Marcus Tornberg Super Contributor.
Super Contributor.
938 views

User marked as duplicate object

Hi.

Running Identity Governance client version 3.0.1 revision 25950 and Identity Governance server version 3.0.1 from revision 25952.

Using eDirectory Identity with changes Collector - Template Version 3.0.1.

I collect identities with "Collect Identity" with the following mappings:
User ID from Source - OBJ_ID
First Name - givenName
Last Name - sn
Title - title
Email - mail
Department - ou
Employment Type - employeeType
Object GUID - GUID
LDAP Distinguished Name - OBJ_ID
Employee Status - employeeStatus
Workforce ID - workforceID

I get the following warning message on 3 users:
Warning: Collecting entity 'USER' - Marked as duplicate object because an existing object was found with the same identity in users with uniqueId - cn=auser,ou=someOU,o=somewhere

I have no idea why it is a duplicate or how to troubleshoot this.

Please help 🙂

Best Regards
Marcus
0 Likes
8 Replies
Knowledge Partner
Knowledge Partner

Re: User marked as duplicate object

On 12/6/2018 10:34 AM, marcus jonsson wrote:
>
> Hi.
>
> Running Identity Governance client version 3.0.1 revision 25950 and
> Identity Governance server version 3.0.1 from revision 25952.
>
> Using eDirectory Identity with changes Collector - Template Version
> 3.0.1.
>
> I collect identities with "Collect Identity" with the following
> mappings:
> User ID from Source - OBJ_ID
> First Name - givenName
> Last Name - sn
> Title - title
> Email - mail
> Department - ou
> Employment Type - employeeType
> Object GUID - GUID
> LDAP Distinguished Name - OBJ_ID
> Employee Status - employeeStatus
> Workforce ID - workforceID
>
> I get the following warning message on 3 users:
> Warning: Collecting entity 'USER' - Marked as duplicate object because
> an existing object was found with the same identity in users with
> uniqueId - cn=auser,ou=someOU,o=somewhere


So do you have a structured tree, where bsmith is in one container, and
bsmith is in a different container? That might be one possible case.
However, since LDAP DN is using OBJ_ID one assumes it means the entire
LDAP DN is the User ID from Source.

Look in the last side menu item, Data or somesuch on Users, and see if
the schema for user objects has uniqueID defined somewhere in the IG
namespace, maybe whatver attribute is being used is actually having a dupe?


0 Likes
Marcus Tornberg Super Contributor.
Super Contributor.

Re: User marked as duplicate object

Hi Geoff!

Thanks for your reply.

I found my issue. The problem was that some users in eDirectory had two values in the attribute CN. Removing the non-naming CN value resolved the issue. (removing the CN value that was not part of the DN)

Best Regards
Marcus
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: User marked as duplicate object

On 12/10/18 5:24 AM, marcus jonsson wrote:
>
> Hi Geoff!
>
> Thanks for your reply.
>
> I found my issue. The problem was that some users in eDirectory had two
> values in the attribute CN. Removing the non-naming CN value resolved
> the issue. (removing the CN value that was not part of the DN)
>
> Best Regards
> Marcus
>
>

Greetings,
You will receive this kind of warning when you collect an attribute
of an Identity, Group, Account, or Permission if that attribute is
marked as Single Valued. A number of the default attributes within ID
Gov can not be changed to Multi-Valued.

1) In this case the we will only keep one (1) value and remove the
other. If there is a particular value you want kept, then you will need
to handle it in your input transformation code within that attribute.
or

2) If you want want both values to be seen, then you will need to use
some input transformation code to concatenate the two (2) values.

There is an example in the Technical Doc reference section within the ID
Gov Documentation page.


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
0 Likes
Marcus Tornberg Super Contributor.
Super Contributor.

Re: User marked as duplicate object

Hi Steven.

I don't fully agree with you.

The error message I got was (based on my original post and the subject for this thread):
Warning: Collecting entity 'USER' - Marked as duplicate object because an existing object was found with the same identity in users with uniqueId

This was the error message that confused me, and I think that IG should be able to handle two values in CN and only use DN? It is also not apparent from the error message that it is an issue with CN/DN.

(in this customers collector, CN is also collected, but that is to an extended User attribute, ext_cn)

In case of multiple values being collected for any other attribute that is marked as Single value in IG I get:
Warning: Collecting entity 'USER' Multiple values for single value attribute. Refer to 'givenName' in the following data
A very nice error message on what is wrong.

In that instance, I agree with you on how to handle it as per your post.

In order to suppress warnings/errors (or "solve") the latter of those, I inserted the following transformation script that collects one value in case multiple values are found in eDirectory (thanks Geoff):
<code>
if( inputValue[0]=='[' ) {
var jsonObj = JSON.parse(inputValue);
result=jsonObj[0];
} else {
result = inputValue;
}
outputValue=result;
</code>

Best regards
Marcus
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: User marked as duplicate object

