Automatically adding users into groups when users first login does not work
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
When connecting Confluence to an external user directory, Confluence has a setting to automatically add users into Default Groups when users first login:
However, when users login, they are not automatically assigned to this group. This usually accompanied by getting "Not Permitted" error as usually the group assigned is the group that has the "Can-Use" permission.
The following appears in the atlassian-confluence
2019-03-13 12:27:04,562 ERROR [http-nio-26141-exec-3] [core.event.listener.AutoGroupAdderListener] handleEvent Could not auto add user to group: Group <confluence-users> is read-only and cannot be updated -- referer: http://localhost:26141/c6141/dologin.action | url: /c6141/dologin.action | traceId: 5a4b7669ec417ff8 com.atlassian.crowd.exception.ReadOnlyGroupException: Group <confluence-users> is read-only and cannot be updated at com.atlassian.crowd.directory.DbCachingRemoteDirectory.addUserToGroup(DbCachingRemoteDirectory.java:727) at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.addUserToGroup(DirectoryManagerGeneric.java:633) at com.atlassian.crowd.core.event.listener.AutoGroupAdderListener.handleEvent(AutoGroupAdderListener.java:86) at com.atlassian.crowd.core.event.listener.AutoGroupAdderListener.handleEvent(AutoGroupAdderListener.java:53) ...
- User directory is a Connector with Read Only, with Local Groups permission
- User Directory is a Delegated directory (Internal with LDAP Authentication)
- Copy User on Login has been ticked
A group with the same name exists in LDAP side. This causes users unable to be added to the groups automatically. For the example error message above, the issue is due to there's already exist a group in LDAP side with the name "confluence-users"
In order for automatically assign users into groups in Confluence when they first login to work, the group should not exist in LDAP side.
The resolution is either to
- Delete the group in LDAP side
- Manual group assignment, as well as changing the Permission to
- Read Only (The group assignment is only done in LDAP side) or
- Read and Write (Allow Confluence to change group membership to LDAP side)