Account Issues When Migrating from Internal Authentication to Internal with LDAP Authentication


Symptoms

If you do not check "Copy Users on Login" when migrating from Internal Authentication to Internal with LDAP Authentication (using this doc: Connecting to an Internal Directory with LDAP Authentication), Confluence will ignore the LDAP authentication for users with the same name in both directories. 

Cause

Users that exist in the internal directory (as well as LDAP) authenticate internally and not with LDAP. 

Workaround

This suggested workaround was submitted here: https://answers.atlassian.com/questions/78076/migrate-from-internal-authentication-to-internal-with-ldap-authentication by Jo-Anne MacLeod:

The suggestion from Atlassian was to retrieve a list of users and then use the CLI plugin (which has become my best friend through this) to create the new users, after that to rerun the group membership file created above.  

This is the command used to create the user list:

 

SELECT lower_user_name, 'password', email_address, display_name FROM cwd_user

and the import command:

 

./confluence.sh --action addUserWithFile --file "users.csv"

This did not work as it detected that the users already existed in the database.

Bottom line I got to the point where I was stuck.  The only suggestion left was to manually create the 400 users.  Not something that I was willing to do.

What I ended up doing was something that I really don't like to do.  I manipulated the database directory.  *WARNING* - Take a backup, run in Test before doing in Production.  We found the ID for our LDAP configuration, and for the Internal configuration.  Made a note of the ID.  In the tables, CWD_User, CWD_User_attribute, and CWD_group, we updated the id from the existing internal id, to the new ldap id.  Restarted the system. Testing confirmed that this worked.  Or so we thought.  We found though that none of the 'service accounts', that is accounts that existed in Confluence, but didn't exist in the LDAP would work.  We tried moving them back to the old ID (basically undid the database change), and still it didn't help.

Through trial and error we found that the root cause was that new users were always being created as an "LDAP Authentication" account, we were never allowed to enter a user as an "Internal Authentication" account.  So I went back to the Users directory and moved internal authentication above the LDAP authentication. Then I could create a new user, it creates with type Internal Authentication. I then go back to the User Directories and move LDAP above Internal, and I can get it to work.  This step will need to be repeated whenever a new service (internal only) account is created.  Seeing as this is not done a lot, it is a small price to pay to get Confluence to work with Local Users, and LDAP authentication.
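
A read-only check for the condition described under Cause, added here as an example (not Atlassian's or the poster's code): it reports active usernames that exist in both directory types, and accounts still held by the internal directory that are not on a service-account allow-list. The `directory_id`, `directory_type` and `active` columns, the `INTERNAL`/`DELEGATING` values, the allow-list and all sample rows are assumptions, built here on an in-memory SQLite database; confirm them against a copy of the real database before relying on the query.

```python
import sqlite3

# Assumed subset of Confluence's embedded Crowd tables (column names are assumptions).
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_name TEXT, directory_type TEXT);
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, lower_user_name TEXT, active TEXT, directory_id INTEGER);
"""

# Read-only audit: every active account with the type of the directory that owns it.
AUDIT_SQL = """
SELECT u.lower_user_name, d.directory_type
FROM cwd_user u JOIN cwd_directory d ON d.id = u.directory_id
WHERE u.active = 'T'
ORDER BY u.lower_user_name
"""

def audit(conn, service_accounts):
    """Return (shadowed, unexpected_internal).
    shadowed: names present in both an INTERNAL and a DELEGATING directory.
    unexpected_internal: INTERNAL-only names not on the service-account allow-list."""
    by_type = {}
    for name, dtype in conn.execute(AUDIT_SQL):
        by_type.setdefault(dtype, set()).add(name)
    internal = by_type.get("INTERNAL", set())
    delegated = by_type.get("DELEGATING", set())
    shadowed = sorted(internal & delegated)
    unexpected = sorted(internal - delegated - set(service_accounts))
    return shadowed, unexpected

def build_sample():
    """Constructed sample rows, not data from a real instance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cwd_directory VALUES (?,?,?)",
        [(1, "Confluence Internal Directory", "INTERNAL"),
         (2, "Internal with LDAP Authentication", "DELEGATING")])
    conn.executemany("INSERT INTO cwd_user VALUES (?,?,?,?)",
        [(10, "alice", "T", 1), (11, "alice", "T", 2),  # same name in both directories
         (12, "bob", "T", 2),                           # migrated to LDAP authentication
         (13, "carol", "T", 1),                         # left behind in internal
         (14, "svc-backup", "T", 1),                    # expected internal-only account
         (15, "dave", "F", 1)])                         # inactive, ignored by the query
    return conn

if __name__ == "__main__":
    shadowed, unexpected = audit(build_sample(), {"svc-backup"})
    print("same name in both directories:", shadowed)
    print("still internal, not a service account:", unexpected)
```

Any name in either list still has a locally stored password that is accepted independently of LDAP, so those accounts are the ones to review after the migration.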

 

Last modified on Feb 26, 2016
