Crowd - Removing group from user with '#' in username results in error

Jan Wittorf May 18, 2014

We have customer requirement for username format shall be like: 123/45678#001 Important part of this format is '#001'.

If we add groups to these users, no problems at all. If we remove one or more groups from these users we get the following error on web frontend: Cannot remove user "123/45678#001" from group(s) "Benutzerverwaltung".

See attached log file for further details. (atlassian-crowd.log)

Same error occurs when we are using REST-API for batch processing:

/crowd/rest/usermanagement/latest/group/user/direct?groupname=Benutzerverwaltung&username=123/45678#001

Before any questions come accros the '/' and '#' in URL: Yes, we do a HTML encode before ('/'=%2F and '#'=%23).

Interesting behavior is: The group is removed from the user account but the result is an error.

We are using OpenLDAP connector to store users and groups.

9 answers

1 accepted

2 votes
Jan Wittorf May 20, 2014

Has anybody else an idea?

Otherwise have to push a ticket...

codelab expert
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 20, 2014

Dear Jan,

you should not create a new answer if you want to comment your own question.

2 votes
codelab expert
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 18, 2014

I suggest that this symbol is not allowed. # is a fragment identifier of a URL. So the URL is misinterpreted by JIRA.

Jan Wittorf May 18, 2014

Dear Mathias,

thx for your response. We don't use JIRA. We use Crowd with custom applications.

Also in my opinion if the # is URL encoded there should not be any problems.

0 votes
joe
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 4, 2014

Thanks for reporting this. This was filed as CWD-3923 and fixed with an upgrade to Spring LDAP to pick up LDAP-229. It will be in the next stable release of Crowd.

0 votes
Jan Wittorf May 20, 2014

Good point! I tested with deactivated caching function. Result: Error occurred but group has not been removed from user.

Then I tested again with activated caching function.

  1. Removed Group from user
  2. Error occurred and group was removed
  3. Looked direcly into LDAP. Group was still attached to the user!
  4. Clicked on synchronisation
  5. On crowd web console: Group was added to user by synchronisation

So the problem seems to be with the LDAP connector.

I'll report a bug for this!

0 votes
joe
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 20, 2014

Yes, it sounds like a bug; please report it with enough detail to reproduce. When a membership can't be found in a remote directory it is automatically deleted from the local, so this may be simpler to isolate and reproduce with an uncached connector.

0 votes
Jan Wittorf May 20, 2014

Hi Joseph,

Yes, I can. The group has been added without any errors, also no errors in log file.

To be safe, I logged out/in on the web console, searched the user again and the group is still present.

To be totally safe, I have to look at the underlying directory (OpenLDAP). Will prompt do this with some help from our LDAP experts and update you.

0 votes
Jan Wittorf May 20, 2014

Quick look into the LDAP directory with the Apache Directory Studio shows that everything is perfectly well as we ecpected it.

Furthermore other special characters like '@' have no problems. Log file also says that something has to be wrong in your implementation.

0 votes
joe
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 20, 2014

"The group is removed from the user account but the result is an error." Could you confirm that the group was added in the first place? During removal, the check for an existing membership is carried out before any attempt to delete.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events