LDAP User Unable to Login to Confluence due to Membership in Restricted Group

Still need help?

The Atlassian Community is here for you.

Ask the community

Symptoms

LDAP Users were not able to login.

The following appears in the atlassian-confluence.log:

java.lang.NullPointerException: at index 23
	at com.google.common.collect.ImmutableList.checkElementNotNull(ImmutableList.java:318)
	at com.google.common.collect.ImmutableList.construct(ImmutableList.java:309)
	at com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:302)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:260)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:230)
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:368)
	at com.atlassian.crowd.directory.RFC4519Directory.searchGroupRelationshipsWithGroupTypeSpecified(RFC4519Directory.java:447)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupRelationships(SpringLDAPConnector.java:1499)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:347)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:283)
com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:189)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:161)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:292)
	at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:142)
	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68)

Cause

This is a bug in Crowd ( CWD-4206 - Getting issue details... STATUS ). One of the groups that the user is a member of is unable to be read by the LDAP account used by Confluence.

 

Diagnosis

  • You can find the culprit group/user by running Get-ADGroup and Get-ADGroupMember with the recursive flag enabled to get an error with the group/user.

Resolution

Option 1:

  • Allow the LDAP account used by Confluence read access to the problematic group, or
  • Remove the user from this group

Option 2:

  • Uncheck both "When finding the user's group membership", and "When finding the members of a group" options under Membership Schema Settings in the directory configuration. This will effectively prevent the use of memberOf attribute to look for the user's group memberships (using member attribute from the group's side instead)

Last modified on Mar 30, 2016

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.