Some users are unable to log in to Spectrum through LDAP

Document ID : KB000032117
Last Modified Date : 14/02/2018

Symptoms:

Specific users are unable to log in to Spectrum through LDAP.

With SSORB debug enabled in OneClick, the following messages appear in the Tomcat log file (catalina.out on Linux/Unix, stdout.log on Windows):

(http-bio-8443-exec-58) (SecuritySP) - Authenticating user with external directory server: st450373927

(http-bio-8443-exec-58) (SecuritySP) - Getting user by search: sAMAccountName=st450373927

(http-bio-8443-exec-58) (SecuritySP) - Username st450373927 has multiple entries


Because Spectrum is integrated with Active Directory, it queries AD for every login attempted at the Spectrum console, even when the user does not exist in AD.

On the OneClick configuration integration page, the login name pattern used to search for users in Active Directory is set to sAMAccountName={0}.

This means that Spectrum searches on this attribute to locate the user:

(http-bio-8443-exec-58) (SecuritySP) - Getting user by search: sAMAccountName=st450373927

The message "Username st450373927 has multiple entries" indicates that the sAMAccountName attribute value of this user account is duplicated in Active Directory, although this attribute is supposed to be unique:

(http-bio-8443-exec-58) (SecuritySP) - Username st450373927 has multiple entries


Cause: 

The user account attribute "sAMAccountName" is duplicated for the user in Active Directory.


Resolution: 

The customer needs to search Active Directory for the duplicated sAMAccountName value and correct the data, that is, eliminate the duplicate entries.
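One way to carry out that search, added here as an example and not part of the KB article (the ActiveDirectory PowerShell module is assumed, and the server name and search base are placeholders): first list every object matching the account reported in the SSORB log, then report every sAMAccountName value that occurs more than once in the scope that Spectrum searches.

```powershell
# Added example, not from the KB article. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Use the same server/port and search base that the OneClick LDAP configuration uses.
# Port 3268 (Global Catalog) searches the whole forest; 389 searches one domain.
$Server     = 'dc01.example.com:3268'   # placeholder
$SearchBase = 'DC=example,DC=com'       # placeholder
$UserName   = 'st450373927'             # login name taken from the SSORB log message

# 1. Show every object whose sAMAccountName matches the reported login name,
#    with its DN, so the colliding entries can be identified.
Get-ADObject -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter "(sAMAccountName=$UserName)" -Properties sAMAccountName, objectClass |
    Select-Object sAMAccountName, objectClass, DistinguishedName

# 2. Report every sAMAccountName that occurs more than once in the search scope.
Get-ADObject -Server $Server -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(sAMAccountName=*)' -Properties sAMAccountName |
    Group-Object -Property sAMAccountName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [PSCustomObject]@{
            sAMAccountName = $_.Name
            Count          = $_.Count
            Entries        = ($_.Group.DistinguishedName -join '; ')
        }
    }
```

Run it against the same server, port and search base that OneClick queries: a duplicate that only exists across domains will show up in a Global Catalog (port 3268) search but not in a query limited to a single domain.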