制限付きグループのメンバーであるため、LDAP ユーザーが Confluence にログインできない
症状
LDAP Users were not able to login.
atlassian-confluence.log
に次のメッセージが表示される。
java.lang.NullPointerException: at index 23
at com.google.common.collect.ImmutableList.checkElementNotNull(ImmutableList.java:318)
at com.google.common.collect.ImmutableList.construct(ImmutableList.java:309)
at com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:302)
at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:260)
at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:230)
at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:368)
at com.atlassian.crowd.directory.RFC4519Directory.searchGroupRelationshipsWithGroupTypeSpecified(RFC4519Directory.java:447)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupRelationships(SpringLDAPConnector.java:1499)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:347)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:283)
com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:189)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:161)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:292)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:142)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68)
原因
This is a bug in Crowd (CWD-4206 - LDAP user unable to Login to application due to membership in restricted group). One of the groups that the user is a member of is unable to be read by the LDAP account used by Confluence.
診断
- You can find the culprit group/user by running Get-ADGroup and Get-ADGroupMember with the recursive flag enabled to get an error with the group/user.
ソリューション
オプション 1:
- Allow the LDAP account used by Confluence read access to the problematic group, or
- Remove the user from this group
オプション 2:
- Uncheck both "When finding the user's group membership", and "When finding the members of a group" options under Membership Schema Settings in the directory configuration. This will effectively prevent the use of memberOf attribute to look for the user's group memberships (using member attribute from the group's side instead)
最終更新日: 2025 年 1 月 31 日
Powered by Confluence and Scroll Viewport.