
Hi, we are encountering the same issue as described in this IBM article:

http://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/tsec_was_ad_filter.html

We have users under two sub-domains (under the same top domain). Is there an IBM Liberty expert who can advise on how to properly structure the search filter so that we can get the user (see the Liberty error log below)?

Here is the current filter that we have:

<ldapRegistry baseDN="DC=abc,DC=CORP,DC=com"
              bindDN="CN=ServiceID,OU=Service Accounts,OU=Accounts,DC=abc,DC=CORP,DC=com"
              bindPassword="${bindPassword}"
              host="abc.corp.com"
              id="ldap"
              ignoreCase="false"
              ldapType="Microsoft Active Directory"
              port="3268"
              realm="BasicRealm">
    <!-- Liberty's Active Directory filter element is named activedLdapFilter -->
    <activedLdapFilter groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                       groupIdMap="*:cn"
                       groupMemberIdMap="memberOf:member"
                       userFilter="(&amp;(objectcategory=user)(userPrincipalName=%v))"
                       userIdMap="user:sAMAccountName"/>
</ldapRegistry>

Error that is seen:

com.ibm.ws.security.registry.EntryNotFoundException: CWIML4538E: The user registry operation could not be completed. More than one record exists for the XXXXXXX principal name in the configured user registries. The principal name must be unique across all the user registries.
    at com.ibm.ws.security.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:305)
    at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUniqueUserId(WIMUserRegistry.java:291)
    at com.ibm.ws.security.authentication.jaas.modules.HashtableLoginModule.handleUserId(HashtableLoginModule.java:177)
    at com.ibm.ws.security.authentication.jaas.modules.HashtableLoginModule.login(HashtableLoginModule.java:127)
    at com.ibm.ws.kernel.boot.security.LoginModuleProxy.login(LoginModuleProxy.java:51)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Unknown Source)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)

O.W.

1 Answer


As the error message indicates, the problem is caused by having multiple users with the same principal name. If you are finding unwanted users, this can generally be solved by either narrowing the baseDN of the ldapRegistry or specifying a search base for the users:

<ldapEntityType name="PersonAccount">
    <searchBase>ou=Users,DC=abc,DC=CORP,DC=com</searchBase>
</ldapEntityType>
Ryan
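Putting the answer together with the poster's configuration, here is a complete ldapRegistry as an added example; it is editor-written and is not code from the question, the answer, or IBM. The sub-domain naming contexts (DC=emea,... and DC=apac,...) and the OU names are assumptions standing in for the poster's two sub-domains; the element and attribute names are Liberty's own. Two points a practitioner should keep in mind while reading it: port 3268 is the Active Directory global catalog, so a search rooted at the forest base DN covers every domain in the forest, and sAMAccountName is only guaranteed unique within one domain, whereas userPrincipalName is unique across the forest, so any lookup that resolves a bare account name through the global catalog can legitimately match once per sub-domain. The two searchBase elements confine the PersonAccount search to the user containers of the two sub-domains instead of the whole forest.

```xml
<!-- Added example (editor-written), not the poster's or IBM's configuration.
     Assumed: sub-domain contexts DC=emea,... and DC=apac,... and the OU names. -->
<ldapRegistry id="ldap" realm="BasicRealm"
              ldapType="Microsoft Active Directory"
              host="abc.corp.com"
              port="3268"
              baseDN="DC=abc,DC=CORP,DC=com"
              bindDN="CN=ServiceID,OU=Service Accounts,OU=Accounts,DC=abc,DC=CORP,DC=com"
              bindPassword="${bindPassword}"
              ignoreCase="false">
    <!-- Port 3268 is the global catalog in the clear; the bind password crosses
         the wire unprotected. Prefer port 3269 (global catalog over TLS) with
         sslEnabled="true" and an sslRef pointing at a truststore that holds
         the domain controller's CA certificate. -->

    <!-- Users are matched on userPrincipalName, which is forest-unique.
         userIdMap is kept as in the question; note that sAMAccountName is only
         unique within a single domain. -->
    <activedLdapFilter userFilter="(&amp;(objectcategory=user)(userPrincipalName=%v))"
                       userIdMap="user:sAMAccountName"
                       groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                       groupIdMap="*:cn"
                       groupMemberIdMap="memberOf:member"/>

    <!-- Limit the person search to the user containers of the two sub-domains.
         Objects elsewhere under the base DN (service accounts, computers,
         contacts) are not returned for PersonAccount lookups. -->
    <ldapEntityType name="PersonAccount">
        <objectClass>user</objectClass>
        <searchBase>OU=Users,DC=emea,DC=abc,DC=CORP,DC=com</searchBase>
        <searchBase>OU=Users,DC=apac,DC=abc,DC=CORP,DC=com</searchBase>
    </ldapEntityType>

    <!-- Groups are looked up from one container at the forest root (assumed). -->
    <ldapEntityType name="Group">
        <objectClass>group</objectClass>
        <searchBase>OU=Groups,DC=abc,DC=CORP,DC=com</searchBase>
    </ldapEntityType>
</ldapRegistry>
```

If the duplicate persists after narrowing the search bases, the remaining candidates are two objects with the same value of whichever attribute Liberty is being asked to resolve; an ldapsearch against port 3268 with the same userFilter and the failing principal name substituted for %v will show both distinguished names and tell you which sub-domain each lives in.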