Confluence account cannot log in question

Dear Partners, 

We have one LDAP account named guyen thi bich hang. He can log in to the operating system, but he cannot use the LDAP account to log in to Confluence; it always shows that his account and password are wrong. What happened to the account? Thanks a lot.

 

 

login confluence message

login.jpg

3 answers

0 vote
Ann Worley Atlassian Team Nov 03, 2017

It is hard to speculate as to why the user cannot log into Confluence using their LDAP credentials. Since you expect those credentials to work, I assume that other users can log in with their LDAP username and password.

If you check the <confluence_home>/logs/atlassian-confluence.log for the entries when he was denied login, you may find an informative error.

  • Please review Managing Multiple Directories for more details on how user management works for Confluence. Based on that article, please describe your user management setup, i.e. whether you have multiple user directories and whether they are connector or delegated, etc.
  • Please let me know if this user was previously able to use his LDAP credentials to log into Confluence.

Without more information, I am only guessing, but one possible scenario is that there is a user with the same name in a User Directory higher in the User Directory list than the LDAP directory he is in, and that user has a different password.

Dear Ann, 

Thanks for your kind reply. We found the successful login record in his profile information, but I think it's a duplicate account from another domain.

account2.jpg

I have tried to add the account in the global permission settings, but it still cannot log in successfully. How can we delete the previous record of the same account, which may be from another domain?

Best Regards, Anderson Hsu

Additional information: I found an error message for the account:

2017-11-05 21:17:19,458 WARN [http-nio-8090-exec-30] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'guyen th bich han' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

0 vote
Ann Worley Atlassian Team Nov 06, 2017

The account from your screen shot is from the User Directory called:

Active Directory Server - F

As it says in Managing Multiple Directories:

The directory order is significant during the authentication of the user, in cases where the same user exists in multiple directories. When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.

In order for the user to log in from the correct LDAP directory, the directory the desired user account is in must be above the one called Active Directory Server - F in the Confluence Admin>User Directories list or else the duplicate user must be removed from Active Directory Server - F. The latter course is recommended.

The user cannot be removed from Confluence directly; it will have to be removed either from the LDAP directory (using Active Directory Users and Computers or a similar tool) or removed from the scope of the LDAP search as configured at Confluence Admin>User Directories. The scope of the search is a combination of the base DN, user DN and user filter.

Please let me know any follow up questions.

Dear Ann, 

Thanks for your kind reply. My situation is as listed below:

We have a duplicate account which is from a different domain, as shown below:

Nguyen Hang@dv ( gyyen Th Bich Han)

Nguyen Hang@do ( gyyen Th Bich Han) ---> It's the correct account

But I remember Confluence will get the first record when the account is duplicated. I have also used a user filter to get Nguyen Hang@do ( gyyen Th Bich Han), but he still cannot log in.

Best Regards, Anderson Hsu

0 vote
Ann Worley Atlassian Team Nov 17, 2017

As you mentioned, as long as there is an account with the same user name in another directory that is higher in the list displayed on Confluence Admin>User Directories then the user in the lower directory will not be able to log in. Our documentation describes it:

When a user attempts to log in, the application will search the directories in the order specified, and will use the credentials (password) of the first occurrence of the user to validate the login attempt.

I am not sure what you meant when you said you used a user filter to get the user - if we need to use a filter it would be to filter out the user in the higher directory. If that user (Nguyen Hang@dv) could be removed from LDAP or renamed in LDAP that would also allow the lower directory user (Nguyen Hang@do) with the same name to log in. 

Another way to log in the user in the lower directory would be to move that directory that he is in to the higher position on the Confluence Admin>User Directories page, using the arrows in the list.

If we need both users to log in and neither can be renamed or removed, then we need to use another (unique) attribute (like email) for the username. This would be a big change you would need to test and communicate to your users.

There are some good examples and screenshots in this guide: Managing Multiple Directories

Dear Ann, 

I used the filter function as listed below, but it cannot filter the right account. Is there any suggestion about the filter setting? Thanks a lot.

filter.jpg

Ann Worley Atlassian Team Nov 20, 2017

To filter out a user, please use the ! sign as described in How to write LDAP search filters under Using 'not'.

If you were to add one user to the user filter without the ! sign it could potentially filter out every user except the one you specify.

The LDAP filter will not accept the AD name in the format domain\username (do\guyen th bich han). The entire distinguished name is necessary to specify the user. Please see: Distinguished Names.

You can find the user's distinguished name in Active Directory Users and Computers when you view the properties of the user under the object tab. If you don't have access to AD then the AD administrator should be able to provide you the distinguished name.

Dear Ann, 

Thanks for your kind assistance.

Best Regards, Anderson Hsu
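
The first-occurrence rule and the `!` exclusion filter discussed in this thread, as an added example that is not part of the original posts and is not Atlassian code. It models directory order with constructed data, reports usernames that are shadowed by a higher directory, and builds a user filter that excludes one distinguished name. The directory names, usernames, DNs and the base filter are assumptions chosen for illustration.

```python
from collections import OrderedDict

# Constructed sample data (placeholders), in the order the directories would
# appear under Confluence Admin > User Directories.
DIRECTORIES = OrderedDict([
    ("Directory A (higher)", {"jdoe": "CN=J Doe,OU=Users,DC=corp-a,DC=example"}),
    ("Directory B (lower)", {"jdoe": "CN=J Doe,OU=Users,DC=corp-b,DC=example",
                             "asmith": "CN=A Smith,OU=Users,DC=corp-b,DC=example"}),
])

def resolve(username, directories):
    """Return (directory, dn) for the first occurrence of username, else None."""
    for name, users in directories.items():
        for user, dn in users.items():
            if user.lower() == username.lower():  # compare case-insensitively
                return name, dn
    return None

def shadowed_accounts(directories):
    """List (username, winning_directory, shadowed_directory) for duplicates."""
    seen, findings = {}, []
    for name, users in directories.items():
        for user in users:
            key = user.lower()
            if key in seen:
                findings.append((key, seen[key], name))
            else:
                seen[key] = name
    return findings

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def exclude_dn(base_filter, dn):
    """AND a 'not this distinguished name' clause onto an existing user filter."""
    return "(&%s(!(distinguishedName=%s)))" % (base_filter, escape_filter_value(dn))

if __name__ == "__main__":
    # Assumed base filter: a typical Active Directory user filter.
    base = "(&(objectCategory=Person)(sAMAccountName=*))"
    print(resolve("jdoe", DIRECTORIES))
    for finding in shadowed_accounts(DIRECTORIES):
        print("shadowed: %s (wins in %r, ignored in %r)" % finding)
    print(exclude_dn(base, DIRECTORIES["Directory A (higher)"]["jdoe"]))
```

The generated filter belongs in the user filter of the higher directory, so that the duplicate entry falls out of its search scope and the lower directory's account becomes the first occurrence.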
