Troubleshooting the "Not Permitted" Screen under LDAP Integration
Symptoms
You have set up Confluence with an LDAP User Directory. Upon logging in with an LDAP/AD account, "Not Permitted" is displayed.
The following message appears in atlassian-confluence.log:
2015-01-02 09:37:11,864 WARN [http-bio-8090-exec-9] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'user.name' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
Diagnosis
Run the query below on your Confluence database:
SELECT
    o.list_index,
    d.active,
    d.id AS DirectoryID,
    d.directory_name,
    d.directory_type,
    u.id AS UserID,
    u.user_name,
    g.id AS GroupID,
    g.group_name
FROM cwd_user u
LEFT JOIN cwd_directory d ON u.directory_id = d.id
LEFT JOIN cwd_membership m ON u.id = m.child_user_id
LEFT JOIN cwd_group g ON g.id = m.parent_id
LEFT JOIN cwd_app_dir_mapping o ON d.id = o.directory_id
WHERE u.user_name = '<affected user>'
ORDER BY 2 DESC, 1 ASC;
Check whether the user is assigned to any group that has the Can Use permission under Global Permissions.
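The check described above, as an added example (not Atlassian's code): it runs the diagnostic query against a constructed in-memory SQLite stand-in for the cwd_* tables and separates the cases behind the log message. The table contents, the `diagnose` helper and the set of groups holding Can Use are assumptions; read the real set from Global Permissions.

```python
import sqlite3

# Constructed stand-in for the tables the diagnostic query touches (not the real schema).
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER, directory_name TEXT, directory_type TEXT, active TEXT);
CREATE TABLE cwd_app_dir_mapping (directory_id INTEGER, list_index INTEGER);
CREATE TABLE cwd_user (id INTEGER, user_name TEXT, directory_id INTEGER);
CREATE TABLE cwd_group (id INTEGER, group_name TEXT);
CREATE TABLE cwd_membership (parent_id INTEGER, child_user_id INTEGER);
INSERT INTO cwd_directory VALUES (1,'Internal','INTERNAL','T'),(2,'Corp LDAP','CONNECTOR','T');
INSERT INTO cwd_app_dir_mapping VALUES (1,0),(2,1);
INSERT INTO cwd_user VALUES (10,'alice',2),(11,'bob',2),(12,'carol',2);
INSERT INTO cwd_group VALUES (100,'confluence-users'),(101,'ldap-staff');
INSERT INTO cwd_membership VALUES (100,10),(101,11);
"""

# Same joins as the page's query, with the user name bound as a parameter.
QUERY = """
SELECT o.list_index, d.active, d.directory_name, u.user_name, g.group_name
FROM cwd_user u
LEFT JOIN cwd_directory d ON u.directory_id = d.id
LEFT JOIN cwd_membership m ON u.id = m.child_user_id
LEFT JOIN cwd_group g ON g.id = m.parent_id
LEFT JOIN cwd_app_dir_mapping o ON d.id = o.directory_id
WHERE u.user_name = ?
ORDER BY 2 DESC, 1 ASC
"""

def diagnose(conn, user_name, can_use_groups):
    rows = conn.execute(QUERY, (user_name,)).fetchall()
    if not rows:
        return "user not found in any directory"
    groups = {r[4] for r in rows if r[4] is not None}  # NULL group_name = no membership
    if not groups:
        return "user found but has no group memberships"
    granted = sorted(groups & set(can_use_groups))
    if not granted:
        return "member of %s, none with Can Use" % ", ".join(sorted(groups))
    return "ok via " + ", ".join(granted)

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

if __name__ == "__main__":
    conn = demo_db()
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "->", diagnose(conn, name, {"confluence-users", "confluence-administrators"}))
```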
Cause
The user is not assigned to any default group (confluence-users or confluence-administrators) or any other group that has the Can Use permission.
Solution
When configuring the directory, you can choose to make it read only, read only with local groups, or read/write. If you choose read/write, any changes made to user and group information in the application will also update the LDAP directory.
- If your directory is configured as read only, you will need to add the confluence-users group to your LDAP directory manually.
- If it is read only with local groups, or read/write, you can manually assign the group to the user in Confluence user management (log in as a Confluence administrator and go to Confluence Admin > Groups).
Users from LDAP are added to groups maintained in Confluence's internal directory the first time they log in. This is only done once per user. There is a known issue with Read Only, with Local Groups in Confluence that may apply to you. To do that, set the Default Group Memberships to confluence-users, so that whenever a new user logs in, he/she will be automatically added to the confluence-users group.