Troubleshooting the "Not Permitted" Screen under LDAP Integration

Symptoms

You have set up Confluence with an LDAP User Directory. Upon logging in with an LDAP/AD account, "Not Permitted" is displayed.

The following appears in the atlassian-confluence.log:

2015-01-02 09:37:11,864 WARN [http-bio-8090-exec-9] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'user.name' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
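
To list every account that is hitting this condition, the warning can be extracted from atlassian-confluence.log. The Python below is an added example, not Atlassian's code; the function name denied_logins and the sample lines are constructed, and the case-folding of user names is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# The Seraph warning quoted above; captures the timestamp and the login name.
# The non-greedy user group tolerates apostrophes inside a user name.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} WARN .*?"
    r"\[atlassian\.seraph\.auth\.DefaultAuthenticator\] login login : "
    r"'(?P<user>.*?)' tried to login but they do not have USE permission"
)

def denied_logins(lines):
    """Map each denied user name to its count and first/last timestamps."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = DENIED.match(line)
        if m is None:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        # Assumption: user names are matched case-insensitively, so fold case.
        entry = seen[m["user"].lower()]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(seen)

# Constructed sample lines in the format of the log entry quoted above.
_HEAD = " WARN [http-bio-8090-exec-9] [atlassian.seraph.auth.DefaultAuthenticator] login login : "
_TAIL = " tried to login but they do not have USE permission or weren't found. Deleting remember me cookie."
SAMPLE_LOG = [
    "2015-01-02 09:37:11,864" + _HEAD + "'user.name'" + _TAIL,
    "2015-01-02 09:38:02,101 INFO [http-bio-8090-exec-3] [example.Unrelated] constructed noise line",
    "2015-01-02 09:41:45,007" + _HEAD + "'User.Name'" + _TAIL,
    "2015-01-02 10:05:30,555" + _HEAD + "'j.o'brien'" + _TAIL,
]

if __name__ == "__main__":
    for user, info in sorted(denied_logins(SAMPLE_LOG).items()):
        print(f"{user}: {info['count']} denied login(s), "
              f"first {info['first']}, last {info['last']}")
```

Each user name it returns can be substituted for <affected user> in the diagnosis query.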

Diagnosis

Run the query below on your Confluence database:

-- Replace <affected user> with the user name from the log line.
SELECT
    o.list_index,
    d.active,
    d.id AS DirectoryID,
    d.directory_name,
    d.directory_type,
    u.id AS UserID,
    u.user_name,
    g.id AS GroupID,
    g.group_name
FROM cwd_user u
    LEFT JOIN cwd_directory d       ON u.directory_id = d.id
    LEFT JOIN cwd_membership m      ON u.id = m.child_user_id
    LEFT JOIN cwd_group g           ON g.id = m.parent_id
    LEFT JOIN cwd_app_dir_mapping o ON d.id = o.directory_id
WHERE u.user_name = '<affected user>'
-- Sort by d.active (descending), then by o.list_index (ascending).
ORDER BY 2 DESC, 1 ASC;

Check whether the user is assigned to any group that has the Can Use permission under Global Permissions.

Cause

The user is not assigned to any default group (confluence-users or confluence-administrators) or any other group that has the Can Use permission.

Resolution

When configuring the directory, you can choose to make it read only, read only with local groups, or read/write. If you choose read/write, any changes made to user and group information in the application will also update the LDAP directory.

      • If your directory is configured as read only, you will need to add the confluence-users group to your LDAP manually.

      • If it is configured as read only with local groups, or read/write, you can manually assign the group to the user in Confluence user management.

        (Log in as a Confluence administrator and go to Confluence Admin > Groups.)

        Users from LDAP are added to groups maintained in Confluence's internal directory the first time they log in. This is only done once per user. There is a known issue with Read Only, with Local Groups in Confluence that may apply to you. To have new users added automatically, set the Default Group Memberships to confluence-users, so that whenever a new user logs in, they are automatically added to the confluence-users group.



Last modified on Nov 2, 2018
