Existing Confluence users get "Not Permitted" message after logging in

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

  1. Users who already exist in Confluence and have previously been able to log in and view content suddenly get a Not Permitted message after logging in.
  2. After the LDAP sync interval has passed and a sync completes successfully, users are able to access content again, seemingly without any action from the administrator.

The following appears in the atlassian-confluence.log:

2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric] 
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance 
for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389; 
nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is 
java.net.ConnectException: Connection refused] com.atlassian.crowd.exception.OperationFailedException: 
  org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance 
for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389; 
nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is 
java.net.ConnectException: Connection refused]

Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 5,955 milliseconds ago.  The last packet sent 
successfully to the server was 1 milliseconds ago.
	at sun.reflect.GeneratedConstructorAccessor295.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at com.mysql.jdbc.Util.handleNewInstance(Util.java:406)
	at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1119)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3057)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2943)
	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3486)
	at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1959)
	at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2113)
	at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2687)
	at com.mysql.jdbc.ConnectionImpl.setTransactionIsolation(ConnectionImpl.java:5416)
	at com.mchange.v2.c3p0.impl.NewProxyConnection.setTransactionIsolation(NewProxyConnection.java:701)
	at net.sf.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:34)
	at net.sf.hibernate.impl.BatcherImpl.openConnection(BatcherImpl.java:292)
	... 14 more
Caused by: java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes 
before connection was unexpectedly lost.
	at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2502)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2954)
	... 23 more

Diagnosis

Confluence is using a synchronizing LDAP directory for user management. Check communication between Confluence and the LDAP server.
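
To confirm from the log that a sync lost its LDAP connection, the wrapped error entries can be regrouped and the endpoint and root exception pulled out. The following is an added example, not Atlassian code; the hostname, the INFO entry and the second ERROR entry in the sample are constructed for illustration.

```python
import re

# Constructed sample in the layout of the atlassian-confluence.log excerpt above;
# the hostname, the INFO entry and the second ERROR entry are made up.
SAMPLE_LOG = """\
2012-06-07 08:06:40,101 http-8095-3 INFO [example.Component] page rendered
2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric]
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance
for transaction; nested exception is org.springframework.ldap.CommunicationException: ldap.example.internal:389;
nested exception is javax.naming.CommunicationException: ldap.example.internal:389 [Root exception is
java.net.ConnectException: Connection refused]
2012-06-07 09:06:45,802 http-8095-12 ERROR [crowd.manager.application.ApplicationServiceGeneric]
org.springframework.ldap.CommunicationException: ldap.example.internal:389; nested exception is
javax.naming.CommunicationException: ldap.example.internal:389 [Root exception is
java.net.SocketTimeoutException: connect timed out]
"""

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\S+) (\w+) \[([^\]]+)\]")
LDAP_ENDPOINT = re.compile(r"org\.springframework\.ldap\.CommunicationException: ([^\s;]+:\d+)")
ROOT_CAUSE = re.compile(r"\[Root exception is ([\w.$]+): ([^\]]+)\]")

def split_entries(log_text):
    """Group wrapped continuation lines under the timestamped line that starts each entry."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"timestamp": m.group(1), "level": m.group(3), "body": line})
        elif entries:
            entries[-1]["body"] += " " + line.strip()
    return entries

def find_ldap_failures(log_text):
    """Return one record per ERROR entry that reports an LDAP communication failure."""
    failures = []
    for entry in split_entries(log_text):
        endpoint = LDAP_ENDPOINT.search(entry["body"])
        if entry["level"] != "ERROR" or not endpoint:
            continue
        cause = ROOT_CAUSE.search(entry["body"])
        failures.append({
            "timestamp": entry["timestamp"],
            "endpoint": endpoint.group(1),
            "root_cause": f"{cause.group(1)}: {cause.group(2)}" if cause else "unknown",
        })
    return failures

if __name__ == "__main__":
    print(*find_ldap_failures(SAMPLE_LOG), sep="\n")
```

Comparing the reported timestamps with the directory's sync schedule shows whether the failure fell inside a sync window, which is the condition described under Cause.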

Cause

Confluence was in the middle of a sync with the LDAP server and lost the connection between identifying the group memberships and identifying which users those memberships belong to. The group memberships were identified and then the connection was lost. Once a sync completed successfully, memberships were restored and users were able to log in and see content.

Alternate cause: There is an alternate cause in which the LDAP users do not have group membership in "confluence-users" or "confluence-administrators". Users will be able to authenticate and log in to Confluence successfully; however, the "Not Permitted" message will be displayed and they will not be able to access any content.

Workaround

Wait for the LDAP sync to start again and complete successfully without losing communication with the LDAP server.

Alternate cause workaround: Add memberships in LDAP so that the users/groups belong to confluence-users, or 'nest' the groups that are supposed to have access to Confluence within the confluence-users group.

Resolution

  1. Log in to Confluence as a local admin user from the Confluence Internal Directory. If you do not know this user or cannot log in with a known local admin, follow these instructions:
    1. Recover Admin Password

  2. Navigate to Confluence Admin > User Directories
  3. Locate the LDAP directory and click Synchronize

    (info) This resolution only works for Confluence 3.5 and newer, as user management was changed to embedded Crowd with control via the Confluence Admin UI in 3.5.

Last modified on Mar 30, 2016
