Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Why are my AD LDAP users not automatically added to the confluence-users group?

Tom Luong
Tom Luong March 13, 2012

I just upgraded from Confluence 3.3.1 to 3.5.13. In additional, LDAP authentication has moved from one domain to another. I had to change usernames because the sAMAccountName changes with the domain. The docs I follow was this: http://confluence.atlassian.com/display/DOC/Changing+Usernames

The problem I'm having is my users are now not automatically added to the confluence-users group. I had to manually add and grant an AD group in the Global Permissions page in order for users to use confluence.

Why am my users not automatically part of the confluence-users group? Is this related to my user search filter or group search filter? My users are able to authenticate and log in fine but can't use confluence because they're not part of the confluence-users group.

Snippet of atlassian-confluence.log

2012-03-13 14:26:51,788 WARN [http-0.0.0.0-8081-5] [directory.ldap.mapper.UserContextMapper] mapFromContext Failed to map attribute <uSNChanged> from context with DN <cn=Tom Luong,ou=fte,ou=associates,ou=users,ou=gec,dc=corp,dc=domain,dc=com>
-- referer: https://confluence.test.domain.com/authenticate.action?destination=/admin/console.action | url: /doauthenticate.action | userName: tluong | action: doauthenticate

I tried manually adding a users to the confluence-users group in Manage Groups page and it fails with the following message.

Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=GEC,DC=corp,DC=domain,DC=com'
^@]; remaining name 'OU=GROUP,OU=GEC,DC=homeoffice,DC=domain,DC=com'

Thanks in advance for any help.

Answer
Watch
Like Be the first to like this
3412 views

3 answers

1 accepted

4 votes
Answer accepted
Joe Clark
Joe Clark
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 14, 2012

Hey Tom,

Depending on the style of LDAP integration you have chosen, LDAP users are not automatically added to any internal Confluence groups.

If your integration type is "Read Only" or "Read/Write" you will need to add a "confluence-users" group to your Active Directory tree, and then add your AD users to that group. Alternatively, if you have another group in your tree that already has all the necessary users as members, you can add this group to Confluence's global permissions.

If your integration type is "Read Only With Local Groups" then you can configure the "Default Group Memberships" section of the configuration to automatically add all users to the confluence-users group.

View More Comments
Tom Luong
Tom Luong March 15, 2012

Hi Joseph,

I looked by at our production Confluence setup still running 3.3.1 and it doesn't have User Directories where you can setup LDAP permissions like you stated above, "Read Only, Read Only w/ Local Group, or Read/Write". My test box running Confluence 3.5.13 does have that and it's set to "Read Only w/ Local Group."

I don't have a "confluence-users" group in AD. What's baffling to me is the Confluence 3.3.1 does have AD users populated in the local "confluence-users" group but Confluence 3.5.13 with "Read Only w/ Local Group" has "confluence-users" as the default local group has no AD users.

Have I misconfigured something?

Like
Joe Clark
Joe Clark
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 18, 2012

Ah, my bad - my descriptions do indeed only apply to Confluence 3.5 and newer, which is when we implemented improved LDAP support.

For your 3.5 instance, you need to specifically configure "confluence-users" as the default group membership for the LDAP directory (see http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory#ConnectingtoanLDAPDirectory-AddingUserstoGroupsAutomatically) - it doesn't happen automatically.

Like
Tom Luong
Tom Luong March 19, 2012

Ahh, Thanks Joseph

Like
Joe Clark
Joe Clark
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 19, 2012

No problem :)

Like
Adam Saint-Prix
Adam Saint-Prix
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 31, 2012

Joseph Clark. You rule. This just saved me.

If your integration type is "Read Only" or "Read/Write" you will need to add a "confluence-users" group to your Active Directory tree, and then add your AD users to that group. Alternatively, if you have another group in your tree that already has all the necessary users as members, you can add this group to Confluence's global permissions.

Like
MARK RYAN DAYANGHIRANG
MARK RYAN DAYANGHIRANG April 25, 2020

If your integration type is "Read Only With Local Groups" then you can configure the "Default Group Memberships" section of the configuration to automatically add all users to the confluence-users group.

 

Have that integration but if i go to co fluence-users group i dont see much users there only users that i manually added tk thay group... if lets say i seach an ad user and check its membership, users retain all ad permissions/groups but confluence-users group was not added to the users

Like
Reply
0 votes
aarnetadmin
aarnetadmin
Contributor
May 29, 2012

I can easily add this group, and have done so. However, there should be some commonality accros products here. Groups can be automagically addded by the embedded crowd in confluence, but not for a standalone crowd. As there are several dozen groups here, bother historic ldap and later confluence additions, it would be much easier to have the auto-add-to-group feature in the standalone crowd.

View More Comments
Joe Clark
Joe Clark
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 4, 2012

Ah, I understand. Sorry for my earlier confusion - I actually didn't know that standalone Crowd lacked the default group memberships feature of the embedded version.

Like
Reply
0 votes
aarnetadmin
aarnetadmin
Contributor
May 18, 2012

We're doing auth via delegated LDAP via Crowd and have the same issue, however there's no default group membership to be added in the Crowd connector config screen. We can add a default group in Crowd, but of course there's no confluence-users group to add there. I really would prefer not to hack about my auth directory further, or fiddle about with user perms via an alternative ldap group for confluence.

Back in 3.4.x, you could automatically add users to confluence-users on login, but in 3.5 with the new directory handling that's gone. I see a lot of thought and effort have gone into the issues at https://jira.atlassian.com/browse/CONF-24279 and https://jira.atlassian.com/browse/CONF-24358, but again I really don't want to get into the habit of building a frankenwiki again.

This definitely seems like an oversighty in the interaction between Confluence and Crowd. Whilst I can, if absolutely needed, hack about with my directory and group perms, not all admins would have that luxury.

Thoughts welcome.

View More Comments
Joe Clark
Joe Clark
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 20, 2012

Hi Rob,

Could you clarify your situation in some more detail? Trying to understand your setup.

So you have an external LDAP directory and this is connected to a standalone Crowd install using delegated authentication, and then Confluence is connecting to the Crowd directory?

In this case, you will need to handle all the group management for Confluence within Crowd, right? Why can't you add the "confluence-users" group as a default group in Crowd?

Sorry if I've misunderstood your setup.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
atlassian, atlassian community events, ace, engineering, confluence feed, power of feed, atlassian ask me anything, atlassian confluence answers, ace rsvp, atlassian community events rsvp, atlassian magic

“How We Built This” ft. Atlassian Confluence Engineers

Meet the engineers who are making the Confluence magic happen at Atlassian ✨

RSVP now!
AUG Leaders

Upcoming Confluence Events