Confluence account can not login question

Anderson Hsu October 23, 2017

Dear Partners, 

We have one LDAP account named guyen thi bich hang. He can log in to the operating system, but he cannot use the LDAP account to log in to Confluence; it always shows that his account and password are wrong. What happened to the account? Thanks a lot.

 

 

[Image: login.jpg, Confluence login message]

3 answers

2 votes
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
November 6, 2017

The account from your screen shot is from the User Directory called:

Active Directory Server - F

As it says in Managing Multiple Directories:

The directory order is significant during the authentication of the user, in cases where the same user exists in multiple directories. When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.

In order for the user to log in from the correct LDAP directory, the directory the desired user account is in must be above the one called Active Directory Server - F in the Confluence Admin>User Directories list or else the duplicate user must be removed from Active Directory Server - F. The latter course is recommended.

The user cannot be removed from Confluence directly; it will have to be removed either from the LDAP directory (using Active Directory Users and Computers or a similar tool) or removed from the scope of the LDAP search as configured at Confluence Admin>User Directories. The scope of the search is a combination of the base DN, user DN and user filter.

Please let me know any follow up questions.

Anderson Hsu November 16, 2017

Dear Ann, 

Thanks for your kind reply. My situation is as listed below:

We have a duplicate account from a different domain, as shown below:

Nguyen Hang@dv ( gyyen Th Bich Han)

Nguyen Hang@do ( gyyen Th Bich Han) ---> It's the correct account

But I remember Confluence will get the first record when the account is duplicated. I have also used a user filter to get Nguyen Hang@do ( gyyen Th Bich Han), but he still cannot log in.

Best Regards, Anderson Hsu

0 votes
AnnWorley
Atlassian Team
November 17, 2017

As you mentioned, as long as there is an account with the same user name in another directory that is higher in the list displayed on Confluence Admin>User Directories then the user in the lower directory will not be able to log in. Our documentation describes it:

When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.

I am not sure what you meant when you said you used a user filter to get the user - if we need to use a filter it would be to filter out the user in the higher directory. If that user (Nguyen Hang@dv) could be removed from LDAP or renamed in LDAP that would also allow the lower directory user (Nguyen Hang@do) with the same name to log in. 

Another way to log in the user in the lower directory would be to move that directory that he is in to the higher position on the Confluence Admin>User Directories page, using the arrows in the list.

If we need both users to log in and neither can be renamed or removed, then we need to use another (unique) attribute (like email) for the username. This would be a big change you would need to test and communicate to your users.

There are some good examples and screenshots in this guide: Managing Multiple Directories

Anderson Hsu November 19, 2017

Dear Ann, 

I used the filter function as shown below, but it cannot filter the right account. Is there any suggestion about the filter setting? Thanks a lot.

[Image: filter.jpg]

AnnWorley
Atlassian Team
November 20, 2017

To filter out a user, please use the ! sign as described in How to write LDAP search filters under Using 'not'.

If you were to add one user to the user filter without the ! sign it could potentially filter out every user except the one you specify.

The LDAP filter will not accept the AD name in the format domain\username (do\guyen th bich han). The entire distinguished name is necessary to specify the user. Please see: Distinguished Names.

You can find the user's distinguished name in Active Directory Users and Computers when you view the properties of the user under the object tab. If you don't have access to AD then the AD administrator should be able to provide you the distinguished name.

Anderson Hsu November 28, 2017

Dear Ann, 

Thanks for your kind assistance.

Best Regards, Anderson Hsu
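
The directory-order behaviour discussed in this answer, as an added Python model (not part of the original thread and not Confluence's own code). Directory names, usernames, DNs and passwords are constructed placeholders, and the case-insensitive username match is an assumption.

```python
import hmac

# Constructed sample data, in the order shown on the User Directories page.
# Directory names, usernames, DNs and passwords are placeholders.
DIRECTORIES = [
    ("Directory A (higher)", {
        "jdoe": {"dn": "CN=J Doe,OU=Users,DC=a,DC=example", "password": "pw-from-a"},
    }),
    ("Directory B (lower)", {
        "jdoe": {"dn": "CN=J Doe,OU=Staff,DC=b,DC=example", "password": "pw-from-b"},
        "asmith": {"dn": "CN=A Smith,OU=Staff,DC=b,DC=example", "password": "pw-smith"},
    }),
]

def visible_users(users, excluded_dns=()):
    """Model a user filter with a 'not' clause on the full DN, of the shape
    (&(objectCategory=Person)(sAMAccountName=*)(!(distinguishedName=<user DN>)))
    where <user DN> is a placeholder for the account to exclude."""
    return {u: e for u, e in users.items() if e["dn"] not in excluded_dns}

def authenticate(directories, username, password, excluded_dns=()):
    """Return the name of the directory that accepted the login, or None.
    Only the first directory containing the username is consulted."""
    key = username.lower()  # assumption: usernames match case-insensitively
    for name, users in directories:
        entry = visible_users(users, excluded_dns).get(key)
        if entry is not None:
            ok = hmac.compare_digest(entry["password"], password)
            return name if ok else None  # no fall-through to lower directories
    return None

def shadowed_accounts(directories):
    """Return (username, winning directory, shadowed directories) per duplicate."""
    seen = {}
    for name, users in directories:
        for username in users:
            seen.setdefault(username, []).append(name)
    return [(u, d[0], d[1:]) for u, d in sorted(seen.items()) if len(d) > 1]
```

Running `shadowed_accounts` over exported user lists before adding or reordering a directory shows which logins will resolve to a different account.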

0 votes
AnnWorley
Atlassian Team
November 3, 2017

It is hard to speculate as to why the user cannot log into Confluence using their LDAP credentials. Since you expect those credentials to work, I assume that other users can log in with their LDAP username and password.

If you check the <confluence_home>/logs/atlassian-confluence.log for the entries when he was denied login, you may find an informative error.

  • Please review Managing Multiple Directories for more details on how user management works for Confluence. Based on that article, please describe your user management setup, i.e. whether you have multiple user directories and whether they are connector or delegated, etc.
  • Please let me know if this user was previously able to use his LDAP credentials to log into Confluence.

Without more information, I am only guessing, but one possible scenario is that there is a user with the same name in a User Directory higher in the User Directory list than the LDAP directory he is in, and that user has a different password.

Anderson Hsu November 5, 2017

Dear Ann, 

Thanks for your kind reply. We found the successful login record in his profile information, but I think it's a duplicate account from another domain.

[Image: account2.jpg]

I have tried adding the account in the global permission settings, but he still cannot log in successfully. How can we delete the previous record of the same account, which may be from another domain?

Best Regards, Anderson Hsu

Anderson Hsu November 5, 2017

Additional information: I found an error message for the account:

2017-11-05 21:17:19,458 WARN [http-nio-8090-exec-30] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'guyen th bich han' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
