Existing Confluence users get "Not Permitted" message after logging in
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Excluding Fisheye and Crucible
Problem
- Confluence users that exist in Confluence and have previously been able to log in and view content suddenly get a "Not Permitted" message after logging in.
- Once the LDAP sync interval has elapsed and the next sync completes successfully, users can access content again, seemingly without any action by the administrator.
The following error appears in atlassian-confluence.log:
2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric]
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance
for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389;
nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is
java.net.ConnectException: Connection refused] com.atlassian.crowd.exception.OperationFailedException:
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance
for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389;
nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is
java.net.ConnectException: Connection refused]
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 5,955 milliseconds ago. The last packet sent
successfully to the server was 1 milliseconds ago.
at sun.reflect.GeneratedConstructorAccessor295.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:406)
at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1119)
at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3057)
at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2943)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3486)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1959)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2113)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2687)
at com.mysql.jdbc.ConnectionImpl.setTransactionIsolation(ConnectionImpl.java:5416)
at com.mchange.v2.c3p0.impl.NewProxyConnection.setTransactionIsolation(NewProxyConnection.java:701)
at net.sf.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:34)
at net.sf.hibernate.impl.BatcherImpl.openConnection(BatcherImpl.java:292)
... 14 more
Caused by: java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes
before connection was unexpectedly lost.
at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2502)
at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2954)
... 23 more
Diagnosis
This applies when Confluence uses a synchronizing LDAP directory for user management. Check communication between Confluence and the LDAP server.
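Checking communication to the LDAP server usually starts with finding the failing sync in the log. The following added example (not code from the Atlassian article) parses atlassian-confluence.log for the error shown above and reports the LDAP host and port that refused the connection; the log text, host name and timestamps in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Added example (not Atlassian's code): scan atlassian-confluence.log for the "Could not create
# DirContext instance" error shown above and report the unreachable LDAP endpoint. SAMPLE_LOG is constructed.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\S+) (\w+) \[([^\]]+)\](.*)")
LDAP_ENDPOINT_RE = re.compile(r"ldap\.CommunicationException: ([^;\s]+):(\d+)")
ROOT_RE = re.compile(r"\[Root exception is ([^\]]+)\]")

SAMPLE_LOG = """\
2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric]
org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance
for transaction; nested exception is org.springframework.ldap.CommunicationException: ldap.example.test:389;
nested exception is javax.naming.CommunicationException: ldap.example.test:389 [Root exception is
java.net.ConnectException: Connection refused]
2012-06-07 08:06:47,220 http-8095-12 ERROR [hibernate.util.JDBCExceptionReporter] Communications link failure
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
"""

@dataclass
class SyncFailure:
    timestamp: str
    host: str
    port: int
    root_cause: str

def split_entries(log_text: str) -> List[str]:
    """Group lines into entries: a timestamped line plus its wrapped or stack-trace lines."""
    entries: List[str] = []
    for line in log_text.splitlines():
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries

def find_ldap_sync_failures(log_text: str) -> List[SyncFailure]:
    """Return one record per ERROR entry in which Confluence could not reach its LDAP directory."""
    failures: List[SyncFailure] = []
    for entry in split_entries(log_text):
        flat = " ".join(entry.split())  # undo line wrapping so the regexes see one line
        head = ENTRY_RE.match(flat)
        if not head or head.group(3) != "ERROR" or "Could not create DirContext instance" not in flat:
            continue  # skips unrelated errors such as the MySQL link failure in the sample
        endpoint, root = LDAP_ENDPOINT_RE.search(flat), ROOT_RE.search(flat)
        if endpoint:
            failures.append(SyncFailure(head.group(1), endpoint.group(1), int(endpoint.group(2)),
                                        root.group(1) if root else "unknown"))
    return failures
```

Run it against a real log with `find_ldap_sync_failures(open("atlassian-confluence.log").read())`; a non-empty result gives the host:port to test network access against before the next scheduled sync.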
Cause
Confluence was in the middle of a sync with the LDAP server and lost the connection after it had identified the group memberships but before it had resolved which users those memberships belong to. Once a subsequent sync completed successfully, the memberships were restored and users were able to log in and see content.
Alternate cause: the LDAP users do not have membership in "confluence-users" or "confluence-administrators". Users can authenticate and log in to Confluence successfully, but the "Not Permitted" message is displayed and they cannot access any content.
Workaround
Wait for the LDAP sync to start again and complete successfully without losing communication with the LDAP server.
Workaround for the alternate cause: add memberships in LDAP so that the users/groups belong to confluence-users, or nest the groups that should have access to Confluence within the confluence-users group.
Solution
- Log in to Confluence as a local admin user from the Confluence Internal Directory. If you do not know this user or cannot log in with a known local admin, follow these instructions.
- Navigate to Confluence Admin > User Directories.
- Locate the LDAP directory and click Synchronize.
This resolution only works for Confluence 3.5 and newer, as user management moved to embedded Crowd, controlled via the Confluence Admin UI, in 3.5.