After several Q&A here I have managed to configure Crowd with an LDAP connector and to connect it with one of our Confluence instances.
However when I try to log in to Confluence with my LDAP userID I get an error message "Sorry, an error occurred trying to log you in."
If I enter a random password, I get "Sorry, your username and/or password are incorrect." So the connection to LDAP through Crowd seems to work.
Both the Crowd and the Confluence logs show Java errors. If someone can tell me how to attach files here or where to send them, I can make them available - as well as the Crowd support zip.
First lines of confluence error log:
2018-04-11 14:59:55,489 ERROR [http-nio-8090-exec-5] [crowd.manager.application.ApplicationServiceGeneric] authenticateUser Directory 'Crowd Server' is not functional during authentication of 'mchjbaus'. Skipped.
-- referer: http://dolly2.abg.fsc.net:8090/dologin.action | url: /dologin.action | traceId: 489630ceb2de21b0
First lines of crowd error log:
2018-04-11 14:59:54,975 http-nio-8095-exec-1 INFO [server.impl.application.WebApplicationImpl] Initiating Jersey application, version 'Jersey: 1.19 02/11/2015 03:25 AM'
2018-04-11 14:59:55,434 http-nio-8095-exec-1 ERROR [common.error.jersey.ThrowableExceptionMapper] Uncaught exception thrown by REST service: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'r01.fujitsu.local'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'r01.fujitsu.local'
Confluence V6.2.1 (Linux server)
Crowd V3.1.3 (same server)
PS: The initial heap size for Crowd was way too small - my first steps raised an 'out of memory' error for java. The heap size is now 8 GB.
Hi @[deleted]
nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'r01.fujitsu.local'
This seems to be a referrals issue as explained on this page: https://confluence.atlassian.com/jirakb/user-lookups-fail-with-partialresultexceptions-due-to-active-directory-follow-referrals-configuration-235668642.html
Please make sure that you disabled "Use node referrals" in the connector tab of your AD directory in Crowd's console.
Hi @Bruno Vincent,
"use node referrals" has never been checked, so this can't be causing the errors.
Hi @[deleted]
Anything else in the logs?
I still think this is a referrals issue. Can you tell us a bit more about your AD environment?
My guess is that you might have two domains involved here - let's say domainA and domainB - and that your user is a member of both domainA groups and domainB groups.
On the confluence user management page, I can find my test user (myself). This uses a name "MCHJBAUS" that is not in the internal user directory.
On the other hand I changed the priority of the crowd server (putting it first) and the internal directory. Now when I log in with my local admin userid "adm_jean" the user directories page tells me that I am logged in through the Crowd directory.
My conclusion:
The first fact shows that LDAP is working through Crowd.
The second fact shows that login through Crowd works, too (without LDAP).
The only combination that doesn't work is login to Confluence, using a Crowd entry from the Active Directory.
Coming back to you after I have further looked at the log files from Crowd and Confluence...
"The first fact shows that LDAP is working through Crowd."
Not all LDAP requests succeed since you get the referrals error in the logs. Your user is found, credentials checking (BIND in LDAP terminology) probably works too, but my guess is that Crowd cannot fetch your users' groups (because of that referrals issue) and in the end authentication fails because Crowd cannot verify that your user belongs to an authorized group for Confluence. This is my hypothesis anyway.
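Added example, not part of the original thread and not Atlassian code: a small Python triage script that groups a Crowd log into multi-line entries and reports every entry carrying LDAP result code 10 (referral) together with the referral targets it names, which helps confirm which domain the directory server is pointing to. The sample log is constructed from the excerpt quoted above, and the function names are hypothetical; only the Crowd line layout (timestamp, thread, level) is handled.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Crowd log excerpt quoted in this thread.
SAMPLE_LOG = """\
2018-04-11 14:59:54,975 http-nio-8095-exec-1 INFO [server.impl.application.WebApplicationImpl] Initiating Jersey application, version 'Jersey: 1.19 02/11/2015 03:25 AM'
2018-04-11 14:59:55,434 http-nio-8095-exec-1 ERROR [common.error.jersey.ThrowableExceptionMapper] Uncaught exception thrown by REST service: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'r01.fujitsu.local'
]; nested exception is javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'r01.fujitsu.local'
]
"""

# A new entry starts with "<timestamp> <thread> <LEVEL> "; anything else is a continuation line.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\S+) (\w+) ")
LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
REFERRAL = re.compile(r"^ref \d+: '([^']+)'", re.MULTILINE)


def split_entries(text):
    """Group raw lines into entries so multi-line exceptions stay together."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            current = {"time": m.group(1), "thread": m.group(2),
                       "level": m.group(3), "body": line}
            entries.append(current)
        elif current is not None:
            current["body"] += "\n" + line
    return entries


def referral_errors(text):
    """Return entries whose body reports LDAP result code 10 (referral)."""
    findings = []
    for entry in split_entries(text):
        if "10" not in set(LDAP_CODE.findall(entry["body"])):
            continue
        targets = sorted(set(REFERRAL.findall(entry["body"])))
        findings.append({"time": entry["time"], "thread": entry["thread"],
                         "targets": targets})
    return findings


def targets_by_count(text):
    """Count how many log entries point at each referral target."""
    return Counter(t for f in referral_errors(text) for t in f["targets"])


if __name__ == "__main__":
    for finding in referral_errors(SAMPLE_LOG):
        print(finding["time"], finding["thread"], ", ".join(finding["targets"]))
```
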
There might be a few reasons behind that. Might be a network configuration problem. Please check this KB article - https://confluence.atlassian.com/crowdkb/crowd-user-authentication-fails-with-directory-x-is-not-functional-during-authentication-error-391086721.html
Hi @Mirek,
as the password seems to be correctly checked, the connection to the AD must have been established (see the reaction to a deliberately false password).