"Unexpected DN in group" on synchronizing with MS Active Directory
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
When synchronising a Confluence user directory with LDAP, you might encounter an error like this:
2020-11-19 12:12:16,852 DEBUG [Caesium-1-2] [atlassian.crowd.directory.RFC4519DirectoryMembershipsIterable] apply Unexpected DN in group 'confluence-users': cn=user1,ou=my-ou,dc=domain,dc=local
The error above is shown for groups that were previously synced into Confluence.
Diagnosis
Environment
Confluence Server/Data Center
MS Active Directory user directory.
Diagnostic Steps
Verify if the OU name has changed before the latest synchronization.
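To support the diagnostic step above, the following Python script (an added example, not Atlassian code) extracts the Unexpected DN in group messages from log lines and counts, per group, the parent containers of the logged DNs, so they can be compared with the current OU names in AD. The function names and every sample line except the first are constructed for illustration, and lower-casing the container assumes case-insensitive DN comparison.

```python
import re
from collections import Counter, defaultdict

# Message format taken from the log line shown in this article.
MESSAGE = re.compile(r"Unexpected DN in group '(?P<group>[^']*)': (?P<dn>.+?)\s*$")

def split_rdns(dn):
    """Split a DN on unescaped commas (a backslash escapes the next character)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts

def containers_by_group(lines):
    """Return {group: Counter({parent container DN: number of messages})}."""
    summary = defaultdict(Counter)
    for line in lines:
        match = MESSAGE.search(line)
        if match:
            # Drop the first RDN (the entry itself); lower-casing is an assumption.
            parent = ",".join(split_rdns(match["dn"])[1:]).lower()
            summary[match["group"]][parent] += 1
    return summary

# Constructed sample input: the first line is from this article, the rest are made up.
SAMPLE_LOG = r"""
2020-11-19 12:12:16,852 DEBUG [Caesium-1-2] [atlassian.crowd.directory.RFC4519DirectoryMembershipsIterable] apply Unexpected DN in group 'confluence-users': cn=user1,ou=my-ou,dc=domain,dc=local
2020-11-19 12:12:16,853 DEBUG [Caesium-1-2] [atlassian.crowd.directory.RFC4519DirectoryMembershipsIterable] apply Unexpected DN in group 'confluence-users': cn=Doe\, Jane,OU=my-ou,dc=domain,dc=local
2020-11-19 12:12:16,854 DEBUG [Caesium-1-2] [atlassian.crowd.directory.RFC4519DirectoryMembershipsIterable] apply Unexpected DN in group 'confluence-admins': cn=user2,ou=other-ou,dc=domain,dc=local
2020-11-19 12:12:17,001 INFO [Caesium-1-2] [some.other.Logger] unrelated message
""".strip().splitlines()

if __name__ == "__main__":
    for group, containers in containers_by_group(SAMPLE_LOG).items():
        for container, count in containers.most_common():
            print(f"{group}: {count} unexpected DN(s) under {container}")
```

To run it against a real log, pass an open file object for the Confluence application log to containers_by_group instead of SAMPLE_LOG.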
Cause
During synchronization, Confluence compares the users it has already synchronized against the set of users it has just retrieved from AD. When a user no longer appears, in the output from LDAP, in the group it was originally a member of, Confluence logs the Unexpected DN in group message.
Because of that, changing an OU name might produce the error above.
Solution
Workaround
Changing the OU name back to the original name can solve this in some instances.