User Directory (Active Directory) Synchronisation is failing with 'Unable to find the groupname of the principal'
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
User Directory (Active Directory 2008 R2) synchronization fails with the error 'Unable to find the groupname of the principal'.
Environment
8.20.3
Diagnosis
The following events can be seen in atlassian-jira.log:
2022-01-01 00:00:33,768+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] FULL synchronisation for directory [ 10100 ] starting
2022-01-01 00:00:34,944+0000 CrowdUsnChangedCacheRefresher:thread-1 INFO ServiceRunner [c.a.c.d.synchronisation.cache.UsnChangedCacheRefresher] found [ 769 ] remote users in [ 1174ms ]
2022-01-01 00:00:34,966+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] scanned and compared [ 769 ] users for delete in DB cache in [ 20ms ]
2022-01-01 00:00:34,966+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] scanned for deleted users in [ 20ms ]
2022-01-01 00:00:34,980+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] scanning [ 769 ] users to add or update
2022-01-01 00:00:34,983+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DirectoryCacheImplUsingChangeOperations] scanned and compared [ 769 ] users for update in DB cache in [ 17ms ]
2022-01-01 00:00:34,983+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DirectoryCacheImplUsingChangeOperations] synchronised [ 769 ] users in [ 17ms ]
2022-01-01 00:00:36,493+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.monitoring.TimedSupplier] Timed call for search with handler on baseDN: DC=domain,DC=local, filter: (objectCategory=Group) took 1596ms
2022-01-01 00:00:39,284+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.monitoring.TimedSupplier] Timed call for search with handler on baseDN: DC=domain,DC=local, filter: (objectCategory=Group) took 2791ms
2022-01-01 00:00:40,543+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.monitoring.TimedSupplier] Timed call for search with handler on baseDN: DC=domain,DC=local, filter: (objectCategory=Group) took 1258ms
2022-01-01 00:00:42,414+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.monitoring.TimedSupplier] Timed call for search with handler on baseDN: DC=domain,DC=local, filter: (objectCategory=Group) took 1870ms
2022-01-01 00:00:43,013+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.util.DirectoryAttributeRetriever] Unsafe attribute value <Test\u001FGroup> for attribute <cn>. Context: <CN=TestGroup,OU=DistributionGroup,OU=Groups,DC=domain,DC=local>. . Attribute was skipped.
2022-01-01 00:00:43,013+0000 CrowdUsnChangedCacheRefresher:thread-2 ERROR ServiceRunner [c.a.c.d.l.mapper.entity.LDAPGroupAttributesMapper] The following record does not have a groupname: NameAwareAttribute; attributes: {objectguid=NameAwareAttribute; id: objectGUID; hasValuesAsNames: false; orderMatters: false; values: [[B@2775cc12], cn=NameAwareAttribute; id: cn; hasValuesAsNames: false; orderMatters: false; values: [TestGroup]}
2022-01-01 00:00:43,017+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] failed synchronisation complete for directory [ 10100 ] in [ 9249ms ]
2022-01-01 00:00:43,031+0000 Caesium-1-4 INFO ServiceRunner [c.a.c.e.c.a.j.c.e.ofbiz.OfBizDirectoryDao.directoryCache] Cache com.atlassian.jira.crowd.embedded.ofbiz.OfBizDirectoryDao.directoryCache was flushed
2022-01-01 00:00:43,038+0000 Caesium-1-4 INFO ServiceRunner [c.a.c.e.c.a.j.r.v.i.u.CachingDuplicatedUsersHelper.list.cache] Cache com.atlassian.jira.rest.v2.issue.users.CachingDuplicatedUsersHelper.list.cache was flushed
2022-01-01 00:00:43,039+0000 Caesium-1-4 INFO ServiceRunner [c.a.c.e.c.a.j.application.DefaultApplicationRoleManager.billableUsersCount] Cache com.atlassian.jira.application.DefaultApplicationRoleManager.billableUsersCount was flushed
2022-01-01 00:00:43,041+0000 Caesium-1-4 ERROR ServiceRunner [c.a.crowd.directory.DbCachingDirectoryPoller] Error occurred while refreshing the cache for directory [ 10100 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal.
at com.atlassian.crowd.directory.synchronisation.cache.UsnChangedCacheRefresher.synchroniseAllGroups(UsnChangedCacheRefresher.java:231)
at com.atlassian.crowd.directory.synchronisation.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:50)
at com.atlassian.crowd.directory.synchronisation.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:172)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1095)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.lambda$synchronise$0(DirectorySynchroniserImpl.java:82)
at com.atlassian.crowd.audit.NoOpAuditLogContext.withAuditLogSource(NoOpAuditLogContext.java:17)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:80)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:48)
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobRunner.runJob(DirectoryPollerJobRunner.java:92)
at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:134)
at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:106)
at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:90)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:435)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJob(CaesiumSchedulerService.java:430)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJobWithRecoveryGuard(CaesiumSchedulerService.java:454)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:382)
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:66)
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:60)
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:35)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal.
at java.base/java.util.concurrent.FutureTask.report(Unknown Source)
at java.base/java.util.concurrent.FutureTask.get(Unknown Source)
at com.atlassian.crowd.directory.synchronisation.cache.UsnChangedCacheRefresher.synchroniseAllGroups(UsnChangedCacheRefresher.java:216)
... 19 more
Caused by: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal.
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:453)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:437)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupObjectsOfSpecifiedGroupType(SpringLDAPConnector.java:1106)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupObjects(SpringLDAPConnector.java:1135)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroups(SpringLDAPConnector.java:1160)
at com.atlassian.crowd.directory.synchronisation.cache.UsnChangedCacheRefresher.lambda$synchroniseAll$1(UsnChangedCacheRefresher.java:164)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
... 1 more
Caused by: org.springframework.ldap.UncategorizedLdapException: Unable to find the groupname of the principal.
at com.atlassian.crowd.directory.ldap.mapper.entity.LDAPGroupAttributesMapper.getGroupNameFromAttributes(LDAPGroupAttributesMapper.java:141)
at com.atlassian.crowd.directory.ldap.mapper.entity.LDAPGroupAttributesMapper.mapGroupFromAttributes(LDAPGroupAttributesMapper.java:101)
at com.atlassian.crowd.directory.ldap.mapper.GroupContextMapper.mapFromContext(GroupContextMapper.java:60)
at com.atlassian.crowd.directory.ldap.mapper.GroupContextMapper.mapFromContext(GroupContextMapper.java:27)
at com.atlassian.crowd.directory.ldap.mapper.ContextMapperWithCustomAttributes.mapFromContext(ContextMapperWithCustomAttributes.java:28)
at org.springframework.ldap.core.CollectingNameClassPairCallbackHandler.handleNameClassPair(CollectingNameClassPairCallbackHandler.java:50)
at com.atlassian.crowd.directory.ldap.monitoring.ExecutionInfoNameClassPairCallbackHandler.handleNameClassPair(ExecutionInfoNameClassPairCallbackHandler.java:32)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:367)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$3.timedGet(SpringLdapTemplateWrapper.java:143)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$3.timedGet(SpringLdapTemplateWrapper.java:139)
at com.atlassian.crowd.directory.ldap.monitoring.TimedSupplier.get(TimedSupplier.java:37)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:85)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:139)
at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:394)
... 10 more
Cause
During the sync, Jira logs that an unsafe attribute value was found and that the attribute was skipped (note the non-printable character \u001F in the group's cn attribute). With cn skipped, the group record has no group name, which is the error reported on the next line:
2022-01-01 00:00:43,013+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.util.DirectoryAttributeRetriever] Unsafe attribute value <Test\u001FGroup> for attribute <cn>. Context: <CN=TestGroup,OU=DistributionGroup,OU=Groups,DC=domain,DC=local>. . Attribute was skipped.
2022-01-01 00:00:43,013+0000 CrowdUsnChangedCacheRefresher:thread-2 ERROR ServiceRunner [c.a.c.d.l.mapper.entity.LDAPGroupAttributesMapper] The following record does not have a groupname: NameAwareAttribute; attributes: {objectguid=NameAwareAttribute; id: objectGUID; hasValuesAsNames: false; orderMatters: false; values: [[B@2775cc12], cn=NameAwareAttribute; id: cn; hasValuesAsNames: false; orderMatters: false; values: [TestGroup]}
Workaround
Create a new search filter to exclude the problematic group.
Solution
Work with your LDAP/AD admin to correct the unsafe attribute value. In the example above, the invalid character \u001F in the group name was causing the issue.
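The following Python script is an added example, not part of the original article and not Atlassian's code. It scans atlassian-jira.log text for the 'Unsafe attribute value' lines shown above, reports each object's DN and the control characters in the value, and builds an RFC 4515-escaped exclusion clause for the workaround filter. It assumes the log writes the character as a literal \uXXXX escape, as in the excerpt; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: two lines copied from the log excerpt in this article.
SAMPLE_LOG = r"""2022-01-01 00:00:43,013+0000 CrowdUsnChangedCacheRefresher:thread-2 INFO ServiceRunner [c.a.c.d.ldap.util.DirectoryAttributeRetriever] Unsafe attribute value <Test\u001FGroup> for attribute <cn>. Context: <CN=TestGroup,OU=DistributionGroup,OU=Groups,DC=domain,DC=local>. . Attribute was skipped.
2022-01-01 00:00:43,017+0000 Caesium-1-4 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] failed synchronisation complete for directory [ 10100 ] in [ 9249ms ]
"""

UNSAFE = re.compile(r"Unsafe attribute value <(?P<value>.*?)> for attribute "
                    r"<(?P<attr>[^>]+)>\. Context: <(?P<dn>.*?)>\.")
ESCAPE = re.compile(r"\\u([0-9A-Fa-f]{4})")

def decode(value):
    """Turn the log's literal \\uXXXX escapes back into characters."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)

def rfc4515_escape(value):
    """Escape a value for an LDAP search filter; control bytes become \\XX."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte >= 0x7F or chr(byte) in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

def find_unsafe(log_text):
    """Return one finding per distinct (DN, attribute, value) flagged as unsafe."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = UNSAFE.search(line)
        if not m or m.groups() in seen:
            continue
        seen.add(m.groups())
        raw = decode(m["value"])
        findings.append({
            "dn": m["dn"],
            "attribute": m["attr"],
            "control_chars": ["U+%04X" % ord(c) for c in raw
                              if ord(c) < 0x20 or ord(c) == 0x7F],
            # Clause to AND with the existing group filter (workaround).
            "exclude_clause": "(!(%s=%s))" % (m["attr"], rfc4515_escape(raw)),
        })
    return findings

if __name__ == "__main__":
    for finding in find_unsafe(SAMPLE_LOG):
        print(finding)
```

The exclusion clause is combined with the existing group filter using `&`, for example with the `(objectCategory=Group)` filter visible in the log above; the reported DN and code points tell the LDAP/AD admin which object and character to correct.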