We have one ldap account named guyen thi bich hang , he can login operating system but he can not use ldap account to login confluence, it always showed his account and password is wrong. What happen to the account? Thanks a lot.
login confluence message
It is hard to speculate as to why the user cannot log into Confluence using their LDAP credentials. Since you expect those credentials to work, I assume that other users can log in with their LDAP username and password.
If you check the <confluence_home>logs/atlassian-confluence,log for the entries when he was denied login, you may find an informative error.
Without more information, I am only guessing, but one possible scenario is that there is a user with the same name in a User Directory higher in the User Directory list than the LDAP directory he is in, and that user has a different password.
Thanks for your kindly reply. We found the successful login record in his profile information, but I think it's duplicate account from another domain.
I have ever try to add the account in global permission setting, but it still can not successful to login . How can we delete previous the same account record which it's maybe from another domain record.
Best Regards, Anderson Hsu
Additional information:I found error message for the account
2017-11-05 21:17:19,458 WARN [http-nio-8090-exec-30] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'guyen th bich han' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
The account from your screen shot is from the User Directory called:
Active Directory Server - F
As it says in Managing Multiple Directories :
The directory order is significant during the authentication of the user, in cases where the same user exists in multiple directories. When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.
In order for the user to log in from the correct LDAP directory, the directory the desired user account is in must be above the one called Active Directory Server - F in the Confluence Admin>User Directories list or else the duplicate user must be removed from Active Directory Server - F. The latter course is recommended.
The user cannot be removed from Confluence directly, it will have to be removed either from the LDAP directory (using Active Directory Users and Computers or a similar tool) or removed from the scope of the LDAP search as configured at Confluence Admin>User Directories. The scope of the search is a combination of the base DN, user DN and user filter.
Please let me know any follow up questions.
Thanks for your kindly reply. My situation is as listed as below:
We have duplication account which is from different domain as shown as below:
Nguyen Hang@dv ( gyyen Th Bich Han)
Nguyen Hang@do ( gyyen Th Bich Han)---> It's the collect account
But I remember confluence will get the first record when the account is duplicate. I have also use user filter to get Nguyen Hang@do ( gyyen Th Bich Han) , but he still can not login .
Best Regards, Anderson Hsu
As you mentioned, as long as there is an account with the same user name in another directory that is higher in the list displayed on Confluence Admin>User Directories then the user in the lower directory will not be able to log in. Our documentation describes it:
When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.
I am not sure what you meant when you said you used a user filter to get the user - if we need to use a filter it would be to filter out the user in the higher directory. If that user (Nguyen Hang@dv) could be removed from LDAP or renamed in LDAP that would also allow the lower directory user (Nguyen Hang@do) with the same name to log in.
Another way to log in the user in the lower directory would be to move that directory that he is in to the higher position on the Confluence Admin>User Directories page, using the arrows in the list.
If we need both users to log in and neither can be renamed or removed, then we need to use another (unique) attribute (like email) for the username. This would be a big change you would need to test and communicate to your users.
There are some good examples and screenshots in this guide: Managing Multiple Directories
To filter out a user, please use the ! sign as described in How to write LDAP search filters under Using 'not'.
If you were to add one user to the user filter without the ! sign it could potentially filter out every user except the one you specify.
The LDAP filter will not accept the AD name in the format domain\username (do\guyen th bich han). The entire distinguished name is necessary to specify the user. Please see: Distinguished Names.
You can find the user's distinguished name in Active Directory Users and Computers when you view the properties of the user under the object tab. If you don't have access to AD then the AD administrator should be able to provide you the distinguished name.
Hello Community, Jessica here from the Confluence product marketing team! Today I wanted to get your takes on project planning –– what works, what doesn’t, how do you know if you’re doing it r...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs