LDAP synchronization fails due to invalid search filter containing negation element.

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

The LDAP synchronization fails with the following message in the atlassian-confluence.log:

Test retrieve user : Failed
org.springframework.ldap.InvalidSearchFilterException: Filter (!) cannot be followed by more than one filters; nested exception is javax.naming.directory.InvalidSearchFilterException: Filter (!) cannot be followed by more than one filters; remaining name 'DC=production,DC=tvn,DC=com'

Cause

Due to restrictions of the LDAP protocol, the 'not' (negation) operator ('!') must be followed by one and only one filter element. Example of an invalid filter, in which the first '!' is followed by two filter elements:

(&(objectCategory=Group)(!(CN=confluence*)(!(CN=jira*))))

ℹ️ See more details about LDAP filters in this documentation.


Resolution

You can fix the issue with either of the following approaches.

  • Remove one of the negation operators. Example:

    (&(objectCategory=Group)(!(CN=confluence*)))

  • Or wrap all elements within the OR operator (pipe symbol '|'). Example:

    (&(objectCategory=Group)(!(|(CN=confluence*)(CN=jira*))))
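
A pre-flight check for the rule described above, as an added example that is not Atlassian's code: a small Python parser that walks a filter string and reports every '!' that is not followed by exactly one filter. The function name `check_negation` is an assumption of this example; the three sample filters are the ones from this article.

```python
# Added example: minimal walker for LDAP search filter strings (RFC 4515 syntax).
def check_negation(flt):
    """Return [(offset_of_bang, child_count), ...] for every '!' that does
    not wrap exactly one filter. An empty list means negation use is valid."""
    problems = []

    def parse(i):
        # Parse one "(...)" filter starting at index i; return index after ')'.
        if i >= len(flt) or flt[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(flt) and flt[i] in "&|!":
            op, op_pos = flt[i], i
            i += 1
            children = 0
            while i < len(flt) and flt[i] == "(":
                i = parse(i)          # recurse into each nested filter
                children += 1
            if op == "!" and children != 1:
                problems.append((op_pos, children))
        else:
            # Simple item such as CN=confluence*: consume up to the closing ')'.
            # Literal parentheses in values are escaped as \28 and \29.
            while i < len(flt) and flt[i] not in "()":
                i += 1
        if i >= len(flt) or flt[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1

    end = parse(0)
    if end != len(flt):
        raise ValueError(f"trailing characters at offset {end}")
    return problems


# Filters taken from the article above.
INVALID = "(&(objectCategory=Group)(!(CN=confluence*)(!(CN=jira*))))"
FIXED_SINGLE = "(&(objectCategory=Group)(!(CN=confluence*)))"
FIXED_OR = "(&(objectCategory=Group)(!(|(CN=confluence*)(CN=jira*))))"

if __name__ == "__main__":
    for f in (INVALID, FIXED_SINGLE, FIXED_OR):
        print(f, "->", check_negation(f) or "OK")
```

The two corrected filters are not equivalent: the first excludes only groups matching CN=confluence*, while the second excludes groups matching either prefix, so confirm which set of groups should be synchronized before choosing.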
Updated on April 8, 2025