On 12/10/18 6:54 AM, marcus jonsson wrote:
>
> Hi Steven.
>
> I don't fully agree with you.
>
> The error message I got was (based on my original post and the subject
> for this thread):
> Warning: Collecting entity 'USER' - Marked as duplicate object because
> an existing object was found with the same identity in users with
> uniqueId
>
> This was the error message that confused me, and I think that IG should
> be able to handle two values in CN and only use DN? It is also not
> apparent from the error message that it is an issue with CN/DN.
>
> (in this customers collector, CN is also collected, but that is to an
> extended User attribute, ext_cn)
>
> In case of multiple values being collected for any other attribute that
> is marked as Single value in IG I get:
> Warning: Collecting entity 'USER' Multiple values for single value
> attribute. Refer to 'givenName' in the following data
> A very nice error message on what is wrong.
>
> In that instance, I agree with you on how to handle it as per your
> post.
>
> In order to suppress warnings/errors (or "solve") the latter of those, I
> inserted the following transformation script that collects one value in
> case multiple values are found in eDirectory (thanks Geoff):
> <code>
> if( inputValue[0]=='[' ) {
> var jsonObj = JSON.parse(inputValue);
> result=jsonObj[0];
> } else {
> result = inputValue;
> }
> outputValue=result;
> </code>
>
> Best regards
> Marcus
>
>

Greetings,
I have done some quick tests here and can not reproduce the
behavior. I am wondering if any of the default mappings of incoming
values to ID Gov Attributes were changed. I have a user with 2 CNs and
I do not receive any error during Collection.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
0 Likes
Knowledge Partner
Knowledge Partner

Re: User marked as duplicate object

>     I have done some quick tests here and can not reproduce the
> behavior.  I am wondering if any of the default mappings of incoming
> values to ID Gov Attributes were changed.  I have a user with 2 CNs and
> I do not receive any error during Collection.


What is UserA has:
CN= bsmith (naming)
CN= bobsmith

UserB has
cn=bobsmith (naming)
CN=bsmith

This is of course eDir legal, but seems like would trigger this error,
perhaps.

Does IG notice the naming attribue instance of just read them back as is?

0 Likes
Marcus Tornberg Super Contributor.
Super Contributor.

Re: User marked as duplicate object

stevewdj;2492248 wrote:
On 12/10/18 6:54 AM, marcus jonsson wrote:
>
> Hi Steven.
>
> I don't fully agree with you.
>
> The error message I got was (based on my original post and the subject
> for this thread):
> Warning: Collecting entity 'USER' - Marked as duplicate object because
> an existing object was found with the same identity in users with
> uniqueId
>
> This was the error message that confused me, and I think that IG should
> be able to handle two values in CN and only use DN? It is also not
> apparent from the error message that it is an issue with CN/DN.
>
> (in this customers collector, CN is also collected, but that is to an
> extended User attribute, ext_cn)
>
> In case of multiple values being collected for any other attribute that
> is marked as Single value in IG I get:
> Warning: Collecting entity 'USER' Multiple values for single value
> attribute. Refer to 'givenName' in the following data
> A very nice error message on what is wrong.
>
> In that instance, I agree with you on how to handle it as per your
> post.
>
> In order to suppress warnings/errors (or "solve") the latter of those, I
> inserted the following transformation script that collects one value in
> case multiple values are found in eDirectory (thanks Geoff):
> <code>
> if( inputValue[0]=='[' ) {
> var jsonObj = JSON.parse(inputValue);
> result=jsonObj[0];
> } else {
> result = inputValue;
> }
> outputValue=result;
> </code>
>
> Best regards
> Marcus
>
>

Greetings,
I have done some quick tests here and can not reproduce the
behavior. I am wondering if any of the default mappings of incoming
values to ID Gov Attributes were changed. I have a user with 2 CNs and
I do not receive any error during Collection.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus


Hi Steven.

Sorry for the late response.

The mappings were setup this way:
User ID from Source - OBJ_ID
First Name - givenName
Last Name - sn
Title - title
Email - mail
Department - ou
Employment Type - employeeType
Object GUID - GUID
LDAP Distinguished Name - OBJ_ID
Employee Status - employeeStatus
Workforce ID - workforceID
So, these are the default also for the eDirectory Identity collector.

However, per my other forum post, I have redone the Identity Collector to utilize the Identity Manager Identity collector instead of the eDirectory Identity collector.

I will try and see if I can duplicate the issue in my test environment.

Maybe this could cause issues:
- User cn=user1,ou=users,o=data exists
- Collect/Publish in IG
- User cn=user1,ou=users,o=data renamed to cn=user2,ou=users,o=data
- Add user1 to CN of cn=user2,ou=users,o=data
- Collect/Publish in IG

It seems that it is not as simple as just adding a secondary CN that could be the cause of this as you are unable to duplicate with that simple step.

When I find the time, I will try and reproduce.

Best regards
Marcus
0 Likes
Marcus Tornberg Super Contributor.
Super Contributor.

Re: User marked as duplicate object

Hi again.

I just got the same error again. This time it is also a user that has two CN values in eDirectory (msol and mayso). msol is naming.

I downloaded the emulation package, and it is clearly two rows with the same user, the rows are identical:
"cn=msol,ou=users,o=data","Joe","Doh",,"joe.doh@domain.com","Finance","EXTERNAL",,"BFBD88B8541A574CBAA6E37706AD8079","INACTIVE","IDM-TREE","879879",,"Summerstreet 12b","msol|mayso"
"cn=msol,ou=users,o=data","Joe","Doh",,"joe.doh@domain.com","Finance","EXTERNAL",,"BFBD88B8541A574CBAA6E37706AD8079","INACTIVE","IDM-TREE","879879",,"Summerstreet 12b","msol|mayso"

There must be something in the collector that makes it read the same user twice, but I cannot figure out why.

There is no other users with CN msol or mayso in the collection.

Best regards
Marcus
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.