If you have set up Confluence with AtlassianUser integration, attempted a login with an LDAP/AD account, and got a page titled "Not Permitted", here are the steps to troubleshoot this:

  • Have you assigned USE permission to the relevant LDAP groups from the Administration > Global Permissions page?

Before an LDAP user can log in and use Confluence, the LDAP group they belong to must be given USE permission directly. (Please note: nested groups are not supported in Confluence as yet, so you cannot specify the parent group. If you want this feature, please vote for it here.)

  • Does an account exist on your LDAP/AD server that has the same name as your local admin account? (For example, is there an account on LDAP called 'admin'?)

If so, you will not be able to log in with your local admin account once you enable LDAP integration. To rectify this, you need to either rename your LDAP admin account or roll back your LDAP integration and create another Confluence admin account.

  • You have assigned USE permission to the relevant LDAP groups, but LDAP users in those groups still get "Not Permitted"?

Here, you need to check if Confluence is actually aware that your LDAP users belong to those LDAP groups. To work this out, here is what we need from you:

  1. Log in as the local admin account you created when you first set up Confluence.
  2. Enable profiling by appending ?profile=on to the end of a Confluence URL (say the URL of the dashboard, if you happen to be on that page) and hit Enter to refresh the page. Profiling is now enabled and causes additional information to be written to your log files to help us diagnose the problem.
  3. Browse to the Administration > Manage Users screen and do a search for any LDAP user.
  4. Click on the user to view their details (including the groups they belong to).
  5. Submit a support ticket at http://support.atlassian.com and attach:
    • A screenshot of the user details page.
    • Your server logs files.

If you are feeling brave, you can attempt to decipher the logs yourself. Here's how:

  1. Your logs should display something similar to this:
    [0ms] - com.atlassian.user.impl.ldap.adaptor.LDAPStaticGroupAdaptor_search((&(objectClass=groupOfNames)(member=cn=confadmin,ou=users,ou=people,ou=functest,dc=atlassian,dc=com)))
      [0ms] - com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository_getLDAPContext
      [0ms] - com.atlassian.user.impl.ldap.adaptor.LDAPStaticGroupAdaptor_search_JNDI_RAW_((&(objectClass=groupOfNames)(&(objectClass=groupOfNames)(member=cn=confadmin,ou=users,ou=people,ou=functest,dc=atlassian,dc=com))))
    
    This means that Confluence is using this LDAP search filter (&(objectClass=groupOfNames)(member=cn=confadmin,ou=users,ou=people,ou=functest,dc=atlassian,dc=com)) to find the groups that the user 'confadmin' belongs to. Obviously, the objectClass and member attributes may differ in your install, but the filter should be similar.
  2. Connect to your LDAP/AD server with JXplorer or an LDAP tool of your choice, and issue the above filter and check that you get the results you expect. This should help you to identify if and why the filter is incorrect and what it should be. Please add what you find in this step to the support ticket if you are unable to resolve it from here.
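The following is an added example, not part of the Atlassian article: a small Python script that pulls the group search filter out of the profiling lines shown in step 1, checks that its parentheses balance, lists the attribute/value pairs it is made of, and builds an ldapsearch command line so you can re-run the filter by hand in step 2. The sample log text is the article's own three lines embedded as a constant; the LDAP host name ldap.example.com, the bind DN, and the idea of deriving a base DN from the dc= components of the member DN are assumptions for illustration (ldapsearch -x, -H, -b, -D and -W are standard OpenLDAP options).

```python
import re
import shlex

# Constructed sample: the three profiling lines quoted in the article, as they appear in a
# Confluence log with ?profile=on enabled.
SAMPLE_LOG = """[0ms] - com.atlassian.user.impl.ldap.adaptor.LDAPStaticGroupAdaptor_search((&(objectClass=groupOfNames)(member=cn=confadmin,ou=users,ou=people,ou=functest,dc=atlassian,dc=com)))
  [0ms] - com.atlassian.user.impl.ldap.repository.DefaultLDAPRepository_getLDAPContext
  [0ms] - com.atlassian.user.impl.ldap.adaptor.LDAPStaticGroupAdaptor_search_JNDI_RAW_((&(objectClass=groupOfNames)(&(objectClass=groupOfNames)(member=cn=confadmin,ou=users,ou=people,ou=functest,dc=atlassian,dc=com))))
"""

# Matches only the LDAPStaticGroupAdaptor_search(...) line, not the _JNDI_RAW_ variant,
# and captures the filter between the outer parentheses.
SEARCH_LINE = re.compile(r"LDAPStaticGroupAdaptor_search\((\(.*\))\)\s*$")


def extract_group_filters(log_text):
    """Return every group-membership filter Confluence logged while profiling."""
    filters = []
    for line in log_text.splitlines():
        match = SEARCH_LINE.search(line)
        if match:
            filters.append(match.group(1))
    return filters


def is_balanced(ldap_filter):
    """True if every '(' in the filter has a matching ')'; a cheap sanity check before re-running it."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def filter_components(ldap_filter):
    """Return the (attribute, value) pairs of the simple equality items, e.g. ('objectClass', 'groupOfNames')."""
    return re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)


def suggested_base_dn(member_dn):
    """Assumption for illustration: use the dc= components of the member DN as the search base."""
    parts = [p.strip() for p in member_dn.split(",")]
    return ",".join(p for p in parts if p.lower().startswith("dc="))


def ldapsearch_command(ldap_filter, base_dn, host="ldap.example.com", bind_dn=None):
    """Build an ldapsearch command that issues the same filter by hand (host/bind DN are placeholders)."""
    cmd = ["ldapsearch", "-x", "-H", f"ldap://{host}", "-b", base_dn]
    if bind_dn:
        cmd += ["-D", bind_dn, "-W"]  # -W prompts for the bind password instead of taking it on the command line
    cmd += [ldap_filter, "cn"]  # ask only for the cn of each matching group
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":
    for f in extract_group_filters(SAMPLE_LOG):
        print("filter:", f, "(balanced)" if is_balanced(f) else "(UNBALANCED)")
        parts = dict(filter_components(f))
        for attr, value in parts.items():
            print(f"  {attr} = {value}")
        base = suggested_base_dn(parts.get("member", ""))
        print("try:", ldapsearch_command(f, base, bind_dn="cn=admin,dc=example,dc=com"))
```

Run it against your own log (replace SAMPLE_LOG with the file contents) and compare the printed attribute/value pairs with what your directory actually uses; a filter that asks for objectClass=groupOfNames on an Active Directory server that stores memberships on objectClass=group is the kind of mismatch this makes visible before you open the ticket.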