User cannot login to Confluence with LDAP synchronization enabled
A User reports that they can not login to Confluence. You can see the user in your User Search in Confluence, however, if you navigate to user profile page, you will receive an error:
The following error(s) occurred: No user with the specified email address exists
The following errors appears in the
atlassian-confluence.log from the user's attempted login(s):
2014-10-27 22:16:46,882 WARN [http-8090-91] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'firstname.lastname@example.org' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
You have configured LDAP with synchronization to establish users and groups in Confluence. You know that synchronization is working, you can validate that the user exists in both your Confluence's internal user tables and LDAP.
The first thing to do, is to verify that the user exists in the Confluence database:
SELECT * FROM cwd_user WHERE lower_user_name = '<name_of_user>';
This will reveal the details of the user as they exist within the Confluence database. If the user's Active field is marked as T for true, then the user is active and in the system., but there is a problem with the user's record.
You can then check the user_mapping table to see if the user exists within the table or has an issue there:
SELECT * FROM user_mapping WHERE lower_username != username;
This will highlight any users with mismatched entries in the user_mapping table, but may also show an edge case where a user rename may not have succeeded and the user cannot login.
SELECT * FROM user_mapping WHERE lower_username = '<name_of_user>';
If this returns no records, then the user cannot login and cannot be found in your Confluence.
The cause in this case is not clear, but the issue is that the user record in the user_mapping table has become corrupted or has been nulled. The user cannot be found in Confluence and therefore, cannot login.
- Login as the Administrator for Confluence by selecting the Cog icon and clicking the Confluence Admin link
- Stand up a second LDAP directory that mirrors the LDAP already in use and configured in your instance
- SEE: Connecting to an LDAP Directory for more information on LDAP configuration but this new directory must mirror the original directory
- Insure that the original LDAP already in use is disabled in Confluence
- Perform a full sync of the second (or mirrored, LDAP)
- Flush the cache in Confluence by selecting the Cog icon and clicking the Confluence Admin link
- Click on the Administration section Link for Cache Statistics
- Click the Flush All link at the bottom right of the Cache Statistics screen
- Click on the Users link under Users & Security
- Search for the user with the problem
- Verify that the user's profile can be viewed
- Remove the mirrored LDAP directory from your instance
- Re-enable the previous LDAP instance
- Your user should now be restored with all original groups from the directory and should be able to login
if you have a directory set to Read Only, with Local Groups, please be aware that local groups will need to be rebuilt in this case and users will need to be restored to each group.