Issue Summary

Confluence is integrated with LDAP (e.g. Active Directory), and LDAP returns an exception (due to some error on the LDAP side). When the LDAP sync runs, atlassian-confluence.log shows this error:

Log snippet
2022-05-20 11:27:45,353 ERROR [Caesium-1-2] [engine.jdbc.spi.SqlExceptionHelper] logExceptions ERROR: invalid byte sequence for encoding "UTF8": 0x00
2022-05-20 11:27:45,353 ERROR [Caesium-1-2] [org.hibernate.internal.ExceptionMapperStandardImpl] mapManagedFlushFailure HHH000346: Error during managed flush [org.hibernate.exception.DataException: could not execute statement]
2022-05-20 11:27:45,354 WARN [Caesium-1-2] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doCommit Commit failed. Rolling back. Error: Hibernate operation: could not execute statement; ERROR: invalid byte sequence for encoding "UTF8": 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
2022-05-20 11:27:45,354 WARN [Caesium-1-2] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
  ->[PluginReadWriteTx]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #1508402677)

Steps to Reproduce

  • Install Confluence with Postgres database server
  • Integrate Confluence with LDAP (e.g. tested with Active Directory)
  • Configure an Additional User DN and/or Additional Group DN that (incorrectly) includes the Base DN, e.g.:
      • Base DN: dc=mycompany,dc=com
      • Additional User DN: ou=users,dc=mycompany,dc=com
      • Additional Group DN: ou=groups,dc=mycompany,dc=com

Expected Results

    The LDAP sync should fail with the LDAP exception thrown into the atlassian-confluence.log.

    In Confluence 7.10 and earlier, the LDAP exception is thrown in the atlassian-confluence.log:

    2022-05-23 19:39:27,700 INFO [Caesium-1-1] [atlassian.crowd.directory.DbCachingRemoteDirectory] synchroniseCache failed synchronisation complete for directory [ 294914 ] in [ 124ms ]
    2022-05-23 19:39:27,711 ERROR [Caesium-1-1] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 294914 ].
     -- referer: http://localhost:6740/c740/setup/setupdata-start.action | url: /c740/setup/setupdata.action | traceId: 2e96430ef7dcb9cc | userName: anonymous | action: setupdata
    com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; remaining name 'OU=people,dc=mycompany,dc=com,dc=mycompany,dc=com'
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:180)
        at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:50)
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:150)
        at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:978)
        at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:67)
        at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:45)
        at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobRunner.runJob(DirectoryPollerJobRunner.java:85)
        at com.atlassian.confluence.impl.schedule.caesium.JobRunnerWrapper.doRunJob(JobRunnerWrapper.java:117)
        at com.atlassian.confluence.impl.schedule.caesium.JobRunnerWrapper.lambda$runJob$0(JobRunnerWrapper.java:87)
        at com.atlassian.confluence.impl.vcache.VCacheRequestContextManager.doInRequestContextInternal(VCacheRequestContextManager.java:84)
        at com.atlassian.confluence.impl.vcache.VCacheRequestContextManager.doInRequestContext(VCacheRequestContextManager.java:68)
        at com.atlassian.confluence.impl.schedule.caesium.JobRunnerWrapper.runJob(JobRunnerWrapper.java:87)
        at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:134)
        at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:106)
        at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:90)
        at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:435)
        at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeLocalJob(CaesiumSchedulerService.java:402)
        at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:380)
        at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:66)
        at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:60)
        at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:35)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; remaining name 'OU=people,dc=mycompany,dc=com,dc=mycompany,dc=com'
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:168)
        ... 21 more
    Caused by: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; remaining name 'OU=people,dc=mycompany,dc=com,dc=mycompany,dc=com'
        at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:398)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:431)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:415)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:603)
        at com.atlassian.crowd.directory.SpringLDAPConnector.searchUsers(SpringLDAPConnector.java:941)
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher$2.call(UsnChangedCacheRefresher.java:128)
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher$2.call(UsnChangedCacheRefresher.java:124)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        ... 1 more
    Caused by: org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; remaining name 'OU=people,dc=mycompany,dc=com,dc=mycompany,dc=com'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:183)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:376)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$3.timedCall(SpringLdapTemplateWrapper.java:195)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$3.timedCall(SpringLdapTemplateWrapper.java:192)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:130)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:100)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:192)
        at com.atlassian.crowd.directory.SpringLDAPConnector.pageSearchResults(SpringLDAPConnector.java:370)
        ... 10 more
    Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310023C, problem 2001 (NO_OBJECT), data 0, best match of: 'dc=mycompany,dc=com' ]; remaining name 'OU=people,dc=mycompany,dc=com,dc=mycompany,dc=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3179)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:90)
        at com.sun.proxy.$Proxy3033.search(Unknown Source)
        at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$3.lambda$timedCall$0(SpringLdapTemplateWrapper.java:194)
        at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:363)
        ... 16 more

Actual Results

    In the affected Confluence versions, the LDAP sync fails with an unrelated failure:

    2022-05-20 11:27:45,353 ERROR [Caesium-1-2] [engine.jdbc.spi.SqlExceptionHelper] logExceptions ERROR: invalid byte sequence for encoding "UTF8": 0x00
    2022-05-20 11:27:45,353 ERROR [Caesium-1-2] [org.hibernate.internal.ExceptionMapperStandardImpl] mapManagedFlushFailure HHH000346: Error during managed flush [org.hibernate.exception.DataException: could not execute statement]
    2022-05-20 11:27:45,354 WARN [Caesium-1-2] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doCommit Commit failed. Rolling back. Error: Hibernate operation: could not execute statement; ERROR: invalid byte sequence for encoding "UTF8": 0x00; nested exception is org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
    2022-05-20 11:27:45,354 WARN [Caesium-1-2] [confluence.impl.hibernate.ConfluenceHibernateTransactionManager] doRollback Performing rollback. Transactions:
      ->[PluginReadWriteTx]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT (Session #1508402677)

    These additional debug logging settings do not help to show the LDAP exception, because the above database exception is thrown:

  • com.atlassian.crowd
  • com.atlassian.crowd.directory
  • SQL Logging

Workaround

    Check that the configured LDAP filter entries are correct as per the Confluence documentation, Connecting to an LDAP Directory:

    Base DN: The root distinguished name (DN) to use when running queries against the directory server. Examples:
      • o=example,c=com
      • cn=users,dc=ad,dc=example,dc=com
    For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local. You will need to replace the domain1 and local for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for finding out and configuring the LDAP structure of your server.

    Additional User DN: This value is used in addition to the base DN when searching and loading users. If no value is supplied, the subtree search will start from the base DN. Example:
      • ou=Users

    Additional Group DN: This value is used in addition to the base DN when searching and loading groups. If no value is supplied, the subtree search will start from the base DN. Example:
      • ou=Groups

    Additional Reference: How to write LDAP search filters
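
    The check below is an added example, not part of the original issue or Atlassian's code. It joins an Additional User/Group DN with the Base DN, which is how the search base in the log above ('OU=people,dc=mycompany,dc=com,dc=mycompany,dc=com') was formed, and flags a value that already ends with the Base DN. The function names are hypothetical, and DN matching is simplified to a case-insensitive comparison of RDNs split on unescaped commas.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas; return (raw, normalized) RDN pairs."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for raw in (p.strip() for p in parts):
        if raw:
            attr, _, value = raw.partition("=")
            # Simplification (assumption): compare type and value case-insensitively.
            rdns.append((raw, (attr.strip().lower(), value.strip().lower())))
    return rdns


def check_additional_dn(base_dn, additional_dn):
    """Report the effective search base and whether the Base DN is repeated."""
    base = split_rdns(base_dn)
    extra = split_rdns(additional_dn)
    base_norm = [n for _, n in base]
    extra_norm = [n for _, n in extra]
    # The additional DN is prepended to the base DN to form the search base.
    effective = ",".join(raw for raw, _ in extra + base)
    repeats = bool(base_norm) and extra_norm[-len(base_norm):] == base_norm
    suggested = None
    if repeats:
        # Drop the trailing RDNs that duplicate the Base DN.
        keep = len(extra) - len(base)
        suggested = ",".join(raw for raw, _ in extra[:keep])
    return {"effective": effective, "repeats_base": repeats, "suggested": suggested}


# Constructed sample settings, taken from the steps to reproduce above.
if __name__ == "__main__":
    for field, value in [("Additional User DN", "ou=users,dc=mycompany,dc=com"),
                         ("Additional Group DN", "ou=Groups")]:
        print(field, check_additional_dn("dc=mycompany,dc=com", value))
```

    A result with repeats_base set to True means the directory server will be asked for a search base that does not exist; the suggested value is what belongs in the field instead.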

    To "see" the LDAP exception returned from external AD:

  • Set up the exact same User Directory configuration in a temporary Crowd instance (or install Crowd with an evaluation license)
  • Crowd will propagate the LDAP exception in the atlassian-crowd.log file to assist with the troubleshooting
  • Once the User Directory configuration is corrected and syncing successfully on Crowd, apply the same User Directory configuration settings on Confluence