Users lose local group memberships due to length of active column

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Problem

Users that are sourced from an external LDAP directory lose local group memberships on synchronization.

The following appears in the atlassian-confluence.log

2015-03-31 01:39:24,633 INFO [ajp-bio-127.0.0.1-8009-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "myuser"'s imported membership of remote group "confluence-users" to directory "Delegated Authentication Directory".

Diagnosis

Database

  • Check the length of the active and local columns in the cwd_group table. The column length for both should be one (1). 

Cause

By default, the length of the active and local columns in the cwd_group table is one (1) character. If that column is increased to two characters, which can happen when changing the data type to one that supports Unicode (like nchar), that creates a situation where Confluence cannot determine the properties of groups; specifically the status and whether they are local. As a result, Confluence will remove the local group memberships from users, even though nothing has actually changed in that regard. 

Resolution

  • Modify the affected table (cwd_group) by changing the length of the active and/or local columns back to one character:

    ALTER TABLE table_name
    ALTER COLUMN active nchar(1);

    Always backup your data before performing any modifications to the database.

  • Restart Confluence or flush the Confluence caches
  • Manually restore the local group memberships that were removed

Last modified on Mar 30, 2016

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.