We've set up a Confluence (3.5.3) instance connected to Active Directory. Active Directory is configured as read only with local groups. The default group membership is set to 'confluence-users'.
The base dn is: OU=Customer,dc=hs,dc=local
The LDAP sub-dn under which the users are stored is: OU=Default Users,OU=Users
The LDAP sub-dn under which inactive users are stored is: OU=Inactive Users,OU=Users
Now the client reports an issue with the users shown in the Confluence user list. After moving a user to the dn with inactive users, they can still find the user in Confluence. The change in AD is done from outside Confluence.
It seems that Confluence doesn't update its internal indexes correctly with the changed situation from AD. Any solutions?
The answer from support:
Yes, removing the user from AD does remove the user from Confluence's database (cwd_user table), and hence, removes his/her account from the Confluence Admin >> Manage Users screen. The People Directory, however, works differently. The moment the user is removed from AD, we can, of course, remove the user from the cwd_user table, but for tracking purposes, we left the user in the Content table, which is where the People Directory fetches its inputs from, and hence, the user is still displayed in People Directory. But if you check in Confluence Admin >> Manage Users, the user is already gone, and will no longer be counted against your Confluence license.
This is actually raised as a bug here: https://jira.atlassian.com/browse/CONF-11467, which describes your issue perfectly.
Quote from the Bug Report that describes your issue perfectly:
Now once you delete a user in LDAP/Jira or your external user management, it will disappear from Confluence user management, i.e. searching Administration > Manage users will not find that user; however, their userinfo still exists in the content table. When populating the people directory, Confluence searches the CONTENT table pulling out all the people who have USERINFO rows in the table. However, when it tries to display the person, it can't because the user no longer exists. If you have a number of these it can cause the display of people to be weird (i.e. not displaying the same amount of users when clicking on next or previous when searching through the people directory) or in extreme cases it can cause the people directory to be empty.
The workaround provided in the bug report is very similar to the one I provided earlier, with the exception that my DELETE statement references the contentid directly from the output of the SELECT statement, which is more direct.
As of now, this bug is still not fixed, but do feel free to add yourself as a watcher to the bug report to be informed of updates. Of course, the only workaround you can do for now would be the database method to remove the USERINFO contents.
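The answer above explains that the People Directory is built from USERINFO rows in the Content table, while removing a user only clears the cwd_user table. As an added example (not part of the original thread and not the workaround from the bug report), this read-only check lists the leftover rows on a constructed in-memory copy of the two tables; all column names other than contentid are assumptions to verify against your own schema.

```python
import sqlite3

# Constructed miniature of the two tables named in the answer. Column names
# other than contentid are assumptions; check them against your own schema.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT, lower_user_name TEXT);
CREATE TABLE content (contentid INTEGER PRIMARY KEY, contenttype TEXT, username TEXT);
"""

# Constructed sample rows: jdoe was removed from the directory, so only the
# USERINFO row is left behind for that account.
SAMPLE = """
INSERT INTO cwd_user VALUES (1, 'asmith', 'asmith'), (2, 'BLee', 'blee');
INSERT INTO content VALUES
  (100, 'USERINFO', 'asmith'),
  (101, 'USERINFO', 'jdoe'),
  (102, 'USERINFO', 'blee'),
  (103, 'PAGE', NULL);
"""

# Read-only check: USERINFO rows whose user no longer exists in cwd_user.
# NOT EXISTS is used instead of NOT IN so a NULL user name cannot hide results.
ORPHAN_QUERY = """
SELECT c.contentid, c.username
FROM content c
WHERE c.contenttype = 'USERINFO'
  AND NOT EXISTS (
    SELECT 1 FROM cwd_user u
    WHERE u.lower_user_name = lower(c.username)
  )
ORDER BY c.contentid
"""

def find_orphaned_userinfo(conn):
    """Return (contentid, username) for profiles with no matching account."""
    return conn.execute(ORPHAN_QUERY).fetchall()

def build_sample_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

if __name__ == "__main__":
    for contentid, username in find_orphaned_userinfo(build_sample_db()):
        print(f"orphaned USERINFO row {contentid} for removed user {username!r}")
```

Running the same SELECT periodically against a copy of the production database gives a list of deprovisioned accounts that are still visible in the People Directory.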
We do have the same problem. We moved a user to a different OU within the directory and the user can't log on anymore. The message in the log states: "... tried to login but they do not have USE permission or weren't found. Deleting remember me cookie." (WARN)
Version is Confluence 3.5.9