Worker-8] [directory.ldap.mapper.GroupContextMapper] mapFromContext Failed to map attribute <memberDNs> from context with DN <cn=Confluence,ou=groups,dc=example,dc=com>
org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "_" (95), after : ""
Caused by: org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5. Encountered: "_" (95), after : ""
at org.springframework.ldap.core.DnParserImplTokenManager.getNextToken(DnParserImplTokenManager.java:690)
at org.springframework.ldap.core.DnParserImpl.jj_consume_token(DnParserImpl.java:219)
at org.springframework.ldap.core.DnParserImpl.SpacedEquals(DnParserImpl.java:114)
at org.springframework.ldap.core.DnParserImpl.attributeTypeAndValue(DnParserImpl.java:94)
at org.springframework.ldap.core.DnParserImpl.rdn(DnParserImpl.java:58)
at org.springframework.ldap.core.DnParserImpl.dn(DnParserImpl.java:23)
at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:184)
at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:140)
at com.atlassian.crowd.directory.ldap.util.DNStandardiser.standardise(DNStandardiser.java:72)
at com.atlassian.crowd.directory.ldap.mapper.attribute.group.RFC4519MemberDnMapper.getValues(RFC4519MemberDnMapper.java:43)
at com.atlassian.crowd.directory.ldap.mapper.GroupContextMapper.mapFromContext(GroupContextMapper.java:60)
at org.springframework.ldap.core.ContextMapperCallbackHandler.getObjectFromNameClassPair(ContextMapperCallbackHandler.java:67)
at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:297)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:237)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:624)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:535)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:379)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:351)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupObjectsOfSpecifiedGroupType(SpringLDAPConnector.java:1045)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupObjects(SpringLDAPConnector.java:1093)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroups(SpringLDAPConnector.java:1102)
at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.findAllRemoteGroups(RemoteDirectoryCacheRefresher.java:50)
at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.synchroniseAllGroups(RemoteDirectoryCacheRefresher.java:74)
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:42)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:619)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:63)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobBean.executeInternal(DirectoryPollerJobBean.java:29)
at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:86)
at org.quartz.core.JobRunShell.run(JobRunShell.java:199)
at com.atlassian.confluence.schedule.quartz.ConfluenceQuartzThreadPool$1.run(ConfluenceQuartzThreadPool.java:14)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
Cause
The LDAP group named in the stack trace contains invalid entries, as in this example:
dn: cn=Confluence,ou=groups,dc=example,dc=com
owner: confluence-wiki
objectClass: groupOfUniqueNames
objectClass: top
cn: Confluence
uniqueMember: test_user1
uniqueMember: test_user2
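In this case, the uniqueMember attributes do not contain valid DNs. Each value should be a full DN, such as uid=test_user1,ou=users,dc=example,dc=com. This matches the log message: the underscore is the fifth character of test_user1, which is where the DN parser expects an = after the attribute type.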
Resolution
There are two possible solutions to this issue:
Write a more restrictive group search filter to exclude the problematic group from the synchronization result. See this documentation for more details.
Fix the invalid entries directly on your LDAP and trigger the synchronization again.
ℹ️ See this documentation for more details about special characters in Crowd.
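To locate the invalid entries before fixing them, the following added example (not Atlassian's code) scans an LDIF export of group objects and reports membership values that are not DNs. It assumes unfolded, non-base64 LDIF and membership stored in member or uniqueMember; the function names are illustrative, and the DN check is a simplified RFC 4514 test rather than the Spring LDAP parser.

```python
import re

# Attribute type per RFC 4514: a short name (letters, digits, hyphens) or a dotted OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
# Split on ',' or '+' unless it is escaped with a preceding backslash.
RDN_SPLIT = re.compile(r"(?<!\\)[,+]")
MEMBER_ATTRS = {"member", "uniquemember"}  # assumption: membership attributes in use


def is_valid_dn(value):
    """Simplified check: every RDN component must have the form type=value."""
    if not value.strip():
        return False
    for part in RDN_SPLIT.split(value):
        attr, sep, val = part.partition("=")
        if not sep or not ATTR_TYPE.match(attr.strip()) or not val.strip():
            return False
    return True


def find_invalid_members(ldif_text):
    """Return (group_dn, attribute, value) for each member value that is not a DN."""
    findings, group_dn = [], None
    for line in ldif_text.splitlines():
        if not line.strip():
            group_dn = None  # a blank line ends an LDIF entry
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            group_dn = value
        elif name.lower() in MEMBER_ATTRS and not is_valid_dn(value):
            findings.append((group_dn, name, value))
    return findings


# Constructed sample: the group from this article (one member corrected)
# plus one well-formed group.
SAMPLE_LDIF = """\
dn: cn=Confluence,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: test_user1
uniqueMember: uid=test_user2,ou=users,dc=example,dc=com

dn: cn=Admins,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=admin,ou=users,dc=example,dc=com
"""

if __name__ == "__main__":
    for dn, attr, value in find_invalid_members(SAMPLE_LDIF):
        print(f"{dn}: {attr} value is not a DN: {value!r}")
```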