Existing Confluence users get "Not Permitted" message after logging in

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

  1. Users who exist in Confluence and have previously been able to log in and view content suddenly get a "Not Permitted" message after logging in.
  2. Once the interval between LDAP syncs has passed and a sync completes successfully, users are able to access content again, seemingly without any action from the administrator.

The following error appears in atlassian-confluence.log:

2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric] 
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance 
for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389; 
nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is 
java.net.ConnectException: Connection refused] com.atlassian.crowd.exception.OperationFailedException: 
  org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance 
for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389; 
nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is 
java.net.ConnectException: Connection refused]

Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 5,955 milliseconds ago.  The last packet sent 
successfully to the server was 1 milliseconds ago.
	at sun.reflect.GeneratedConstructorAccessor295.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at com.mysql.jdbc.Util.handleNewInstance(Util.java:406)
	at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1119)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3057)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2943)
	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3486)
	at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1959)
	at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2113)
	at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2687)
	at com.mysql.jdbc.ConnectionImpl.setTransactionIsolation(ConnectionImpl.java:5416)
	at com.mchange.v2.c3p0.impl.NewProxyConnection.setTransactionIsolation(NewProxyConnection.java:701)
	at net.sf.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:34)
	at net.sf.hibernate.impl.BatcherImpl.openConnection(BatcherImpl.java:292)
	... 14 more
Caused by: java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes 
before connection was unexpectedly lost.
	at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2502)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2954)
	... 23 more

Diagnosis

Confluence uses a synchronizing LDAP directory for user management. Check communication with the LDAP server.
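To find when the LDAP connection dropped, the log can be scanned for the error signature shown above. The following Python script is an added example, not part of the original article or of Atlassian tooling; the sample log lines and the host ldap.example.test are constructed, and wrapped continuation lines are joined to their record before matching.

```python
import re

# A record starts with "date time,millis thread LEVEL [logger]".
RECORD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \S+ (\w+) \[")
# Endpoint named by the Spring LDAP exception, e.g. "host:389".
ENDPOINT = re.compile(r"org\.springframework\.ldap\.CommunicationException:\s+(\S+:\d+)")
# Innermost cause; it may be wrapped onto the next physical line.
ROOT = re.compile(r"\[Root exception is\s+([\w.]+):\s+([^\]]+)\]")

# Constructed sample modelled on the error above (host and INFO line are made up).
SAMPLE = """\
2012-06-07 08:01:12,101 http-8095-3 INFO [confluence.util.Example] unrelated message
2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric]
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance
for transaction; nested exception is org.springframework.ldap.CommunicationException: ldap.example.test:389;
nested exception is javax.naming.CommunicationException: ldap.example.test:389 [Root exception is
java.net.ConnectException: Connection refused]
""".splitlines()

def ldap_failures(lines):
    """Return time, endpoint and root cause for each ERROR record reporting an LDAP outage."""
    records = []
    for line in lines:
        m = RECORD.match(line)
        if m:
            records.append({"time": m.group(1), "level": m.group(2), "text": ""})
        if records:  # continuation lines belong to the most recent record
            records[-1]["text"] += " " + line.strip()
    found = []
    for rec in records:
        ep = ENDPOINT.search(rec["text"])
        if rec["level"] != "ERROR" or not ep:
            continue
        root = ROOT.search(rec["text"])
        found.append({
            "time": rec["time"],
            "endpoint": ep.group(1),
            "cause": f"{root.group(1)}: {root.group(2).strip()}" if root else "unknown",
        })
    return found

if __name__ == "__main__":
    for f in ldap_failures(SAMPLE):
        print(f"{f['time']}  LDAP {f['endpoint']} unreachable ({f['cause']})")
```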

Cause

Confluence was in the middle of a sync with the LDAP server and lost the connection between identifying the group memberships and identifying which users those memberships belong to. The group memberships were identified and then the connection was lost. Once a sync was completed successfully, memberships were restored and users were able to log in and see content.

Alternate cause: There is an alternate cause relating to the LDAP users not having group membership to "confluence-users" or "confluence-administrators". Users will be able to successfully authenticate and log in to Confluence; however, the "Not Permitted" message will be displayed and they will not be able to access any content.

Workaround

Wait for the LDAP sync to start again and complete successfully without losing communication with the LDAP server.

Alternate cause workaround: Add memberships in LDAP so that the users/groups belong to confluence-users, or 'nest' the groups that are supposed to have access to Confluence within the confluence-users group.

Resolution

  1. Log in to Confluence as a local admin user from the Confluence Internal Directory. If you do not know this user or cannot log in with a known local admin, follow these instructions:
    1. Recover Admin Password

  2. Navigate to Confluence Admin > User Directories
  3. Locate the LDAP directory and click Synchronize

    (info) This resolution only works for Confluence 3.5 and newer as user management was changed to embedded crowd with control via the Confluence Admin UI in 3.5.

Last modified on Mar 30, 2016
