Existing Confluence users get "Not Permitted" message after logging in
Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.
- Users who exist in Confluence and have been able to log in and view content suddenly get a Not Permitted message after logging in.
- Once the interval between LDAP syncs has passed and a sync completes successfully, users are able to access content again, seemingly without any action from the administrator.
The following appears in the
2012-06-07 08:06:45,735 http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric] org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389; nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is java.net.ConnectException: Connection refused]
com.atlassian.crowd.exception.OperationFailedException: org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: xxxx.xxx.xxx:389; nested exception is javax.naming.CommunicationException: xxxx.xxx.xxx:389 [Root exception is java.net.ConnectException: Connection refused]
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure
The last packet successfully received from the server was 5,955 milliseconds ago. The last packet sent successfully to the server was 1 milliseconds ago.
	at sun.reflect.GeneratedConstructorAccessor295.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at com.mysql.jdbc.Util.handleNewInstance(Util.java:406)
	at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:1119)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3057)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2943)
	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3486)
	at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1959)
	at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2113)
	at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2687)
	at com.mysql.jdbc.ConnectionImpl.setTransactionIsolation(ConnectionImpl.java:5416)
	at com.mchange.v2.c3p0.impl.NewProxyConnection.setTransactionIsolation(NewProxyConnection.java:701)
	at net.sf.hibernate.connection.C3P0ConnectionProvider.getConnection(C3P0ConnectionProvider.java:34)
	at net.sf.hibernate.impl.BatcherImpl.openConnection(BatcherImpl.java:292)
	... 14 more
Caused by: java.io.EOFException: Can not read response from server. Expected to read 4 bytes, read 0 bytes before connection was unexpectedly lost.
	at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2502)
	at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:2954)
	... 23 more
Confluence is using a synchronizing LDAP directory for user management. Check communication with the LDAP server.
Confluence was in the middle of a sync with the LDAP server and lost the connection between identifying the group memberships and identifying which users those memberships belong to. The group memberships were identified and then the connection was lost. Once a sync was completed successfully, memberships were restored and users were able to log in and see content.
Alternate cause: There is an alternate cause relating to the LDAP users not having group membership in "confluence-users" or "confluence-administrators". Users will be able to successfully authenticate and log in to Confluence; however, the "Not Permitted" message will be displayed and they will not be able to access any content.
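To tie a "Not Permitted" report to this cause, the application log can be filtered for LDAP communication failures reported by the crowd logger. The following Python code is an added example, not Atlassian code; it assumes the entry format shown above, and the host `ldap.example.test` and the sample lines are constructed.

```python
import re
from collections import Counter

# Entry header as in the log excerpt above:
# "<date> <time>,<ms> <thread> <LEVEL> [<logger>] <message>"
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \S+ "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# LDAP endpoint and root cause inside the nested exception text.
LDAP_FAIL = re.compile(
    r"org\.springframework\.ldap\.CommunicationException: (?P<host>\S+?:\d+);"
    r".*?\[Root exception is (?P<root>[^\]]+)\]"
)

def find_ldap_failures(lines):
    """Return (timestamp, ldap_endpoint, root_cause) for every ERROR entry
    from a crowd logger that reports an LDAP communication failure."""
    hits = []
    for line in lines:
        entry = ENTRY.match(line)
        # Continuation lines repeat the exception text but carry no header,
        # so skipping them avoids counting one failure twice.
        if not entry or entry["level"] != "ERROR" or "crowd" not in entry["logger"]:
            continue
        fail = LDAP_FAIL.search(entry["msg"])
        if fail:
            hits.append((entry["ts"], fail["host"], fail["root"]))
    return hits

def summarize(hits):
    """Count failures per (endpoint, root cause) to show which server drops."""
    return Counter((host, root) for _, host, root in hits)

# Constructed sample lines modelled on the excerpt; hostname is a placeholder.
_MSG = ("org.springframework.transaction.CannotCreateTransactionException: Could not "
        "create DirContext instance for transaction; nested exception is "
        "org.springframework.ldap.CommunicationException: {h}; nested exception is "
        "javax.naming.CommunicationException: {h} [Root exception is {r}]")
_HDR = " http-8095-10 ERROR [crowd.manager.application.ApplicationServiceGeneric] "
_H = "ldap.example.test:389"
SAMPLE = [
    "2012-06-07 08:06:45,735" + _HDR + _MSG.format(h=_H, r="java.net.ConnectException: Connection refused"),
    "com.atlassian.crowd.exception.OperationFailedException: " + _MSG.format(h=_H, r="java.net.ConnectException: Connection refused"),
    "2012-06-07 08:07:02,101 http-8095-3 INFO [example.other.Logger] unrelated entry",
    "2012-06-07 09:06:45,912" + _HDR + _MSG.format(h=_H, r="java.net.ConnectException: Connection timed out"),
]

if __name__ == "__main__":
    for ts, host, root in find_ldap_failures(SAMPLE):
        print(ts, host, root)
```

Comparing the returned timestamps with the times users reported the message shows whether the lockout window lines up with a failed sync.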
Wait for LDAP sync to start again and complete successfully without losing communication with the LDAP server.
Alternate cause workaround: Add memberships in LDAP so that the users/groups belong to confluence-users, or 'nest' the groups that are supposed to have access to Confluence within the confluence-users group.
- Log in to Confluence as a local admin user from the Confluence Internal Directory. If you do not know this user or cannot log in with a known local admin, follow these instructions
- Navigate to Confluence Admin > User Directories
- Locate the LDAP directory and click Synchronize
This resolution only works for Confluence 3.5 and newer, as user management was changed to embedded Crowd with control via the Confluence Admin UI in 3.5.