Jazz Forum

LDAP nightly sync error: more than one user with id

LDAP with MS Active Directory, WAS and a multiple LDAP group to role mapping. Error message in /jazz/events?provider=ldapnightlysync

More than one user with the id "CN=abcdef,OU=some,OU=where,OU=in,OU=here,OU=Someusers,DC=emea,DC=company,DC=com" is present in the LDAP user directory.

Can you help me troubleshoot?

Of course, there is only one user with that exact DN in the directory.

But as we are using multiple LDAP groups mapped to one role, could the problem be that this user is a member in two of the three groups that are mapped to e.g. the JazzUsers role?

Which config page entry is used for the LDAP lookup at this point?

What is the condition that throws this exception?

(and why does the nightly sync stop at that point and does not continue with just this as a warning?)

0 votes



7 answers

We got exactly the same problem.

RTC 2.0.0.1, WAS, Win 2003, SQL Server, MS Active Directory

BR
Henrik

0 votes


"More than 1 user with the id" occurs only when there are 2 users with the same DN.

This is what we are doing :

1. We get the member DNs defined in the 4 Jazz groups.
2. Then for each member, we get the user record using the DN defined in the group membership property.

You are right. LDAP nightly sync should not stop. I opened
https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/95723 to address this issue.

--- Balaji

0 votes


Balaji, does this imply that you should not add a user to more than one Jazz LDAP group? For example, JazzAdmins is enough for an admin, no need to be in JazzUsers too?


/henrik

0 votes


It has nothing to do with a user that exists in 2 different groups.

We are getting the dn of the user (from the group membership information). Then we are trying to retrieve that user using the dn. The ldap returns more than 1 user.

I have a question for you.

--- Usually sAMAccountName is used to represent the unique id of a user in MS Active Directory. Shouldn't "sAMAccountName" be used to represent the DN of the user instead of CN?

--- Balaji

0 votes


"We are getting the dn of the user (from the group membership information). Then we are trying to retrieve that user using the dn. The ldap returns more than 1 user. "

No, "ldap" returns only one entry. But RTC reports two... WAS and other LDAP clients can (correctly) find only one user in this case!

We map sAMAccountName instead of cn I think.

/henrik

0 votes


We are getting the dn of the user (from the group membership information). Then we are trying to retrieve that user using the dn. The ldap returns more than 1 user.


Hi Balaji,

I am learning something new about LDAP every day ;-)

Okay, it seems that the problem here on the customer site is that almost all users have multiple LDAP accounts for the different IT systems (hence the message that more than one account was found).
But luckily all these accounts seem to have different objectClasses (and/or the "main" accounts that we need are on BASE scope).

So our troubles regarding the nightly sync will be over if you tell me how I can configure that "(objectClass=user)" be added as a filter to exactly that ldap query you mentioned.

So far I tried at "Find Users by User Id Query" using "(&(sAMAccountName=?1)(objectClass=user))" but since I now learned that RTC seems to do a query on that full DN and not on the BASE_DN using a filter, maybe I can configure somewhere that the SCOPE be limited to BASE instead of SUBTREE for just that lookup?

Problem is that the other LDAP queries with filters of course must use SUBTREE to find all the entries. But that "single user lookup" using full DN for nightly sync needs to have base only, otherwise it will find all these additional user accounts which we cannot use for RTC identification...

Please can you help us once again ;-)

Greetings,

Meik

0 votes
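To make the failure mode in Balaji's description and Meik's diagnosis concrete, here is an added, constructed example (not RTC code and not from anyone in this thread): a tiny in-memory directory where extra accounts sit beneath the main user entry, a search that honours BASE vs SUBTREE scope, and the (objectClass=user) filter. The child entries, their objectClass values and the second member "ghijk" are assumptions made up for the demonstration.

```python
"""Simulated per-member DN lookup from an LDAP group sync.
Shows why a SUBTREE search based at the member DN can return more than one
entry, and how BASE scope or an (objectClass=user) filter disambiguates it."""
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, str]

# Constructed directory (assumption): the "main" account plus two extra
# accounts for other IT systems stored beneath it, as described in the thread.
DIRECTORY: Dict[str, Entry] = {
    "CN=abcdef,OU=Someusers,DC=emea,DC=company,DC=com":
        {"objectClass": "user", "sAMAccountName": "abcdef"},
    "CN=abcdef-mail,CN=abcdef,OU=Someusers,DC=emea,DC=company,DC=com":
        {"objectClass": "mailAccount", "sAMAccountName": "abcdef-mail"},
    "CN=abcdef-unix,CN=abcdef,OU=Someusers,DC=emea,DC=company,DC=com":
        {"objectClass": "posixAccount", "sAMAccountName": "abcdef-unix"},
    "CN=ghijk,OU=Someusers,DC=emea,DC=company,DC=com":
        {"objectClass": "user", "sAMAccountName": "ghijk"},
}


def _norm(dn: str) -> str:
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(base: str, scope: str,
           flt: Callable[[Entry], bool] = lambda e: True) -> List[str]:
    """Minimal LDAP search: BASE returns only the base entry itself, SUBTREE
    returns the base plus every entry whose DN ends with ',<base>'."""
    b = _norm(base)
    hits = []
    for dn, entry in DIRECTORY.items():
        n = _norm(dn)
        in_scope = n == b if scope == "BASE" else (n == b or n.endswith("," + b))
        if in_scope and flt(entry):
            hits.append(dn)
    return hits


def is_user(entry: Entry) -> bool:
    """Equivalent of the (objectClass=user) filter Meik wants added."""
    return entry.get("objectClass") == "user"


def sync_group_members(member_dns: List[str], scope: str,
                       flt: Callable[[Entry], bool] = lambda e: True
                       ) -> Tuple[List[str], List[str]]:
    """Resolve each group member DN. An ambiguous or missing entry becomes a
    warning instead of aborting the whole run, as the thread asks for."""
    resolved, warnings = [], []
    for dn in member_dns:
        hits = search(dn, scope, flt)
        if len(hits) == 1:
            resolved.append(hits[0])
        else:
            warnings.append(f"{len(hits)} entries for {dn}")
    return resolved, warnings
```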


Opened https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/96194 to address your issue.

--- Balaji

0 votes

Question asked: Sep 29 '09, 3:09 a.m.

Question was seen: 7,420 times

Last updated: Sep 29 '09, 3:09 a.m.