Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Confluence 6.9 - Secure LDAP - Users removed from cache

Systems Peel Hunt
Systems Peel Hunt January 30, 2020

Hi,

I am running Concluence 6.9. I have just converted my LDAP to Active Directory User Directory to use SSL. The connection tests successfully and a full synchronisation is again successful.

However, when the next synchronisation occurs, all of the users are removed from the cache and no Active Directory users are able to log in. If I perform another synchronisation then it is successful again and all the users are added back into the cache. This pattern repeats itself over and over again. 

Reverting back to LDAP not using SSL works fine and users remain in the cache on subsequent synchronisations. 

 

Has anyone seen this issue before?

 

Thanks,

 

Ben

Answer
Watch
Like Be the first to like this
409 views

1 answer

1 accepted

0 votes
Answer accepted
Brant Schroeder
Brant Schroeder
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
January 30, 2020

Are the two LDAP directory connections configured the same? You should check and make sure everything is configured the same.  

Where I have seen this happen is with incremental sync.  If you AD Global Catalog is missing the "accountExpires" attribute the LDAP queries being performed in the incremental sync will remove users because this attribute was not found in those synchronizations. Disabling the incremental sync from the advanced section of the directory settings will work as a work around until your active directory "accountExpires" attribute is added to the Global Catalog. This should be done by someone that understands the structure and size of your domain as adding an attribute triggers a full sync between all the nodes in your domain forest.

Here is another link that might have some insight into your issue. https://confluence.atlassian.com/kb/incremental-ldap-synchronisation-causing-user-deletion-826895869.html

View More Comments
Systems Peel Hunt
Systems Peel Hunt January 30, 2020

Hi Brant,

thanks for your reply.

I've only got the one LDAP directory connection. I've modified it from non SSL to SSL and this is where the issue occurs.

All of our DC's are Global Catalog server and I had configured the port to use 3269 which is the Global Catalog LDAP port.

Cause 3 in the link you have posted seems to fit with the scenario that I have got. It works over port 389, non SSL and non Global Catalog and doesnt work over 3269 which is SSL and Global Catalog. It sounds like it might work over port 636, but I might just disable incremental sync and see how that goes.

Thanks,

Ben

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events