In Confluence we have always used LDAP authentication, but used Confluence's internal groups for authorization. Due to organizational reasons, we have two LDAP directories defined; most users exist in one of those directories, the others in the other. When using OSUser.xsml in version 3.2, this setup worked fine: we had both directories defined in osuser.xml (along with the internal Confluence authenticator), and when a user was created in Confluence, they were not associated with any particular directory; they were sert up internally, and when logging in would be authenticated against the directories in turn. If the first LDAP directory did not have that user the second one would be tried, and would work.
However, after upgrading to Confluence 4.3.5, using multiple directories no longer works, since now each user appears to be associated with a particular directory (the first one in the directory order). This means that if a user that exists only in the second defined LDAP directory gets added, they cannot login, since their user profile assumes they belong to the first one. In looking at the user profile, it appears that the directory field is not editable.
Is there some alternative way to associate a user with a specific directory on creation or later, or is this a setup that only worked using OSUser?
I haven't been able to find any information about how to select in which directory a user gets created, so will have to conclude that at this time that we'll have to manually edit the database in case a user needs to be authenticated against the second configured LDAP directory. I would definitely be keen to see this changed in future versions; thankfully we have only a few users in the second directory, but of course we'd like to stay away from direct database edits in any event.
There might be some issue with configuration if that's the case. If there are two directory, Confluence will check on the first directory if that user exist, if he doesn't Confluence should look on the second directory, and so on based on the sequence. If the user can't log in, most probably the user exist on the first directory with different credential. Perhaps you could try to check with your LDAP administrator to see if the user exist on the first directory as well.
Hope it helps.
Thanks for the insight! The users definitely only exists in one LDAP directory (both directories are AD and we use sAMAccountName as user name in one and userPrincipalName in the other; these fields are structured differently in the directories, so there is no overlap of users.
The issue seems to be that in 4.5.3 (or any version no longer using OSUser, it seems that each user gets associated with a specific directory. While when we upgraded to this version we directly updated the database to associate each user with the correct directory. However, when new users are created in Confluence, it appears that they get associated with the first directory by default (CWD_USER.DIRECTORY_ID for the user is that of the first directory), even though the user does not exist in that directory. There appears to be no way in the app of instead associating the user with the second directory when creating the user. If that association could be set or edited later then there would be no issue for us. Is there a way to do that that I am missing?
Atlassian Summit is an excellent opportunity for in-person support, training, and networking.Learn more
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG