Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-28621

User Loses all Local Group Memberships If LDAP Sync is Unable to find the User, but the User appears again in subsequent syncs

      Steps to Reproduce

      1. Add a connection to LDAP in Confluence Admin >> User Directories with the Read Only, with Local Groups option
      2. Sync the directory and make sure that LDAP users are returned
      3. Add 1 LDAP user to a local group (membership)
      4. Change the User Object Filter in the directory's configuration in Confluence Admin >> User Directories to a dummy filter, such as the following:
        (&(objectclass=inetorgperson)(cn=dummynonexistentuser))
        
      5. Sync the directory again (Notice that the LDAP users are missing)
      6. Revert the User Object Filter to the previous working filter
      7. Sync the directory again (notice that the LDAP users are back, but their local group memberships are gone)

      Workaround

      1. Restore the instance's database backup to a new database (i.e. not production) prior to the point where memberships were lost.
      2. Follow the instructions in step 1 of Migrating Local Group Memberships Between Directories to generate a CSV file of users and their memberships.
      3. Run through the rest of the instructions in that KB article to populate the production instance's group memberships.

            [CONFSERVER-28621] User Loses all Local Group Memberships If LDAP Sync is Unable to find the User, but the User appears again in subsequent syncs

            For anyone who is still experiencing this issue, we were able to resolve this by disabling the Incremental Sync option in the Active Directory sync settings. Doing this triggered a full sync instead of an incremental sync, and the group memberships for the users which were having the problem re-appeared. 

            We have a fairly small organization (~200 Users), so we made the decision to leave the incremental sync off as it took no more time to complete. In theory you should be able to re-enable it after the full sync, and it would be happy again.

            Brennan Norwood added a comment - For anyone who is still experiencing this issue, we were able to resolve this by disabling the Incremental Sync option in the Active Directory sync settings. Doing this triggered a full sync instead of an incremental sync, and the group memberships for the users which were having the problem re-appeared.  We have a fairly small organization (~200 Users), so we made the decision to leave the incremental sync off as it took no more time to complete. In theory you should be able to re-enable it after the full sync, and it would be happy again.

            Tim added a comment -

            Afaik this never was an issue with JIRA, at least not in version 6 or 7, because JIRA deactivates these users and keep their local group membership, instead of removing them, as Confluence did before this fix.

            Tim added a comment - Afaik this never was an issue with JIRA, at least not in version 6 or 7, because JIRA deactivates these users and keep their local group membership, instead of removing them, as Confluence did before this fix.

            I am facing same issue in JIRA. What was the fix?

            Shashank Agrawal added a comment - I am facing same issue in JIRA. What was the fix?

            A fix for this issue is now available for Confluence Server customers.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Ze'ev (Inactive) added a comment - A fix for this issue is now available for Confluence Server customers. Upgrade now or check out the Release Notes to see what other issues are resolved.

            Finally, thank you.

            Mustafa Abusalah added a comment - Finally, thank you.

            Whoa, it's finally getting fixed! 

            Hooray, Atlassian!

            Liviu Constantinescu added a comment - Whoa, it's finally getting fixed!  Hooray, Atlassian!

            I can not believe this is still not fixed and has only medium priority. It hit us again today, this totally sucks!  

            Atlassian, you`re really loosing here ... I could not care less  about colaborative editing if it means no one has time to fix bugs anymore!!!

            nexum Support added a comment - I can not believe this is still not fixed and has only medium priority. It hit us again today, this totally sucks!    Atlassian, you`re really loosing here ... I could not care less  about colaborative editing if it means no one has time to fix bugs anymore!!!

            This issue is remaining in Confluence 6.

            Mustafa Abusalah added a comment - This issue is remaining in Confluence 6.

            Still run into this bug regularly, and just having to live with it, or log people in under another account when this strikes them (albeit this isn't an option for a lot of use-cases).

            Nasty stuff. Hoping an upcoming move to Active Directory will make some kind of difference, though I don't see why it would.

            Liviu Constantinescu added a comment - Still run into this bug regularly, and just having to live with it, or log people in under another account when this strikes them (albeit this isn't an option for a lot of use-cases). Nasty stuff. Hoping an upcoming move to Active Directory will make some kind of difference, though I don't see why it would.

            Ran into this bug with Confluence 5.9 recently and it had a large impact on our users. Thousands of memberships removed.

            Griffin Idleman added a comment - Ran into this bug with Confluence 5.9 recently and it had a large impact on our users. Thousands of memberships removed.

              fxu Feng Xu (Inactive)
              fsim Foo Sim (Inactive)
              Affected customers:
              79 This affects my team
              Watchers:
              85 Start watching this issue

                Created:
                Updated:
                Resolved: