I just upgraded from Confluence 3.3.1 to 3.5.13. In addition, LDAP authentication has moved from one domain to another. I had to change usernames because the sAMAccountName changes with the domain. The doc I followed was this: http://confluence.atlassian.com/display/DOC/Changing+Usernames
The problem I'm having is my users are now not automatically added to the confluence-users group. I had to manually add and grant an AD group in the Global Permissions page in order for users to use confluence.
Why are my users not automatically part of the confluence-users group? Is this related to my user search filter or group search filter? My users are able to authenticate and log in fine but can't use confluence because they're not part of the confluence-users group.
Snippet of atlassian-confluence.log
2012-03-13 14:26:51,788 WARN [http-0.0.0.0-8081-5] [directory.ldap.mapper.UserContextMapper] mapFromContext Failed to map attribute <uSNChanged> from context with DN <cn=Tom Luong,ou=fte,ou=associates,ou=users,ou=gec,dc=corp,dc=domain,dc=com>
-- referer: https://confluence.test.domain.com/authenticate.action?destination=/admin/console.action | url: /doauthenticate.action | userName: tluong | action: doauthenticate
I tried manually adding a user to the confluence-users group in the Manage Groups page and it fails with the following message.
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=GEC,DC=corp,DC=domain,DC=com'
^@]; remaining name 'OU=GROUP,OU=GEC,DC=homeoffice,DC=domain,DC=com'
Thanks in advance for any help.
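Added example, not part of any post in this thread: a Python helper that pulls the two DNs out of the error 32 message quoted in the question and reports where the name Confluence requested diverges from the directory's best match. The sample text is constructed from that quoted log, and the function names are hypothetical.

```python
import re

# Constructed from the error text quoted in the question above.
ERROR_TEXT = (
    "javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
    "NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:\n"
    "'OU=GEC,DC=corp,DC=domain,DC=com'\n"
    "^@]; remaining name 'OU=GROUP,OU=GEC,DC=homeoffice,DC=domain,DC=com'"
)

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs; commas escaped as '\\,' are kept."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def parse_error32(text):
    """Return (best_match_dn, requested_dn) from a JNDI NameNotFoundException message."""
    if "error code 32" not in text:
        raise ValueError("not an LDAP error 32 (noSuchObject) message")
    best = re.search(r"best match of:\s*'([^']*)'", text)
    wanted = re.search(r"remaining name\s*'([^']*)'", text)
    if not (best and wanted):
        raise ValueError("could not find both DNs in the message")
    return best.group(1), wanted.group(1)

def join_rdns(root_first):
    """Render RDNs (held root-first) back into the usual leaf-first DN string."""
    return ",".join(f"{a}={v}" for a, v in reversed(root_first))

def compare_dns(best_match, requested):
    """Walk both DNs from the root (rightmost RDN) and report where they diverge."""
    best = split_dn(best_match)[::-1]
    want = split_dn(requested)[::-1]
    shared = 0
    for b, w in zip(best, want):
        if b != w:
            break
        shared += 1
    return {
        "shared_suffix": join_rdns(want[:shared]),
        "requested_only": join_rdns(want[shared:]),
        "server_only": join_rdns(best[shared:]),
    }

if __name__ == "__main__":
    print(compare_dns(*parse_error32(ERROR_TEXT)))
```

For the quoted error, the requested group DN sits under DC=homeoffice while the server's best match is under DC=corp, so the group base DN in the directory configuration is the first setting to compare against the new domain.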
Hey Tom,
Depending on the style of LDAP integration you have chosen, LDAP users are not automatically added to any internal Confluence groups.
If your integration type is "Read Only" or "Read/Write" you will need to add a "confluence-users" group to your Active Directory tree, and then add your AD users to that group. Alternatively, if you have another group in your tree that already has all the necessary users as members, you can add this group to Confluence's global permissions.
If your integration type is "Read Only With Local Groups" then you can configure the "Default Group Memberships" section of the configuration to automatically add all users to the confluence-users group.
Hi Joseph,
I looked back at our production Confluence setup still running 3.3.1 and it doesn't have User Directories where you can set up LDAP permissions like you stated above, "Read Only, Read Only w/ Local Group, or Read/Write". My test box running Confluence 3.5.13 does have that and it's set to "Read Only w/ Local Group."
I don't have a "confluence-users" group in AD. What's baffling to me is that Confluence 3.3.1 does have AD users populated in the local "confluence-users" group, but Confluence 3.5.13 with "Read Only w/ Local Group" has "confluence-users" as the default local group but has no AD users.
Have I misconfigured something?
Ah, my bad - my descriptions do indeed only apply to Confluence 3.5 and newer, which is when we implemented improved LDAP support.
For your 3.5 instance, you need to specifically configure "confluence-users" as the default group membership for the LDAP directory (see http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory#ConnectingtoanLDAPDirectory-AddingUserstoGroupsAutomatically) - it doesn't happen automatically.
Joseph Clark. You rule. This just saved me.
If your integration type is "Read Only" or "Read/Write" you will need to add a "confluence-users" group to your Active Directory tree, and then add your AD users to that group. Alternatively, if you have another group in your tree that already has all the necessary users as members, you can add this group to Confluence's global permissions.
If your integration type is "Read Only With Local Groups" then you can configure the "Default Group Memberships" section of the configuration to automatically add all users to the confluence-users group.
I have that integration, but if I go to the confluence-users group I don't see many users there, only users that I manually added to that group... If, let's say, I search for an AD user and check its membership, the user retains all AD permissions/groups, but the confluence-users group was not added to the user.
I can easily add this group, and have done so. However, there should be some commonality across products here. Groups can be automagically added by the embedded Crowd in Confluence, but not for a standalone Crowd. As there are several dozen groups here, both historic LDAP and later Confluence additions, it would be much easier to have the auto-add-to-group feature in the standalone Crowd.
Ah, I understand. Sorry for my earlier confusion - I actually didn't know that standalone Crowd lacked the default group memberships feature of the embedded version.
We're doing auth via delegated LDAP via Crowd and have the same issue, however there's no default group membership to be added in the Crowd connector config screen. We can add a default group in Crowd, but of course there's no confluence-users group to add there. I really would prefer not to hack about my auth directory further, or fiddle about with user perms via an alternative ldap group for confluence.
Back in 3.4.x, you could automatically add users to confluence-users on login, but in 3.5 with the new directory handling that's gone. I see a lot of thought and effort have gone into the issues at https://jira.atlassian.com/browse/CONF-24279 and https://jira.atlassian.com/browse/CONF-24358, but again I really don't want to get into the habit of building a frankenwiki again.
This definitely seems like an oversight in the interaction between Confluence and Crowd. Whilst I can, if absolutely needed, hack about with my directory and group perms, not all admins would have that luxury.
Thoughts welcome.
Hi Rob,
Could you clarify your situation in some more detail? Trying to understand your setup.
So you have an external LDAP directory and this is connected to a standalone Crowd install using delegated authentication, and then Confluence is connecting to the Crowd directory?
In this case, you will need to handle all the group management for Confluence within Crowd, right? Why can't you add the "confluence-users" group as a default group in Crowd?
Sorry if I've misunderstood your setup.