LDAP synchronization fails due to invalid search filter containing negation element (!)

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

The LDAP synchronization fails with the following message in the atlassian-jira.log:

1 2 3 4 2013-07-17 12:59:17,204 QuartzScheduler_Worker-2 ERROR ServiceRunner [atlassian.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10000 ]. com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.InvalidSearchFilterException: Filter (!) cannot be followed by more than one filters; nested exception is javax.naming.directory.InvalidSearchFilterException: Filter (!) cannot be followed by more than one filters; remaining name 'dc=example,dc=com' at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllGroups(UsnChangedCacheRefresher.java:200) ...

Cause

Due to restrictions of the LDAP protocol, filters containing 'not' or 'negation'('!') must have one and only one filter element. Example of an invalid filter:

1 (&(objectCategory=Group)(!(CN=confluence*)(!(CN=jira*))))

ℹ️ See more details about LDAP filters in this documentation.

Resolution

To solve this issue you can either:

  • Remove one of the negation operators. Example:

    1 (&(objectCategory=Group)(!(CN=confluence*)))

  • Or wrap all elements within the OR operator (pipe symbol '|'). Example:

    1 (&(objectCategory=Group)(!(|(CN=confluence*)(CN=jira*))))
Updated on April 8, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageSymptomsCauseResolution

Still need help?

The Atlassian Community is here for you.
Ask the Community