Some users are unable to log in to Spectrum through LDAP

Document ID : KB000032117
Last Modified Date : 29/04/2019
Issue:

Specific users are unable to log in to Spectrum through LDAP.

With SSORB debug enabled in OneClick, error messages similar to the following appear in the Tomcat log file (catalina.out on Linux/Unix, stdout.log on Windows):

(http-bio-8443-exec-58) (SecuritySP) - Authenticating user with external directory server: spectrum

(http-bio-8443-exec-58) (SecuritySP) - Getting user by search: sAMAccountName=spectrum

(http-bio-8443-exec-58) (SecuritySP) - Username spectrum has multiple entries

Environment:
Spectrum integrated with LDAP
Cause:

Because Spectrum is integrated with Active Directory, it queries AD for every login attempted at the Spectrum console, even if the user does not exist in AD.

The OneClick integration configuration page defines sAMAccountName={0} as the login name pattern for searching users in Active Directory.

This means that Spectrum will search for this user attribute to locate users:

(http-bio-8443-exec-58) (SecuritySP) - Getting user by search: sAMAccountName=spectrum

The string "Username spectrum has multiple entries" indicates that the "sAMAccountName" attribute of the user account is duplicated in Active Directory, although this attribute is supposed to be unique:

(http-bio-8443-exec-58) (SecuritySP) - Username spectrum has multiple entries

Resolution:

Search Active Directory for the duplicated sAMAccountName values and eliminate the duplicates.
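
One way to run that search offline, as an added example that is not part of the original article or of Spectrum: the Python below takes the login names flagged in the Tomcat log and lists every DN in an LDIF export that carries the same sAMAccountName. It assumes an LDIF export (for example from ldifde or ldapsearch) of the scope Spectrum searches; the domain names, DNs and the jdoe account are constructed.

```python
import base64
import re
from collections import defaultdict

# Log wording is the article's; the sample log and LDIF below are constructed.
MULTI = re.compile(r"\(SecuritySP\) - Username (\S+)\s+has multiple entries")
SAMPLE_LOG = """\
(http-bio-8443-exec-61) (SecuritySP) - Getting user by search: sAMAccountName=jdoe
(http-bio-8443-exec-58) (SecuritySP) - Username spectrum has multiple entries
"""
SAMPLE_LDIF = """\
dn: CN=spectrum,OU=Service Accounts,DC=emea,DC=example,DC=test
sAMAccountName: spectrum

dn: CN=Spectrum Monitoring,OU=Service Accounts,DC=apac,DC=example,
 DC=test
sAMAccountName: Spectrum

dn: CN=jdoe,CN=Users,DC=emea,DC=example,DC=test
sAMAccountName: jdoe
"""

def parse_ldif(ldif_text):
    """Yield (dn, sAMAccountName) for each record of an LDIF export."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo RFC 2849 line folding
    for record in re.split(r"\r?\n\s*\r?\n", unfolded):
        attrs = {}
        for line in record.splitlines():
            m = re.match(r"([A-Za-z][\w;-]*)(::?) ?(.*)", line)
            if m:
                name, sep, value = m.groups()
                if sep == "::":  # "::" marks a base64-encoded value
                    value = base64.b64decode(value).decode("utf-8")
                attrs.setdefault(name.lower(), value)
        if "dn" in attrs and "samaccountname" in attrs:
            yield attrs["dn"], attrs["samaccountname"]

def duplicates(ldif_text):
    """Map each shared sAMAccountName (lower-cased; AD matches it case-insensitively) to its DNs."""
    by_name = defaultdict(list)
    for dn, sam in parse_ldif(ldif_text):
        by_name[sam.lower()].append(dn)
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}

def report(log_text, ldif_text):
    """For each user the log flags, the DNs that share that login name."""
    dups = duplicates(ldif_text)
    users = {m.group(1).lower() for m in MULTI.finditer(log_text)}
    return {u: dups.get(u, []) for u in sorted(users)}
```

An empty DN list for a flagged user means the export does not cover the scope Spectrum actually searched.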