Common User Management Errors

Common LDAP Errors

The following table is a list of the most common LDAP Errors encountered when integrating LDAP with Atlassian products. For a product-agnostic list of all LDAP error codes, please see the LDAP Protocol Specification. For product-specific information, please see your product documentation.

The Bind account referred to by many messages is the username and password that your Atlassian products use to access your LDAP directory.

LDAP Error | Description | Suggested Resolution
Error 1
Description: This is an internal error, and the LDAP server is not able to respond with a more specific error. Usually this indicates an error at the LDAP server rather than a problem with the request that was made.

Suggested resolution: Check the LDAP server logs and configuration to ensure that it is working free from errors. When a user attempts to log in to an Atlassian application, the server:

  1. Searches for the administrative user's DN, using the admin account's credentials from the User Directory configuration.
  2. Binds to LDAP using the DN from step 1.
  3. Searches for the user that is attempting to authenticate.
  4. Attempts to bind as that user using the password provided.
  5. If the bind is successful, synchronises that user's details with the target directory.

In this particular case, step 1 is failing. This is usually because the password requires a reset, the admin account is unable to log in, or that account is not an actual administrator of the LDAP engine.

Possible solutions/checks:

  1. Verify that the password of the user trying to log in to the Atlassian application does not require a reset on the next login.
  2. Check that you can log in as that user in another system that is connected to the same LDAP engine.
  3. Ensure that the user configured to bind to the LDAP server is an actual administrator of the LDAP engine (i.e. in Active Directory, a member of the built-in Administrators group). If the user is not an administrator, make sure it has read-only access to all directory levels used by your Atlassian application.
  4. Check whether a group (or groups) has a name with two leading spaces. Execute the following query against the application database to list any such groups in the specified directory (1234567 is a placeholder for the directory's id; note the two spaces before the % wildcard):

    select id, group_name from cwd_group where directory_id = '1234567' and group_name like '  %';

    • Determine which groups have names with leading spaces by running the diagnostic query above
    • Rename the problematic groups in Active Directory by removing the leading spaces
    • Restart synchronisation

Error 3
Description: The time limit for an operation (set by the client or server) has been exceeded. If the operation is a search, the results will be incomplete.

Suggested resolution: Reaching the timeout is usually a sign that:

Error 4
Description: The size limit (set by the client or server) has been exceeded. The results returned will be incomplete.

Suggested resolution: Reaching a limit is usually a sign that:

  • the limit is not appropriate: adjust Paged Results and ensure the Page Size is smaller than the limit in the User Directories Advanced Settings. Consult with your LDAP/AD system administrator to see what this number should be set to, as it depends on the LDAP/AD server configuration; or
  • the result set is too large, and you could adjust filters to reduce the result set.

Error 10
Description: A referral must be followed by the client in order to complete the operation.

Suggested resolution: Typically, this error is accompanied by LimitExceededException (too many referrals were made, usually to a DNS address that does not exist). Ensure that the base DN is correct and free from typographical errors.

Error 12
Description: Sun Directory Server does not support Paged Results, which generates an error like:

    org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]

Suggested resolution: Do not use Paged Results with Sun Directory Server. Note that without paged results, you may encounter LDAP error code 4. More discussion has taken place on CONF-22083 (Assess Sun Directory LDAP server and paged results support for Confluence compatibility; Resolved).

Error 17
Description: One of the attributes specified in the configuration settings of your User Directory, either in the User Schema Settings (i.e. User Object Class, User Last Name Attribute etc.) or the Group Schema Settings (i.e. Group Name Attribute, Group Name Class) sections, does not exist in the LDAP server's schema.

Suggested resolution: Ensure any attributes referenced in your configuration are correct, and appropriate for users or groups.

Error 32
Description: There could be many reasons for this issue. Please check the data code in the error message, for example:

    javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A,
    problem 2001 (NO_OBJECT), data 0, best match of: 'ou=fake, ou=users, o=sevenSeas'];
    remaining name 'ou=users, o=sevenSeas'

Suggested resolution: The data code in the above example is 0, which means "Defined DN does not exist".

Error 34
Description: The syntax of the DN is incorrect.

Suggested resolution: Ensure your DN is correct and free from typographical errors. There may also be an invalid character in an attribute of the object, such as name or description. Check the error message to see the attribute that caused the problem.

Error 49
Description: The bind operation has failed, typically due to a problem with the account.

Suggested resolution: Ensure the credentials for the bind account used to connect to the LDAP server are correct. If you are using Active Directory, refer to the table below about Error 49 in Active Directory.

Error 50
Description: The LDAP user configured on the client (i.e. JIRA, Confluence etc.) does not have sufficient rights to perform the requested operation. This error is a permissions configuration issue on the LDAP side.

Suggested resolution: Ensure that the bind account has sufficient privileges to perform the operation requested. If possible, try an account with higher permissions temporarily to isolate the problem.

Error 53
Description: The LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:

  • The add entry request violates the LDAP server's structure rules
  • The modify attribute request specifies attributes that users cannot modify
  • Password restrictions prevent the action
  • Connection restrictions prevent the action

Suggested resolution: This error is typically caused by attempting to make changes to a read-only directory. There can be several reasons the directory is read-only:

  • The directory has been configured as a read-only directory
  • The bind account may not have permissions to make changes on the server
  • The server may impose additional restrictions. For example, Active Directory may require a secure connection to allow changes

Active Directory Error 49

When Error 49 is encountered, check the "data" value in the error message for the specific sub-code listed below. This TechNet article has more information about how to configure user account settings in Active Directory.

Code | Description | Resolution

Data 525
Description: The user could not be found.
Resolution: Ensure the correct username has been specified for the bind account.

Data 52e
Description: The credentials (username and password) are invalid.
Resolution: Ensure the credentials are correct, and that the correct server is being used.

Data 530
Description: The user is not permitted to log on at this time.
Resolution: Remove any Log on Hours from the user's "Account" tab in Active Directory.

Data 531
Description: The user is not permitted to log on at this workstation.
Resolution: Allow the application server as a permitted log on workstation from the user's "Account" tab in Active Directory.

Data 532
Description: The user's password has expired.
Resolution: Reset the user's password. If necessary, update your application(s) with the new password.

Data 533
Description: The user's account has been disabled.
Resolution: Enable the user account in Active Directory.

Data 701
Description: The user's account has expired.
Resolution: Ensure that "Never" is set as the account expiration option in Active Directory.
Data 773
Description: The user account must have its password reset.
Resolution: Reset the user's password. If necessary, update your application(s) with the new password.

Data 775
Description: The user account is locked.
Resolution: Unlock the user account from the user's "Account" tab in Active Directory.
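As an added example (not part of the Atlassian article), the following Python helper replays the login steps listed under Error 1 and maps the "data" sub-codes from this table, and the data code shown under Error 32, to the resolutions above. It assumes the ldap3 library is installed and that the bind account username in the directory configuration is already a full DN, so the step 1 DN lookup is folded into the admin bind; the error strings it parses follow the "[LDAP: error code N - ..., data XXX, ...]" form quoted in this article.

```python
import re

# Active Directory "data" sub-codes for LDAP error 49, as listed in the table above.
AD_DATA_49 = {
    "525": "user not found: check the bind account username",
    "52e": "invalid credentials: check the password and the server",
    "530": "logon not permitted at this time: remove Log on Hours",
    "531": "logon not permitted at this workstation: allow the application server",
    "532": "password expired: reset it and update the application",
    "533": "account disabled: enable it in Active Directory",
    "701": "account expired: set the expiration option to Never",
    "773": "password must be reset: reset it and update the application",
    "775": "account locked: unlock it in Active Directory",
}
_CODE_RE = re.compile(r"error code (\d+)", re.IGNORECASE)
_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)", re.IGNORECASE)


def diagnose(message):
    """Extract (result code, data sub-code, advice) from an LDAP error string."""
    code = _CODE_RE.search(message)
    data = _DATA_RE.search(message)
    code = int(code.group(1)) if code else None
    data = data.group(1).lower() if data else None
    if code == 49:
        advice = AD_DATA_49.get(data, "check the bind account credentials")
    elif code == 32:
        advice = "DN does not exist" if data == "0" else "check the DN"
    else:
        advice = "see the LDAP error table"
    return code, data, advice


def check_login_flow(server_url, admin_dn, admin_pw, base_dn, user_filter, user_pw):
    """Replay the Error 1 login steps and report the first step that fails.

    Assumption: ldap3 is installed and admin_dn is already a full DN, so the
    step 1 DN lookup is folded into the admin bind (step 2).
    """
    from ldap3 import Server, Connection
    admin = Connection(Server(server_url), user=admin_dn, password=admin_pw)
    if not admin.bind():  # steps 1-2: bind with the directory's admin account
        return "step 2 (admin bind)", diagnose(admin.result["message"])
    admin.search(base_dn, user_filter)  # step 3: find the authenticating user
    if not admin.entries:
        return "step 3 (user search)", (None, None, "no entry matched the filter")
    user = Connection(Server(server_url), user=admin.entries[0].entry_dn, password=user_pw)
    if not user.bind():  # step 4: bind as that user with the supplied password
        return "step 4 (user bind)", diagnose(user.result["message"])
    return "ok", (None, None, "all steps passed; step 5 (sync) can proceed")
```

Feed diagnose() the bracketed "[LDAP: error code ...]" part of the stack trace; check_login_flow() needs a reachable directory and returns which step failed together with the same diagnosis.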

PKIX Path Building Failed while connecting to Secure LDAP (LDAPS)

This error occurs when using a secure LDAP connection and your application does not trust the certificate presented by your LDAP server. To resolve this, import the certificate into your application's trust store. Please see the Unable to Connect to SSL Services knowledge base article for more information. For product-specific advice, please see the Connecting to SSL Services KB document.
