Account Issues When Migrating from Internal Authentication to Internal with LDAP Authentication
If you do not check "Copy Users on Login" when migrating from Internal Authentication to Internal with LDAP Authentication (following the document Connecting to an Internal Directory with LDAP Authentication), Confluence will ignore the LDAP authentication for users with the same name in both directories.
Users that exist in the internal directory (as well as LDAP) authenticate internally and not with LDAP.
The following workaround was submitted by Jo-Anne MacLeod at https://answers.atlassian.com/questions/78076/migrate-from-internal-authentication-to-internal-with-ldap-authentication:
The suggestion from Atlassian was to retrieve a list of users and then use the CLI plugin (which has become my best friend through this) to create the new users, and after that to rerun the group membership file created above.
This is the command used to create the user list:
and the import command:
This did not work, as it detected that the users already existed in the database.
Bottom line: I got to the point where I was stuck. The only suggestion left was to manually create the 400 users. Not something that I was willing to do.
What I ended up doing was something that I really don't like to do. I manipulated the database directory. *WARNING* - Take a backup, run in Test before doing in Production.
We found the ID for our LDAP configuration, and for the Internal configuration. Made a note of the ID. In the tables CWD_User, CWD_User_attribute, and CWD_group, we updated the id from the existing internal id to the new ldap id. Restarted the system. Testing confirmed that this worked. Or so we thought.
We found, though, that none of the 'service accounts', that is, accounts that existed in Confluence but didn't exist in the LDAP, would work. We tried moving them back to the old ID (basically undid the database change), and still it didn't help.
Through trial and error we found that the root cause was that new users were always being created as an "LDAP Authentication" account; we were never allowed to enter a user as an "Internal Authentication" account. So I went back to the Users directory and moved internal authentication above the LDAP authentication. Then I could create a new user, and it creates with type Internal Authentication. I then go back to the User Directories and move LDAP above Internal, and I can get it to work. This step will need to be repeated whenever a new service (internal only) account is created. Seeing as this is not done a lot, it is a small price to pay to get Confluence to work with Local Users and LDAP authentication.
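The following read-only audit is an added example, not part of the original post or of Atlassian's documentation. It shows which directory holds each account, so that duplicated names, accounts still authenticating internally, and service accounts sitting in the LDAP directory can be found. The table and column names are assumed from Confluence's embedded Crowd schema; `audit`, `demo_db`, the directory IDs and the user names are hypothetical, and the data is constructed.

```python
import sqlite3

# Read-only query. Table/column names follow Confluence's embedded Crowd schema
# (cwd_user.directory_id -> cwd_directory.id); verify them on your own instance.
AUDIT_SQL = """
SELECT u.lower_user_name, u.directory_id
FROM cwd_user u JOIN cwd_directory d ON d.id = u.directory_id
ORDER BY u.lower_user_name
"""

def audit(conn, internal_id, ldap_id, service_accounts):
    """Group accounts by which directory row(s) hold them."""
    seen = {}
    for name, dir_id in conn.execute(AUDIT_SQL):
        seen.setdefault(name, set()).add(dir_id)
    report = {"duplicated": [], "still_internal": [], "service_ok": [],
              "service_misplaced": [], "ldap": []}
    for name, dirs in sorted(seen.items()):
        is_service = name in service_accounts
        if internal_id in dirs and ldap_id in dirs:
            key = "duplicated"          # same name in both directories
        elif internal_id in dirs:
            key = "service_ok" if is_service else "still_internal"
        elif ldap_id in dirs:
            key = "service_misplaced" if is_service else "ldap"
        else:
            continue                    # some other directory; out of scope
        report[key].append(name)
    return report

def demo_db():
    """Constructed sample data; the directory IDs and user names are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cwd_directory (id INTEGER PRIMARY KEY, directory_name TEXT);
        CREATE TABLE cwd_user (lower_user_name TEXT, directory_id INTEGER);
        INSERT INTO cwd_directory VALUES (1001, 'Internal'), (1002, 'LDAP auth');
        INSERT INTO cwd_user VALUES
            ('jsmith', 1001), ('jsmith', 1002), ('adoe', 1002),
            ('bkhan', 1001), ('svc-backup', 1001), ('svc-mail', 1002);
    """)
    return conn

if __name__ == "__main__":
    for key, names in audit(demo_db(), 1001, 1002, {"svc-backup", "svc-mail"}).items():
        print(f"{key}: {names}")
```

Against a real instance, pass a connection from the DB-API driver for your database in place of `demo_db()`. Run it before and after any directory change to confirm that only the intended service accounts remain in the internal directory.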