LDAP User Unable to Login to Confluence due to Membership in Restricted Group

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

症状

LDAP Users were not able to login.

atlassian-confluence.log に次のメッセージが表示される。

java.lang.NullPointerException: at index 23
	at com.google.common.collect.ImmutableList.checkElementNotNull(ImmutableList.java:318)
	at com.google.common.collect.ImmutableList.construct(ImmutableList.java:309)
	at com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:302)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:260)
	at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:230)
	at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:368)
	at com.atlassian.crowd.directory.RFC4519Directory.searchGroupRelationshipsWithGroupTypeSpecified(RFC4519Directory.java:447)
	at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupRelationships(SpringLDAPConnector.java:1499)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:347)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:283)
com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:189)
	at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:161)
	at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:292)
	at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:142)
	at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68)

原因

This is a bug in Crowd ( CWD-4206 - Getting issue details... STATUS ). One of the groups that the user is a member of is unable to be read by the LDAP account used by Confluence.

 

診断

  • You can find the culprit group/user by running Get-ADGroup and Get-ADGroupMember with the recursive flag enabled to get an error with the group/user.

ソリューション

オプション 1:

  • Allow the LDAP account used by Confluence read access to the problematic group, or
  • Remove the user from this group

オプション 2:

  • Uncheck both "When finding the user's group membership", and "When finding the members of a group" options under Membership Schema Settings in the directory configuration. This will effectively prevent the use of memberOf attribute to look for the user's group memberships (using member attribute from the group's side instead)

Last modified on Mar 30, 2016

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.