Common User Management Errors

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The following is a list of the most common LDAP errors encountered when integrating LDAP with Atlassian products. For a product-agnostic list of all LDAP error codes, please see the LDAP Protocol Specification. For product-specific information, please see your product documentation.

The Bind account referred to by many messages is the username and password that your Atlassian products use to access your LDAP directory.

Each entry below gives the LDAP error code, a description, and a suggested resolution.
LDAP Error 1

Description: This is an internal error (operationsError), and the LDAP server is not able to respond with a more specific error. Usually this indicates a problem at the LDAP server rather than with the request that was made.

Suggested Resolution: Check the LDAP server logs and configuration to ensure that it is working free from errors. When a user attempts to log in to an Atlassian application, the server:

  1. Searches for the administrative (bind) user's DN, using the credentials from the User Directory configuration.
  2. Binds to LDAP using the DN from step 1.
  3. Searches for the user that is attempting to authenticate.
  4. Attempts to bind as that user with the password provided.
  5. If the bind succeeds, that user's details are synchronized with the target directory.

In this particular case, step 1 is failing. This is usually because a password requires a reset, the bind account is unable to log in at all, or the bind account is not an administrator of the LDAP directory.

Possible solutions/checks:

  1. Verify that the password of the user trying to log in to the Atlassian application does not require a reset on the next login.
  2. Check that you can log in as that user in another system that is connected to the same LDAP directory.
  3. Ensure that the account configured to bind to the LDAP server is an actual administrator of the LDAP directory (i.e. in Active Directory, a member of the built-in Administrators group). If the account is not an administrator, make sure it has read-only access to all directory levels used by your Atlassian application.
  4. A group (or groups) has a name with two leading spaces. Run the following query against the application database to find such groups in the affected directory (replace 1234567 with the id of that user directory):

    select id, group_name
    from cwd_group
    where directory_id = 1234567        -- id of the LDAP user directory
      and group_name like '  %';        -- name starts with two spaces

    • Note which groups the query returns
    • Rename those groups in Active Directory, removing the leading spaces
    • Restart synchronization
LDAP Error 3

Description: The time limit for an operation (set by the client or server) has been exceeded. If the operation is a search, the results will be incomplete.

Suggested Resolution: Reaching the timeout is usually a sign that:

LDAP Error 4

Description: The size limit (set by the client or server) has been exceeded. The results returned will be incomplete.

Suggested Resolution: Reaching a limit is usually a sign that:

  • the limit is not appropriate: enable Paged Results and ensure the Page Size is smaller than the limit, in the User Directory's Advanced Settings.
    • Consult your LDAP/AD system administrator about what this number should be, as it depends on the LDAP/AD server configuration; or
  • the result set is too large: adjust the user and group filters to reduce it.
LDAP Error 8

Description: The Active Directory server has a non-default domain policy set that requires all LDAP authentication to be secured with SSL.

Suggested Resolution: Configure the user directory to connect over LDAPS (an ldaps:// URL, port 636 by default) instead of plain LDAP, and make sure the application trusts the server certificate (see the PKIX section below).
LDAP Error 10

Description: A referral must be followed by the client in order to complete the operation.

Suggested Resolution:

  1. Typically, this error is accompanied by LimitExceededException - Too many referrals were made; usually to a DNS address that does not exist. Ensure that the base DN is correct and free from typographical errors.
  2. Ensure that users' MemberOf attributes point to groups that are reachable. To test this, change how membership is determined by unchecking the MemberOf setting in the Membership Schema Attribute Settings. Membership is then found by searching the groups' "Member" attribute instead of the users' "MemberOf" attribute.
LDAP Error 12

Description: Sun Directory Server does not support Paged Results, which generates an error like:

    org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]

Suggested Resolution: Do not use Paged Results with Sun Directory Server. Note that without paged results you may encounter LDAP error code 4. More discussion has taken place on CONF-22083.
LDAP Error 17

Description: One of the attributes specified in your User Directory configuration, either in the User Schema Settings (e.g. User Object Class, User Last Name Attribute) or the Group Schema Settings (e.g. Group Object Class, Group Name Attribute), does not exist in the LDAP server's schema.

Suggested Resolution: Ensure that every attribute referenced in your configuration is spelled correctly and is appropriate for users or groups respectively.
LDAP Error 32

Description: There can be many reasons for this error. Check the data code in the error message, for example:

    javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A,
    problem 2001 (NO_OBJECT), data 0, best match of: 'ou=fake, ou=users, o=sevenSeas'];
    remaining name 'ou=users, o=sevenSeas'

Suggested Resolution: The data code in the example above is 0, which means "the defined DN does not exist". Check the DNs in the directory configuration (base DN and any additional user or group DNs) for typographical errors.

LDAP Error 34

Description: The syntax of the DN is incorrect.

Suggested Resolution: Ensure your DN is correct and free from typographical errors. There may also be an invalid character in an attribute of the object, such as name or description. Check the error message to see which attribute caused the problem.

LDAP Error 49

Description: The bind operation has failed, typically due to a problem with the account.

Suggested Resolution: Ensure that the credentials for the bind account used to connect to the LDAP server are correct. If you are using Active Directory, refer to the Active Directory Error 49 table below.

This can also be caused by the Username field in the User Directory configuration not being in a form the server accepts. Against Active Directory, try the user principal name form, "user@domain.name".

LDAP Error 50

Description: The LDAP user configured on the client (i.e. Jira, Confluence, etc.) does not have sufficient rights to perform the requested operation.

Suggested Resolution: This is a permissions configuration issue on the LDAP side. Ensure that the bind account has sufficient privileges to perform the requested operation. If possible, temporarily try an account with higher permissions to isolate the problem.
LDAP Error 53

Description: The LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:

  • The add entry request violates the LDAP server's structure rules
  • The modify attribute request specifies attributes that users cannot modify
  • Password restrictions prevent the action
  • Connection restrictions prevent the action

Suggested Resolution: This error is typically caused by attempting to make changes to a read-only directory. There can be several reasons the directory is read-only:

  • The directory has been configured as a read-only directory
  • The bind account may not have permissions to make changes on the server
  • The server may impose additional restrictions. For example, Active Directory may require a secure connection to allow changes

Active Directory Error 49

When error 49 is encountered against Active Directory, check the error message for the specific sub-code in its "data" field (for example "data 52e"). This TechNet article has more information about how to configure user account settings in Active Directory.

Each entry below gives the data code, its meaning, and the resolution.
Data 525

The user could not be found

Ensure the correct username has been specified for the bind account.
Data 52e

The credentials (username and password) are invalid

Ensure the credentials are correct, and that the correct server is being used.

See more details at the KB, Users are unable to log in to Confluence (LDAP: error code 49, data 52e)

Data 530

The user is not permitted to login at this time

Remove any Log on Hours from the user's "Account" tab in Active Directory
Data 531

The user is not permitted to login at this workstation

Allow the application server as a permitted logon workstation from the user's "Account" tab in Active Directory. 
Data 532

The user's password has expired

Reset the user's password. If necessary, update your application(s) with the new password.
Data 533

The user's account has been disabled

Enable the user account in Active Directory

Data 57

The account the application (e.g. Jira) uses to connect to Active Directory has an authorization problem. Possible causes and checks:

  • The account has been removed, or its password has been changed, on the AD side.
  • Test a login to the AD server with the account and its current password, and confirm that it can read the membership attributes of all users.
  • Verify that the account can navigate to the configured LDAP base DN and read all user and group attributes.
  • The application's encryption key file may be missing or lack filesystem permissions, so the stored directory password cannot be decrypted and the wrong credentials are sent to AD. In that case the log contains an error like:

    202x-xx-xx 00:00:00,000-0000 JIRA-Bootstrap ERROR      [c.a.d.c.p.c.algorithm.serialization.SerializationFile] Couldn't read file needed for encryption/decryption. Tried to read file under: \atlassian\jira-data\keys\javax.crypto.spec.SecretKeySpec_xxx
    java.io.FileNotFoundException: \atlassian\jira-data\keys\javax.crypto.spec.SecretKeySpec_xxx (The system cannot find the file specified)
Data 701

The user's account has expired

Ensure that "Never" is set as the account expiration option in Active Directory
Data 773

The user account must have its password reset

Reset the user's password. If necessary, update your application(s) with the new password.
Data 775

The user account is locked

Unlock the user account from the user's "Account" tab in Active Directory
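As an added example (not part of the Atlassian page), the following Python maps the raw attributes of a bind account, as returned by an LDAP search of Active Directory, to the data sub-codes listed above, so the account can be checked before the application's next bind attempt. The userAccountControl bit values and the FILETIME encoding of accountExpires, lockoutTime and pwdLastSet are Microsoft's documented behaviour; the shape of the `entry` dictionary, the `app_server` parameter and the sample values in the main block are constructed for illustration. Logon hours (data 530) and the sub-codes that depend only on the supplied credentials (525, 52e, 57) are not modelled.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# userAccountControl bits, as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
# Set only in the computed attribute msDS-User-Account-Control-Computed.
PASSWORD_EXPIRED = 0x800000
# accountExpires values that mean "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """AD stores accountExpires, lockoutTime and pwdLastSet as 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def predict_data_codes(entry: Dict[str, object], now: datetime, app_server: str,
                       lockout_duration: Optional[timedelta] = None,
                       max_pwd_age: Optional[timedelta] = None) -> List[str]:
    """Return the error 49 'data' sub-codes from the table above implied by the account's
    attributes. `entry` holds already-parsed attribute values (ints / strings) from an LDAP
    search of the bind account (assumed shape); missing attributes are treated as unset."""
    codes = []
    uac = int(entry.get("userAccountControl", 0))
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))

    if uac & ACCOUNTDISABLE:                                        # data 533
        codes.append("533")

    lockout = int(entry.get("lockoutTime", 0))
    if lockout:                                                      # data 775
        # lockoutTime stays set after the lockout expires, so honour lockoutDuration if known.
        if lockout_duration is None or filetime_to_datetime(lockout) + lockout_duration > now:
            codes.append("775")

    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:   # data 701
        codes.append("701")

    pwd_last_set = entry.get("pwdLastSet")
    if pwd_last_set is not None and int(pwd_last_set) == 0:          # data 773: change at next logon
        codes.append("773")
    elif computed & PASSWORD_EXPIRED:                                # data 532, as computed by AD
        codes.append("532")
    elif (max_pwd_age is not None and pwd_last_set is not None
          and not (uac & DONT_EXPIRE_PASSWORD)
          and filetime_to_datetime(int(pwd_last_set)) + max_pwd_age <= now):  # data 532, from policy
        codes.append("532")

    workstations = entry.get("userWorkstations")
    if workstations:                                                 # data 531
        allowed = {w.strip().upper() for w in str(workstations).split(",")}
        if app_server.upper() not in allowed:
            codes.append("531")
    # data 530 (logonHours bitmap) is not modelled here.
    return codes


if __name__ == "__main__":
    # Constructed sample: a disabled bind account that must also reset its password.
    now = datetime(2022, 10, 3, 12, 0, tzinfo=timezone.utc)
    sample = {"userAccountControl": 0x0202, "pwdLastSet": 0, "accountExpires": 0x7FFFFFFFFFFFFFFF}
    print(predict_data_codes(sample, now, "APPSRV01"))   # ['533', '773']
```

The attribute values would normally come from an LDAP search of the bind account's DN run with an administrative account (for example with ldapsearch or ADSI Edit); the function is deliberately separated from any directory connection so it can be run over exported values.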

PKIX Path Building Failed while connecting to Secure LDAP (LDAPS)

This error occurs when using a secure LDAP connection and your application does not trust the certificate presented by your LDAP server. To resolve it, import the server's certificate (or the CA certificate that issued it) into your application's trust store. Please see the Unable to Connect to SSL Services knowledge base article for more information. For product specific advice, please see the Connecting to SSL Services KB document.
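The following Python script, added here as an example and not taken from the Atlassian page, scans an application log for the errors listed on this page, extracts the LDAP result code and any Active Directory data sub-code, and labels each hit with the meaning from the tables above. The sample log lines are constructed for this example (the logger names and message layout approximate an Atlassian log but are not real output); the regular expressions assume the JNDI message format `[LDAP: error code N - ...]` shown in the examples on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Meanings paraphrased from the tables above.
LDAP_CODES = {
    1: "operationsError: internal error on the LDAP server, check the server logs",
    3: "timeLimitExceeded: search results are incomplete",
    4: "sizeLimitExceeded: results incomplete, use Paged Results with a page size below the limit",
    8: "strongAuthRequired: domain policy requires LDAPS",
    10: "referral: a referral must be followed, check the base DN and MemberOf attributes",
    12: "unavailableCriticalExtension: server does not support a requested control (e.g. Paged Results)",
    17: "undefinedAttributeType: a configured user/group schema attribute does not exist",
    32: "noSuchObject: the DN does not exist",
    34: "invalidDNSyntax: malformed DN or invalid character in an attribute",
    49: "invalidCredentials: bind failed",
    50: "insufficientAccessRights: bind account lacks permission for the operation",
    53: "unwillingToPerform: server-defined restriction, e.g. read-only directory",
}
AD_DATA_49 = {
    "525": "user not found",
    "52e": "username or password invalid",
    "530": "logon not permitted at this time (logon hours)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "57": "authorization problem with the bind account (see Data 57 above)",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAP_RE = re.compile(r"\[LDAP: error code (?P<code>\d+) - (?P<detail>[^\]]*)\]")
DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-f]+)\b")
PKIX_RE = re.compile(r"PKIX path building failed", re.IGNORECASE)
KEYFILE_RE = re.compile(r"Couldn't read file needed for encryption/decryption")


@dataclass
class LdapFailure:
    line_no: int
    code: Optional[int]   # LDAP result code; None for non-LDAP failures (TLS trust, key file)
    data: Optional[str]   # AD "data" sub-code if present, e.g. "52e"
    summary: str


def classify_line(line_no: int, line: str) -> Optional[LdapFailure]:
    """Return an LdapFailure if the line carries one of the errors above, else None."""
    if PKIX_RE.search(line):
        return LdapFailure(line_no, None, None,
                           "LDAPS certificate not trusted: import the server certificate into the trust store")
    if KEYFILE_RE.search(line):
        return LdapFailure(line_no, None, None,
                           "missing or unreadable encryption key file: stored directory password cannot be decrypted")
    m = LDAP_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    dm = DATA_RE.search(m.group("detail"))
    data = dm.group("data") if dm else None
    summary = LDAP_CODES.get(code, f"LDAP result code {code} (not in the table)")
    if code == 49 and data:
        summary += "; AD data " + data + ": " + AD_DATA_49.get(data, "sub-code not in the table")
    elif code == 32 and data == "0":
        summary += "; data 0: the defined DN does not exist"
    return LdapFailure(line_no, code, data, summary)


def triage(log_text: str) -> List[LdapFailure]:
    """Scan a log and return every directory-related failure in order of appearance."""
    found = [classify_line(n, line) for n, line in enumerate(log_text.splitlines(), 1)]
    return [f for f in found if f is not None]


def histogram(failures: List[LdapFailure]) -> Counter:
    """Count failures by (code, data) so the dominant problem stands out."""
    return Counter((f.code, f.data) for f in failures)


# Constructed sample lines in the style of an Atlassian application log (not real output).
SAMPLE_LOG = r"""2022-10-03 10:15:01,123 http-nio-8080-exec-5 ERROR [c.a.c.d.SpringLDAPConnector] javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]
2022-10-03 10:16:44,456 http-nio-8080-exec-7 ERROR [c.a.c.d.SpringLDAPConnector] javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580]
2022-10-03 10:20:02,789 Caesium-1-1 ERROR [c.a.c.d.DbCachingRemoteDirectory] javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]
2022-10-03 10:21:10,000 Caesium-1-1 INFO [c.a.c.d.DbCachingRemoteDirectory] synchronisation complete in [1234ms]
2022-10-03 10:25:33,321 http-nio-8080-exec-2 ERROR [c.a.c.d.SpringLDAPConnector] javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'ou=fake, ou=users, o=sevenSeas']; remaining name 'ou=users, o=sevenSeas'
2022-10-03 10:30:00,000 http-nio-8080-exec-9 ERROR [c.a.c.d.SpringLDAPConnector] javax.naming.CommunicationException: simple bind failed: ldap.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
2022-10-03 10:35:00,000 JIRA-Bootstrap ERROR [c.a.d.c.p.c.algorithm.serialization.SerializationFile] Couldn't read file needed for encryption/decryption. Tried to read file under: \atlassian\jira-data\keys\javax.crypto.spec.SecretKeySpec_xxx
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: code={f.code} data={f.data} -> {f.summary}")
    print(histogram(hits))
```

Run it over a real application log by replacing SAMPLE_LOG with the file contents; the histogram is the quickest way to tell a single misconfigured bind account (one code, one data value, repeated) from a directory-wide problem such as a size limit or an untrusted certificate.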


Product: Jira, Confluence, Bitbucket, Fisheye, Bamboo
Platform: Server, Data Center



Last modified on Oct 3, 2022
