Common User Management Errors
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
The following table is a list of the most common LDAP Errors encountered when integrating LDAP with Atlassian products. For a product-agnostic list of all LDAP error codes, please see the LDAP Protocol Specification. For product-specific information, please see your product documentation.
The Bind account referred to by many messages is the username and password that your Atlassian products use to access your LDAP directory.
| LDAP Error | Description | Suggested Resolution |
|---|---|---|
| 1 | This is an internal error, and the LDAP Server isn't able to respond with a more specific error. Usually, this indicates an error at the LDAP server, rather than a problem with the request that was made. | Check the LDAP Server logs and configuration to ensure that it is working free from errors. When a user attempts to log in to an Atlassian application, the server:
In this particular case, step 1 is failing. This is usually due to the user's password requiring a reset, the admin is unable to log in or it is not an official administrator for the LDAP engine. Possible solutions/checks:
|
| 3 | The time limit for an operation (set by the client or server) has been exceeded. If the operation is a search, the results will be incomplete. | Reaching the timeout is usually a sign that:
|
| 4 | The size limit (set by the client or server) has been exceeded. The results returned will be incomplete. | Reaching a limit is usually a sign that:
|
| 8 | The Active Directory server has a non-default domain policy set that enforces all LDAP authentication to be secured with SSL. | |
| 10 | A referral must be followed by the client in order to complete the operation. |
|
| 12 | Sun Directory Server does not support Paged Results which generates an error like: | Do not use Paged Results in Sun Directory Server. Note that without paged results, you may encounter LDAP error code 4. More discussion has taken place on
CONF-22083
-
Getting issue details...
STATUS
. |
| 17 | One of the attributes specified in the configuration settings of your User Directory either in the Group Schema Settings (i.e. User Object Class, User Last Name Attribute etc.) or User Schema Settings (i.e. Group Name Attribute, Group Name Class) sections do not exist in the LDAP server's schema. | Ensure any attributes referenced in your configuration are correct, and appropriate for users or groups. |
| 32 | There could be many reasons for this issue. Please check the data code in the error message. | javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'ou=fake, ou=users, o=sevenSeas']; remaining name 'ou=users, o=sevenSeas' The data code in the example above is 0 which means that "Defined DN does not exist". |
| 34 | The syntax of the DN is incorrect. | Ensure your DN is correct; and free from typographical errors. There may also be an invalid character in an attribute of the object - such as name or description. Check the error message to see the attribute that caused the problem. |
| 49 | The bind operation has failed, typically due to a problem with the account. | Ensure the credentials for the bind account used to connect to the LDAP Server are correct. If you are using Active Directory, refer to the table below about Error 49 in Active Directory. This can also be caused by not using the FQDN in the Username field at the User Directory configuration. Try changing Username to "user@domain.name" |
| 50 | The LDAP user configured on the client (i.e. JIRA, Confluence etc) does not have sufficient rights to perform the requested operation. | This error is a permissions configuration issue on the LDAP side. Ensure that the bind account has sufficient privileges to perform the operation requested. If possible, try an account with higher permissions temporarily to isolate the problem. |
| 53 | The LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:
| This error is typically caused by attempting to make changes to a read-only directory. There can be several reasons the directory is read-only:
|
Active Directory Error 49
When Error 49 is encountered, check the error message for a specific error message in the Data attribute of the error message. This TechNet article has more information about how to configure user account settings in Active Directory.
| Code | Description | Resolution |
|---|---|---|
| Data 525 | The user could not be found | Ensure the correct username has been specified for the bind account. |
| Data 52e | The credentials (username and password) are invalid | Ensure the credentials are correct, and that the correct server is being used. See more details at the KB, Users are unable to log in to Confluence (LDAP: error code 49, data 52e) |
| Data 530 | The user is not permitted to login at this time | Remove any Log on Hours from the user's "Account" tab in Active Directory |
| Data 531 | The user is not permitted to login at this workstation | Allow the application server as a permitted logon workstation from the user's "Account" tab in Active Directory. |
| Data 532 | The user's password has expired | Reset the user's password. If necessary, update your application(s) with the new password. |
| Data 533 | The user's account has been disabled | Enable the user account in Active Directory |
Data 57 | The user's account connect from JIRA to the Active Directory is having an authorization issue |
|
| Data 701 | The user's account has expired | Ensure that "Never" is set as the account expiration option in Active Directory |
| Data 773 | The user account must have its password reset | Reset the user's password. If necessary, update your application(s) with the new password. |
| Data 775 | The user account is locked | Unlock the user account from the user's "Account" tab in Active Directory |
PKIX Path Building Failed while connecting to Secure LDAP (LDAPS)
This error is caused by using a secure LDAP connection - however, your application does not trust the certificate presented by your LDAP server. To resolve this, the certificate must be imported to your application's trust store. Please see Unable to Connect to SSL Services knowledge base article for more information. For product specific advice, please see the Connecting to SSL Services KB document.