Crowd fails to authenticate ActiveDirectory users

Oded Arbel December 25, 2011

I've installed a trial version of Crowd to test if we can use Crowd to authenticate against our ActiveDirectory server, which is running on Windows 2008.

The setup was pretty straightforward and there were no issues detected, but using the supplied OpenID server application, I can't get an AD user to authenticate. Here are the DEBUG logs of Crowd for such an attempt:

---------------8<-----------------------------------------

2011-12-26 17:51:00,095 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Using SessionFactory 'sessionFactory' for OpenSessionInViewFilter
2011-12-26 17:51:00,096 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening single Hibernate Session in OpenSessionInViewFilter
2011-12-26 17:51:00,097 http-8095-9 DEBUG [service.soap.xfire.XFireInLoggingMethodHandler] SOAP service method: authenticatePrincipal
com.atlassian.crowd.integration.authentication.AuthenticatedToken@420e26c0[name=crowd-openid-server,token=XgmP318kg0J1kfzX1XmZgg00]
com.atlassian.crowd.integration.authentication.UserAuthenticationContext@2f122921[name=oded.a,credential=com.atlassian.crowd.integration.authentication.PasswordCredential@514a4dab[credential=MYSECRETPASSWD,encryptedCredential=false],validationFactors={com.atlassian.crowd.integration.authentication.ValidationFactor@65313f3e[name=remote_address,value=192.168.1.222]},application=crowd-openid-server]
2011-12-26 17:51:00,098 http-8095-9 DEBUG [crowd.service.soap.SOAPService] validating license key
2011-12-26 17:51:00,098 http-8095-9 DEBUG [crowd.service.soap.SOAPService] validating application token: XgmP318kg0J1kfzX1XmZgg00
2011-12-26 17:51:00,098 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] genericValidateToken
2011-12-26 17:51:00,101 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] checking if the token is expired:
2011-12-26 17:51:00,101 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] now: 1324914660100
2011-12-26 17:51:00,101 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] last accessed: 2011-12-26 17:41:48.0
2011-12-26 17:51:00,101 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] difference: 552100
2011-12-26 17:51:00,101 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] allowed elapse: 1800000
2011-12-26 17:51:00,101 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: crowd-openid-server
2011-12-26 17:51:00,101 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 127.0.0.1
2011-12-26 17:51:00,101 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote_host of com.atlassian.crowd.model.authentication.ValidationFactor@76c42399[name=remote_host,value=127.0.0.1]
2011-12-26 17:51:00,102 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding NAME of com.atlassian.crowd.model.authentication.ValidationFactor@46fd4eb9[name=NAME,value=crowd-openid-server]
2011-12-26 17:51:00,102 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: crowd-openid-server
2011-12-26 17:51:00,102 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 127.0.0.1
2011-12-26 17:51:00,102 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote_host of com.atlassian.crowd.model.authentication.ValidationFactor@76c42399[name=remote_host,value=127.0.0.1]
2011-12-26 17:51:00,103 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding NAME of com.atlassian.crowd.model.authentication.ValidationFactor@46fd4eb9[name=NAME,value=crowd-openid-server]
2011-12-26 17:51:00,103 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of com.atlassian.crowd.model.authentication.ValidationFactor@203b7818[name=Random-Number,value=2605247152551997811]
2011-12-26 17:51:00,103 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] Current Validation Factors:
com.atlassian.crowd.model.authentication.ValidationFactor@20498030[name=remote_address,value=127.0.0.1]com.atlassian.crowd.model.authentication.ValidationFactor@76c42399[name=remote_host,value=127.0.0.1]com.atlassian.crowd.model.authentication.ValidationFactor@46fd4eb9[name=NAME,value=crowd-openid-server]
2011-12-26 17:51:00,103 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] comparing existing token com.atlassian.crowd.model.token.Token@4177298e with a validation token com.atlassian.crowd.model.token.Token@4177298e
2011-12-26 17:51:00,103 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] returning validated token, with updated last accessed time
2011-12-26 17:51:00,103 http-8095-9 DEBUG [crowd.dao.token.TokenDAOHibernate] Updating object: com.atlassian.crowd.model.token.Token@4177298e
2011-12-26 17:51:00,103 http-8095-9 DEBUG [crowd.service.soap.SOAPService] loading application: crowd-openid-server
2011-12-26 17:51:00,105 http-8095-9 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 127.0.0.1
2011-12-26 17:51:00,109 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] Authenticating user: oded.a
2011-12-26 17:51:00,113 http-8095-9 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@46f003c0[lowerName=taboola crowd,description=Taboola,type=INTERNAL,implementationClass=com.atlassian.crowd.directory.InternalDirectory,allowedOperations=[UPDATE_GROUP, DELETE_GROUP, DELETE_USER, UPDATE_USER, CREATE_USER, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={password_max_change_time=90, password_regex=, user_encryption_method=atlassian-security, password_history_count=5, password_max_attempts=10}]
2011-12-26 17:51:00,147 http-8095-9 DEBUG [service.soap.xfire.XFireFaultLoggingMethodHandler] SOAP service fault for method: authenticatePrincipal
com.atlassian.crowd.integration.exception.InvalidAuthenticationException: oded.a
2011-12-26 17:51:00,151 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing single Hibernate Session in OpenSessionInViewFilter
2011-12-26 17:51:00,155 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Using SessionFactory 'sessionFactory' for OpenSessionInViewFilter
2011-12-26 17:51:00,155 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening single Hibernate Session in OpenSessionInViewFilter
2011-12-26 17:51:00,156 http-8095-9 DEBUG [service.soap.xfire.XFireInLoggingMethodHandler] SOAP service method: getCookieInfo
com.atlassian.crowd.integration.authentication.AuthenticatedToken@5d9e740d[name=crowd-openid-server,token=XgmP318kg0J1kfzX1XmZgg00]
2011-12-26 17:51:00,157 http-8095-9 DEBUG [crowd.service.soap.SOAPService] validating license key
2011-12-26 17:51:00,157 http-8095-9 DEBUG [crowd.service.soap.SOAPService] validating application token: XgmP318kg0J1kfzX1XmZgg00
2011-12-26 17:51:00,157 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] genericValidateToken
2011-12-26 17:51:00,159 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] checking if the token is expired:
2011-12-26 17:51:00,159 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] now: 1324914660159
2011-12-26 17:51:00,159 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] last accessed: 2011-12-26 17:51:00.0
2011-12-26 17:51:00,159 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] difference: 159
2011-12-26 17:51:00,159 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] allowed elapse: 1800000
2011-12-26 17:51:00,159 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: crowd-openid-server
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 127.0.0.1
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote_host of com.atlassian.crowd.model.authentication.ValidationFactor@4501cefc[name=remote_host,value=127.0.0.1]
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding NAME of com.atlassian.crowd.model.authentication.ValidationFactor@79bc25c8[name=NAME,value=crowd-openid-server]
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: crowd-openid-server
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 127.0.0.1
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote_host of com.atlassian.crowd.model.authentication.ValidationFactor@4501cefc[name=remote_host,value=127.0.0.1]
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding NAME of com.atlassian.crowd.model.authentication.ValidationFactor@79bc25c8[name=NAME,value=crowd-openid-server]
2011-12-26 17:51:00,160 http-8095-9 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of com.atlassian.crowd.model.authentication.ValidationFactor@2f54abe8[name=Random-Number,value=2605247152551997811]
2011-12-26 17:51:00,161 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] Current Validation Factors:
com.atlassian.crowd.model.authentication.ValidationFactor@5fe2249e[name=remote_address,value=127.0.0.1]com.atlassian.crowd.model.authentication.ValidationFactor@4501cefc[name=remote_host,value=127.0.0.1]com.atlassian.crowd.model.authentication.ValidationFactor@79bc25c8[name=NAME,value=crowd-openid-server]
2011-12-26 17:51:00,161 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] comparing existing token com.atlassian.crowd.model.token.Token@4177298e with a validation token com.atlassian.crowd.model.token.Token@4177298e
2011-12-26 17:51:00,161 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] returning validated token, with updated last accessed time
2011-12-26 17:51:00,161 http-8095-9 DEBUG [crowd.dao.token.TokenDAOHibernate] Updating object: com.atlassian.crowd.model.token.Token@4177298e
2011-12-26 17:51:00,161 http-8095-9 DEBUG [crowd.service.soap.SOAPService] loading application: crowd-openid-server
2011-12-26 17:51:00,163 http-8095-9 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 127.0.0.1
2011-12-26 17:51:00,195 http-8095-9 DEBUG [service.soap.xfire.XFireOutLoggingMethodHandler] SOAP service method: getCookieInfo
com.atlassian.crowd.integration.soap.SOAPCookieInfo@7d349786[domain=,secure=false]
2011-12-26 17:51:00,197 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing single Hibernate Session in OpenSessionInViewFilter

---------------8<-----------------------------------------

I don't understand why authentication fails, and as you can see all I get is debug messages so there are no errors provided elsewhere.

I've connected JIRA to the Crowd installation and it looks to work - users can log in to the JIRA and authentication works fine, though accessing the crowd console directly or the openidserver signin always fails for AD users.

Here are the Crowd logs for the JIRA authentication request:

---------------8<-----------------------------------------

2011-12-26 19:19:22,819 http-8095-1 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Using SessionFactory 'sessionFactory' for OpenSessionInViewFilter
2011-12-26 19:19:22,820 http-8095-1 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening single Hibernate Session in OpenSessionInViewFilter
2011-12-26 19:19:22,823 http-8095-1 DEBUG [crowd.manager.validation.ClientValidationManagerImpl] Client address: 127.0.0.1
2011-12-26 19:19:22,826 http-8095-1 DEBUG [plugin.rest.filter.BasicApplicationAuthenticationFilter] Application 'Jira' is already authenticated
2011-12-26 19:19:22,836 http-8095-1 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@431d0879[lowerName=il dc,description=Israeli office ActiveDirectory,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[UPDATE_GROUP, DELETE_GROUP, DELETE_USER, UPDATE_USER, CREATE_USER, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={ldap.read.timeout=120000, directory.cache.synchronise.interval=3600, ldap.role.name=cn, ldap.user.displayname=displayName, ldap.search.timelimit=60000, ldap.usermembership.use=true, ldap.role.description=description, ldap.group.objectclass=group, ldap.user.objectclass=user, ldap.pagedresults=true, ldap.group.description=description, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.cache.enabled=true, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.role.dn=, ldap.user.filter=(&(objectCategory=Person)(sAMAccountName=*)), ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.secure=false, ldap.user.username.rdn=cn, ldap.role.usernames=member, com.atlassian.crowd.directory.sync.lastdurationms=641, ldap.group.filter=(objectCategory=Group), com.atlassian.crowd.directory.sync.laststartsynctime=1324916468479, ldap.nestedgroups.disabled=true, ldap.user.username=sAMAccountName, ldap.group.dn=ou=Security Groups,ou=MyBusiness, ldap.user.email=mail, ldap.basedn=dc=office,dc=taboola,dc=com, ldap.role.filter=(objectclass=group), ldap.roles.disabled=true, ldap.connection.timeout=10000, ldap.url=ldap://ildc01:389/, ldap.usermembership.use.for.groups=true, ldap.referral=true, ldap.user.lastname=sn, ldap.userdn=CN=LDAPUSER,CN=Users,DC=office,DC=taboola,DC=com, ldap.pagedresults.size=999, ldap.group.name=cn, ldap.user.dn=ou=SBSUsers,ou=Users,ou=MyBusiness, com.atlassian.crowd.directory.sync.issynchronising=false, 
ldap.role.objectclass=group, ldap.user.password=unicodePwd}]
2011-12-26 19:19:22,837 http-8095-1 DEBUG [atlassian.crowd.directory.SpringLDAPConnector] Performing user search: baseDN = ou=SBSUsers,ou=Users,ou=MyBusiness,dc=office,dc=taboola,dc=com - filter = (&(&(objectCategory=Person)(sAMAccountName=*))(sAMAccountName=oded.a))
2011-12-26 19:19:22,843 http-8095-1 DEBUG [atlassian.crowd.directory.SpringLDAPConnector] Paged results are enabled with a paging size of: 999
2011-12-26 19:19:22,849 http-8095-1 DEBUG [atlassian.crowd.directory.SpringLDAPConnector] Iterating a search result size of: 999
2011-12-26 19:19:22,860 http-8095-1 DEBUG [crowd.dao.user.UserDAOHibernate] Saving or updating object: com.atlassian.crowd.model.user.InternalUserAttribute@20fa6824[directory=com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@431d0879[lowerName=il dc,description=Israeli office ActiveDirectory,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[UPDATE_GROUP, DELETE_GROUP, DELETE_USER, UPDATE_USER, CREATE_USER, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={ldap.read.timeout=120000, directory.cache.synchronise.interval=3600, ldap.role.name=cn, ldap.user.displayname=displayName, ldap.search.timelimit=60000, ldap.usermembership.use=true, ldap.role.description=description, ldap.group.objectclass=group, ldap.user.objectclass=user, ldap.pagedresults=true, ldap.group.description=description, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.cache.enabled=true, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.role.dn=, ldap.user.filter=(&(objectCategory=Person)(sAMAccountName=*)), ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.secure=false, ldap.user.username.rdn=cn, ldap.role.usernames=member, com.atlassian.crowd.directory.sync.lastdurationms=641, ldap.group.filter=(objectCategory=Group), com.atlassian.crowd.directory.sync.laststartsynctime=1324916468479, ldap.nestedgroups.disabled=true, ldap.user.username=sAMAccountName, ldap.group.dn=ou=Security Groups,ou=MyBusiness, ldap.user.email=mail, ldap.basedn=dc=office,dc=taboola,dc=com, ldap.role.filter=(objectclass=group), ldap.roles.disabled=true, ldap.connection.timeout=10000, ldap.url=ldap://ildc01:389/, ldap.usermembership.use.for.groups=true, ldap.referral=true, ldap.user.lastname=sn, ldap.userdn=CN=LDAPUSER,CN=Users,DC=office,DC=taboola,DC=com, ldap.pagedresults.size=999, ldap.group.name=cn, 
ldap.user.dn=ou=SBSUsers,ou=Users,ou=MyBusiness, com.atlassian.crowd.directory.sync.issynchronising=false, ldap.role.objectclass=group, ldap.user.password=unicodePwd}],user=com.atlassian.crowd.model.user.InternalUser@f3ef9df[id=65593,name=oded.a,createdDate=2011-12-26 17:15:02.0,updatedDate=2011-12-26 17:21:33.0,active=true,emailAddress=oded@taboola.com,firstName=Oded,lastName=Arbel,displayName=Oded Arbel,credential=com.atlassian.crowd.embedded.api.PasswordCredential@17cb2466[credential=nopass,encryptedCredential=true],lowerName=oded.a,lowerEmailAddress=oded@taboola.com,lowerFirstName=oded,lowerLastName=arbel,lowerDisplayName=oded arbel,directoryId=32770]]
2011-12-26 19:19:22,895 http-8095-1 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@431d0879[lowerName=il dc,description=Israeli office ActiveDirectory,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[UPDATE_GROUP, DELETE_GROUP, DELETE_USER, UPDATE_USER, CREATE_USER, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={ldap.read.timeout=120000, directory.cache.synchronise.interval=3600, ldap.role.name=cn, ldap.user.displayname=displayName, ldap.search.timelimit=60000, ldap.usermembership.use=true, ldap.role.description=description, ldap.group.objectclass=group, ldap.user.objectclass=user, ldap.pagedresults=true, ldap.group.description=description, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.cache.enabled=true, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.role.dn=, ldap.user.filter=(&(objectCategory=Person)(sAMAccountName=*)), ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.secure=false, ldap.user.username.rdn=cn, ldap.role.usernames=member, com.atlassian.crowd.directory.sync.lastdurationms=641, ldap.group.filter=(objectCategory=Group), com.atlassian.crowd.directory.sync.laststartsynctime=1324916468479, ldap.nestedgroups.disabled=true, ldap.user.username=sAMAccountName, ldap.group.dn=ou=Security Groups,ou=MyBusiness, ldap.user.email=mail, ldap.basedn=dc=office,dc=taboola,dc=com, ldap.role.filter=(objectclass=group), ldap.roles.disabled=true, ldap.connection.timeout=10000, ldap.url=ldap://ildc01:389/, ldap.usermembership.use.for.groups=true, ldap.referral=true, ldap.user.lastname=sn, ldap.userdn=CN=LDAPUSER,CN=Users,DC=office,DC=taboola,DC=com, ldap.pagedresults.size=999, ldap.group.name=cn, ldap.user.dn=ou=SBSUsers,ou=Users,ou=MyBusiness, com.atlassian.crowd.directory.sync.issynchronising=false, 
ldap.role.objectclass=group, ldap.user.password=unicodePwd}]
2011-12-26 19:19:22,898 http-8095-1 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@431d0879[lowerName=il dc,description=Israeli office ActiveDirectory,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[UPDATE_GROUP, DELETE_GROUP, DELETE_USER, UPDATE_USER, CREATE_USER, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={ldap.read.timeout=120000, directory.cache.synchronise.interval=3600, ldap.role.name=cn, ldap.user.displayname=displayName, ldap.search.timelimit=60000, ldap.usermembership.use=true, ldap.role.description=description, ldap.group.objectclass=group, ldap.user.objectclass=user, ldap.pagedresults=true, ldap.group.description=description, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.cache.enabled=true, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.role.dn=, ldap.user.filter=(&(objectCategory=Person)(sAMAccountName=*)), ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.secure=false, ldap.user.username.rdn=cn, ldap.role.usernames=member, com.atlassian.crowd.directory.sync.lastdurationms=641, ldap.group.filter=(objectCategory=Group), com.atlassian.crowd.directory.sync.laststartsynctime=1324916468479, ldap.nestedgroups.disabled=true, ldap.user.username=sAMAccountName, ldap.group.dn=ou=Security Groups,ou=MyBusiness, ldap.user.email=mail, ldap.basedn=dc=office,dc=taboola,dc=com, ldap.role.filter=(objectclass=group), ldap.roles.disabled=true, ldap.connection.timeout=10000, ldap.url=ldap://ildc01:389/, ldap.usermembership.use.for.groups=true, ldap.referral=true, ldap.user.lastname=sn, ldap.userdn=CN=LDAPUSER,CN=Users,DC=office,DC=taboola,DC=com, ldap.pagedresults.size=999, ldap.group.name=cn, ldap.user.dn=ou=SBSUsers,ou=Users,ou=MyBusiness, com.atlassian.crowd.directory.sync.issynchronising=false, 
ldap.role.objectclass=group, ldap.user.password=unicodePwd}]
2011-12-26 19:19:22,899 http-8095-1 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@431d0879[lowerName=il dc,description=Israeli office ActiveDirectory,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,allowedOperations=[UPDATE_GROUP, DELETE_GROUP, DELETE_USER, UPDATE_USER, CREATE_USER, CREATE_GROUP, UPDATE_USER_ATTRIBUTE, UPDATE_GROUP_ATTRIBUTE],attributes={ldap.read.timeout=120000, directory.cache.synchronise.interval=3600, ldap.role.name=cn, ldap.user.displayname=displayName, ldap.search.timelimit=60000, ldap.usermembership.use=true, ldap.role.description=description, ldap.group.objectclass=group, ldap.user.objectclass=user, ldap.pagedresults=true, ldap.group.description=description, ldap.user.firstname=givenName, com.atlassian.crowd.directory.sync.cache.enabled=true, crowd.sync.incremental.enabled=true, ldap.group.usernames=member, ldap.user.group=memberOf, ldap.role.dn=, ldap.user.filter=(&(objectCategory=Person)(sAMAccountName=*)), ldap.relaxed.dn.standardisation=true, ldap.password=********, ldap.secure=false, ldap.user.username.rdn=cn, ldap.role.usernames=member, com.atlassian.crowd.directory.sync.lastdurationms=641, ldap.group.filter=(objectCategory=Group), com.atlassian.crowd.directory.sync.laststartsynctime=1324916468479, ldap.nestedgroups.disabled=true, ldap.user.username=sAMAccountName, ldap.group.dn=ou=Security Groups,ou=MyBusiness, ldap.user.email=mail, ldap.basedn=dc=office,dc=taboola,dc=com, ldap.role.filter=(objectclass=group), ldap.roles.disabled=true, ldap.connection.timeout=10000, ldap.url=ldap://ildc01:389/, ldap.usermembership.use.for.groups=true, ldap.referral=true, ldap.user.lastname=sn, ldap.userdn=CN=LDAPUSER,CN=Users,DC=office,DC=taboola,DC=com, ldap.pagedresults.size=999, ldap.group.name=cn, ldap.user.dn=ou=SBSUsers,ou=Users,ou=MyBusiness, com.atlassian.crowd.directory.sync.issynchronising=false, 
ldap.role.objectclass=group, ldap.user.password=unicodePwd}]
2011-12-26 19:19:22,903 http-8095-1 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing single Hibernate Session in OpenSessionInViewFilter
---------------8<-----------------------------------------

2 answers

1 accepted

1 vote
Answer accepted
Oded Arbel December 25, 2011

I figured out the problem - in Crowd you have to specifically allow each application to authenticate to each directory configured in Crowd. So to get the openidserver or Crowd console to auth against the ActiveDirectory, go to the Crowd console as the local administrator, click "Applications" and select the application you want to edit. Under the "Directories" tab add the ActiveDirectory you have configured and click "Update". You may also want to make sure that the "Allow All to Authenticate" flag is set to "True".

The reason JIRA could authenticate is that it was automatically configured to use all the directories because I created its configuration after I created the ActiveDirectory configuration. The other apps were created automatically by the installation - and before the ActiveDirectory connector was set up, so I had to configure them manually.
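
The two log excerpts in the question show the difference this answer describes: the failing request loads only the `type=INTERNAL` directory before the fault, while the JIRA request loads the `type=CONNECTOR` one. The following is an added example, not part of the original post and not Atlassian code: it groups Crowd DEBUG lines per request and flags faulted `authenticatePrincipal` calls that never loaded a CONNECTOR directory. The function names are hypothetical, and the heuristic is an assumption drawn only from these two excerpts.

```python
import re

# Constructed sample: lines taken from the two excerpts in the question,
# with the long attribute lists abridged to "...".
SAMPLE_LOG = r"""
2011-12-26 17:51:00,096 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening single Hibernate Session in OpenSessionInViewFilter
2011-12-26 17:51:00,103 http-8095-9 DEBUG [crowd.service.soap.SOAPService] loading application: crowd-openid-server
2011-12-26 17:51:00,109 http-8095-9 DEBUG [crowd.manager.authentication.TokenAuthenticationManagerImpl] Authenticating user: oded.a
2011-12-26 17:51:00,113 http-8095-9 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@46f003c0[lowerName=taboola crowd,description=Taboola,type=INTERNAL,implementationClass=com.atlassian.crowd.directory.InternalDirectory,...]
2011-12-26 17:51:00,147 http-8095-9 DEBUG [service.soap.xfire.XFireFaultLoggingMethodHandler] SOAP service fault for method: authenticatePrincipal
com.atlassian.crowd.integration.exception.InvalidAuthenticationException: oded.a
2011-12-26 17:51:00,151 http-8095-9 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing single Hibernate Session in OpenSessionInViewFilter
2011-12-26 19:19:22,820 http-8095-1 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Opening single Hibernate Session in OpenSessionInViewFilter
2011-12-26 19:19:22,826 http-8095-1 DEBUG [plugin.rest.filter.BasicApplicationAuthenticationFilter] Application 'Jira' is already authenticated
2011-12-26 19:19:22,836 http-8095-1 DEBUG [crowd.dao.directory.DirectoryDAOHibernate] Loaded object: com.atlassian.crowd.model.directory.DirectoryImpl$$EnhancerByCGLIB$$8ef82e02@431d0879[lowerName=il dc,description=Israeli office ActiveDirectory,type=CONNECTOR,implementationClass=com.atlassian.crowd.directory.MicrosoftActiveDirectory,...]
2011-12-26 19:19:22,903 http-8095-1 DEBUG [crowd.console.filter.CrowdOpenSessionInViewFilter] Closing single Hibernate Session in OpenSessionInViewFilter
"""

# timestamp, thread, logger category (ignored), message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\S+) DEBUG \[[^\]]+\] (.*)$")
APP = re.compile(r"loading application: (\S+)|Application '([^']+)' is already authenticated")
DIRECTORY = re.compile(r"Loaded object: .*?DirectoryImpl.*?\[lowerName=([^,]+),.*?type=(\w+),")
FAULT = re.compile(r"SOAP service fault for method: (\w+)")


def requests(log_text):
    """Split the log into requests: one Hibernate session on one thread each."""
    open_by_thread, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation line (object dump or exception name)
        when, thread, msg = m.groups()
        if msg.startswith("Opening single Hibernate Session"):
            open_by_thread[thread] = {"start": when, "thread": thread,
                                      "app": None, "dirs": [], "fault": None}
            continue
        req = open_by_thread.get(thread)
        if req is None:
            continue  # line outside any tracked request
        if msg.startswith("Closing single Hibernate Session"):
            done.append(open_by_thread.pop(thread))
        elif (a := APP.search(msg)):
            req["app"] = a.group(1) or a.group(2)
        elif (d := DIRECTORY.search(msg)):
            if d.groups() not in req["dirs"]:  # the same directory is often loaded repeatedly
                req["dirs"].append(d.groups())
        elif (f := FAULT.search(msg)):
            req["fault"] = f.group(1)
    return done


def unmapped_directory_suspects(log_text):
    """Faulted authenticatePrincipal requests that loaded no CONNECTOR directory.

    Assumption: a hit only means the application's "Directories" tab is worth
    checking; other failures against an internal directory can look the same.
    """
    return [r for r in requests(log_text)
            if r["fault"] == "authenticatePrincipal"
            and not any(kind == "CONNECTOR" for _, kind in r["dirs"])]


if __name__ == "__main__":
    for r in unmapped_directory_suspects(SAMPLE_LOG):
        print(r["start"], r["app"], "consulted only:", r["dirs"])
```
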

dibo zeng
February 8, 2013

I got the same problem, just update the ActiveDirectory, then everything works fine. Thanks a lot.

0 votes
Oded Arbel December 25, 2011

I've connected JIRA to the crowd directory and that works fine - users can authenticate and log in, but both the crowd signin and the openid signin reject users.

Titus
March 18, 2019
