Why are my AD LDAP users not automatically added to the confluence-users group?

I just upgraded from Confluence 3.3.1 to 3.5.13. In addition, LDAP authentication has moved from one domain to another. I had to change usernames because the sAMAccountName changes with the domain. The doc I followed was this: http://confluence.atlassian.com/display/DOC/Changing+Usernames

The problem I'm having is that my users are now not automatically added to the confluence-users group. I had to manually add and grant an AD group in the Global Permissions page in order for users to use Confluence.

Why are my users not automatically part of the confluence-users group? Is this related to my user search filter or group search filter? My users are able to authenticate and log in fine but can't use Confluence because they're not part of the confluence-users group.

Snippet of atlassian-confluence.log

2012-03-13 14:26:51,788 WARN [http-0.0.0.0-8081-5] [directory.ldap.mapper.UserContextMapper] mapFromContext Failed to map attribute <uSNChanged> from context with DN <cn=Tom Luong,ou=fte,ou=associates,ou=users,ou=gec,dc=corp,dc=domain,dc=com>
-- referer: https://confluence.test.domain.com/authenticate.action?destination=/admin/console.action | url: /doauthenticate.action | userName: tluong | action: doauthenticate

I tried manually adding a user to the confluence-users group in the Manage Groups page and it fails with the following message.

Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=GEC,DC=corp,DC=domain,DC=com'
^@]; remaining name 'OU=GROUP,OU=GEC,DC=homeoffice,DC=domain,DC=com'

Thanks in advance for any help.
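
Added example, not part of the original post and not Atlassian's code: a small Python check that parses the LDAP error 32 text quoted above and compares the DN that was requested with the DN the server reported as its best match. It assumes the "remaining name" is the DN the application tried to resolve; the sample string is the quoted error joined onto one line, and all function names are illustrative.

```python
import re

# Constructed sample: the error quoted in the question, joined onto one line.
SAMPLE = (
    "Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - "
    "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, "
    "best match of: 'OU=GEC,DC=corp,DC=domain,DC=com' ]; "
    "remaining name 'OU=GROUP,OU=GEC,DC=homeoffice,DC=domain,DC=com'"
)

# Error 32 (noSuchObject): capture the server's best match and the DN asked for.
ERR32 = re.compile(
    r"error code 32\b.*?best match of:\s*'(?P<matched>[^']*)'"
    r".*?remaining name '(?P<requested>[^']*)'",
    re.DOTALL,  # the real log wraps this message over several lines
)

def split_dn(dn):
    """Split a DN into (ATTR, value) pairs; a backslash-escaped comma stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.upper(), value.lower()))
    return rdns

def domain_of(dn):
    """Join the DC components of a DN into a DNS-style domain name."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")

def diagnose(log_text):
    """Return a comparison of requested vs. matched DN, or None if no error 32 is found."""
    m = ERR32.search(log_text)
    if m is None:
        return None
    requested, matched = split_dn(m["requested"]), split_dn(m["matched"])
    return {
        "requested_domain": domain_of(m["requested"]),
        "matched_domain": domain_of(m["matched"]),
        "domain_mismatch": domain_of(m["requested"]) != domain_of(m["matched"]),
        # RDNs the application asked for that the server's best match does not contain
        "unmatched_rdns": [rdn for rdn in requested if rdn not in matched],
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

For the quoted error, the requested DN is under DC=homeoffice while the best match is under DC=corp, which suggests checking the directory's base DN and group DN settings for a value left over from the old domain.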

3 answers

1 accepted

4 votes
Accepted answer
Joe Clark Atlassian Team Mar 14, 2012

Hey Tom,

Depending on the style of LDAP integration you have chosen, LDAP users are not automatically added to any internal Confluence groups.

If your integration type is "Read Only" or "Read/Write" you will need to add a "confluence-users" group to your Active Directory tree, and then add your AD users to that group. Alternatively, if you have another group in your tree that already has all the necessary users as members, you can add this group to Confluence's global permissions.

If your integration type is "Read Only With Local Groups" then you can configure the "Default Group Memberships" section of the configuration to automatically add all users to the confluence-users group.

Hi Joseph,

I looked back at our production Confluence setup still running 3.3.1 and it doesn't have User Directories where you can set up LDAP permissions like you stated above, "Read Only, Read Only w/ Local Group, or Read/Write". My test box running Confluence 3.5.13 does have that and it's set to "Read Only w/ Local Group."

I don't have a "confluence-users" group in AD. What's baffling to me is that Confluence 3.3.1 does have AD users populated in the local "confluence-users" group, but Confluence 3.5.13 with "Read Only w/ Local Group", which has "confluence-users" as the default local group, has no AD users.

Have I misconfigured something?

Joe Clark Atlassian Team Mar 18, 2012

Ah, my bad - my descriptions do indeed only apply to Confluence 3.5 and newer, which is when we implemented improved LDAP support.

For your 3.5 instance, you need to specifically configure "confluence-users" as the default group membership for the LDAP directory (see http://confluence.atlassian.com/display/DOC/Connecting+to+an+LDAP+Directory#ConnectingtoanLDAPDirectory-AddingUserstoGroupsAutomatically) - it doesn't happen automatically.

Ahh, Thanks Joseph

Joe Clark Atlassian Team Mar 19, 2012

No problem :)

Joseph Clark. You rule. This just saved me.

If your integration type is "Read Only" or "Read/Write" you will need to add a "confluence-users" group to your Active Directory tree, and then add your AD users to that group. Alternatively, if you have another group in your tree that already has all the necessary users as members, you can add this group to Confluence's global permissions.

We're doing auth via delegated LDAP via Crowd and have the same issue, however there's no default group membership to be added in the Crowd connector config screen. We can add a default group in Crowd, but of course there's no confluence-users group to add there. I really would prefer not to hack about my auth directory further, or fiddle about with user perms via an alternative ldap group for confluence.

Back in 3.4.x, you could automatically add users to confluence-users on login, but in 3.5 with the new directory handling that's gone. I see a lot of thought and effort have gone into the issues at https://jira.atlassian.com/browse/CONF-24279 and https://jira.atlassian.com/browse/CONF-24358, but again I really don't want to get into the habit of building a frankenwiki again.

This definitely seems like an oversight in the interaction between Confluence and Crowd. Whilst I can, if absolutely needed, hack about with my directory and group perms, not all admins would have that luxury.

Thoughts welcome.

Joe Clark Atlassian Team May 20, 2012

Hi Rob,

Could you clarify your situation in some more detail? Trying to understand your setup.

So you have an external LDAP directory and this is connected to a standalone Crowd install using delegated authentication, and then Confluence is connecting to the Crowd directory?

In this case, you will need to handle all the group management for Confluence within Crowd, right? Why can't you add the "confluence-users" group as a default group in Crowd?

Sorry if I've misunderstood your setup.

I can easily add this group, and have done so. However, there should be some commonality across products here. Groups can be automagically added by the embedded Crowd in Confluence, but not for a standalone Crowd. As there are several dozen groups here, both historic LDAP and later Confluence additions, it would be much easier to have the auto-add-to-group feature in the standalone Crowd.

Joe Clark Atlassian Team Jun 04, 2012

Ah, I understand. Sorry for my earlier confusion - I actually didn't know that standalone Crowd lacked the default group memberships feature of the embedded version.
