LDAP User Unable to Login to Confluence due to Membership in Restricted Group

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Symptoms

LDAP users are unable to log in to Confluence.

The following appears in the atlassian-confluence.log:

java.lang.NullPointerException: at index 23
    at com.google.common.collect.ImmutableList.checkElementNotNull(ImmutableList.java:318)
    at com.google.common.collect.ImmutableList.construct(ImmutableList.java:309)
    at com.google.common.collect.ImmutableList.copyFromCollection(ImmutableList.java:302)
    at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:260)
    at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:230)
    at com.atlassian.crowd.directory.MicrosoftActiveDirectory.findGroupMembershipNames(MicrosoftActiveDirectory.java:368)
    at com.atlassian.crowd.directory.RFC4519Directory.searchGroupRelationshipsWithGroupTypeSpecified(RFC4519Directory.java:447)
    at com.atlassian.crowd.directory.SpringLDAPConnector.searchGroupRelationships(SpringLDAPConnector.java:1499)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.updateGroupsMembershipOnLogin(DbCachingRemoteDirectory.java:347)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:283)
    com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:189)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:161)
    at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:292)
    at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:142)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68)

Cause

This is a bug in Crowd (CWD-4206 - LDAP user unable to Login to application due to membership in restricted group). One of the groups the user is a member of cannot be read by the LDAP bind account that Confluence uses. When Crowd resolves the user's memberOf entries into group names, the unreadable group yields a null entry, and copying that list into an ImmutableList fails with the NullPointerException shown above (the index in the message is the position of the unreadable group in the user's membership list).

Diagnosis

  • You can find the culprit group and user by running Get-ADGroup and Get-ADGroupMember with the -Recursive flag under the same LDAP bind account that Confluence uses; the command errors on the group or user that the account is not permitted to read.
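The following PowerShell script is an added example, not part of the Atlassian KB, that automates the check described above. It reproduces what Crowd does at login (read the user's memberOf attribute, then resolve each group DN) and reports every group the bind account cannot read, followed by the group-side recursive enumeration the KB mentions. $SamAccountName, $GroupName and $Credential are placeholders; run it with the credentials of the LDAP account configured in the Confluence directory so that the permissions being tested are the ones Crowd actually has.

```powershell
# Added example (not from the Atlassian KB). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'                 # placeholder: the user who cannot log in
$GroupName      = 'Confluence-Users'     # placeholder: a suspect group to enumerate
$Credential     = Get-Credential -Message 'LDAP bind account used by Confluence'

# Step 1: user-side lookup, the same path Crowd takes with the memberOf setting on.
# Each DN in memberOf is resolved to a group object; a DN the bind account cannot
# read comes back empty or throws, which is the null entry behind the NPE.
$user = Get-ADUser -Identity $SamAccountName -Properties memberOf -Credential $Credential
$unreadable = @()
foreach ($groupDn in $user.memberOf) {
    try {
        $group = Get-ADGroup -Identity $groupDn -Credential $Credential -ErrorAction Stop
        if ($null -eq $group) { throw "lookup returned no object" }
        Write-Output ("readable   {0}" -f $group.Name)
    } catch {
        $unreadable += $groupDn
        Write-Warning ("UNREADABLE {0} : {1}" -f $groupDn, $_.Exception.Message)
    }
}

# Summary: these are the groups to either grant the bind account read access on
# (Resolution, Option 1) or remove the user from.
if ($unreadable.Count -gt 0) {
    Write-Output ("{0} group(s) not readable by the bind account:" -f $unreadable.Count)
    $unreadable | ForEach-Object { Write-Output ("  {0}" -f $_) }
} else {
    Write-Output "All memberOf groups are readable by the bind account."
}

# Step 2: group-side recursive enumeration, as in the Diagnosis section. The call
# stops with an error at the first nested group or member the account cannot read.
Get-ADGroupMember -Identity $GroupName -Recursive -Credential $Credential -ErrorAction Stop |
    Select-Object objectClass, SamAccountName, distinguishedName
```

The user-side loop mirrors the code path in the stack trace (findGroupMembershipNames reading memberOf), so a group reported as UNREADABLE here is the one that makes Crowd's group-name list contain a null. Running the script under an administrative account instead of the bind account will usually show every group as readable and tell you nothing.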

Resolution

Option 1:

  • Allow the LDAP account used by Confluence read access to the problematic group, or

  • Remove the user from this group

Option 2:

  • Uncheck both the "When finding the user's group membership" and "When finding the members of a group" options under Membership Schema Settings in the directory configuration. Crowd then stops using the user's memberOf attribute to determine group memberships and instead evaluates membership from the group side, via each group's member attribute, so an unreadable group no longer appears in the user's membership list.

Updated on April 8, 2025
