Troubleshooting the "Not Permitted" Screen under LDAP Integration

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Symptoms

You have set up Confluence with an LDAP User Directory. Upon logging in with an LDAP/AD account, "Not Permitted" is displayed.

The following appears in the atlassian-confluence.log:

2015-01-02 09:37:11,864 WARN [http-bio-8090-exec-9] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'user.name' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
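To list every account hitting this warning instead of checking users one at a time, the following added example (not Atlassian's code) parses the log line quoted above and counts denials per username. The function name denied_logins and the sample lines are constructed for illustration, and the pattern assumes your log format matches the line shown here.

```python
import re

# Pattern follows the Seraph warning quoted in the Symptoms section.
# The username is whatever was typed into the login form, so treat it as
# untrusted data: never paste it into SQL or a shell command unescaped.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) WARN \[[^\]]+\] "
    r"\[atlassian\.seraph\.auth\.DefaultAuthenticator\] login login : "
    r"'(?P<user>.+)' tried to login but they do not have USE permission "
    r"or weren't found\."
)

def denied_logins(lines):
    """Return {username: {"count", "first", "last"}} for the warning above."""
    seen = {}
    for line in lines:
        m = DENIED.match(line.strip())
        if not m:
            continue  # unrelated log entry
        entry = seen.setdefault(
            m["user"], {"count": 0, "first": m["ts"], "last": m["ts"]}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
    return seen

# Constructed sample: the first line is the one from this article, the rest
# are made up to show repeats, a second user and an unrelated entry.
SAMPLE_LOG = """\
2015-01-02 09:37:11,864 WARN [http-bio-8090-exec-9] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'user.name' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2015-01-02 09:38:40,120 INFO [http-bio-8090-exec-3] [constructed.example.Logger] unrelated message
2015-01-02 09:41:02,005 WARN [http-bio-8090-exec-2] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'other.user' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2015-01-02 10:15:47,331 WARN [http-bio-8090-exec-5] [atlassian.seraph.auth.DefaultAuthenticator] login login : 'user.name' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
""".splitlines()

if __name__ == "__main__":
    for user, info in denied_logins(SAMPLE_LOG).items():
        print(f"{user}: {info['count']} denial(s), "
              f"{info['first']} .. {info['last']}")
```

Each username it reports can then be checked with the query in the Diagnosis section; a name that returns no rows there was not found in any directory.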

Diagnosis

Run the query below on your Confluence database:

SELECT o.list_index, d.active, d.id AS DirectoryID, d.directory_name, d.directory_type,
       u.id AS UserID, u.user_name, g.id AS GroupID, g.group_name
FROM cwd_user u
LEFT JOIN cwd_directory d ON u.directory_id = d.id
LEFT JOIN cwd_membership m ON u.id = m.child_user_id
LEFT JOIN cwd_group g ON g.id = m.parent_id
LEFT JOIN cwd_app_dir_mapping o ON d.id = o.directory_id
WHERE u.user_name = '<affected user>'
ORDER BY 2 DESC, 1 ASC;

Check whether the user is assigned to any group that has the Can Use permission in Global Permissions.

Cause

The user is not assigned to any default group (confluence-users or confluence-administrators) or any other group that has the Can Use permission.

Solution

Resolution

When configuring the directory, you can choose to make it read only, read only with local groups, or read/write. If you choose read/write, any changes made to user and group information in the application will also update the LDAP directory.

  • If your directory is configured as read only, you will need to add the confluence-users group to your LDAP manually.

  • If it is configured as read only with local groups, or read/write, you can manually assign the group to the user in Confluence user management.

    (Log in as a Confluence administrator and go to Confluence Admin > Groups.)

Users from LDAP are added to groups maintained in Confluence's internal directory the first time they log in. This is only done once per user. To enable this, set the Default Group Memberships to confluence-users, so that whenever a new user logs in, they are automatically added to the confluence-users group. There is a known issue with Read Only, with Local Groups in Confluence that may apply to you.

Updated on May 22, 2025
