
User Activation - Search Returns Multiple Matches Incorrectly


I have a fresh IDM 4.5.4 UA/Home/SSPR (v3.3.1.5b160r38861) install
running on SLES 11.4.

All patches for all IDM components (Engine, RL, UA, Home, SSPR, etc..)
have been applied as of July 9, 2016.

User Activation is enabled and a simple form is configured that requires
givenName, sn, and jackNumber to identify the user to be activated.
This is in a development environment so I have control over all of the
user attributes and I am 100% positive there is only one User object
with the distinct set of attributes that I am trying to test in the
activation process.

When I enter the correct values in the user activation form, I get the
following in the SSPR log;


2016-07-12T13:31:40Z, TRACE, http.PwmRequest, {1v} POST request for:
/sspr/public/ActivateUser [10.19.41.216]
processAction='activate'
dob='0101'
givenName='scott'
sn='summers'
pwmFormID='THGJkOHpWjujWDc2QxAbQo7POxdTRtcx155e0978e6ciKkvW'
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} beginning user
search process [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} performing ldap
search for user; searchID=42 profile=default base=o=chwidv
filter=SearchHelper: filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1 results
in 3ms; searchID=42 profile=default base=o=chwidv filter=SearchHelper:
filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} performing ldap
search for user; searchID=43 profile=default base=ou=users,o=chwidv
filter=SearchHelper: filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1 results
in 2ms; searchID=43 profile=default base=ou=users,o=chwidv
filter=SearchHelper: filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} completed user
search process in 7ms, resultSize=2 [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"f63ab040-d59e-4d29-9cbd-57a01925d2d1","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ATTRIBUTE\",\"subject\":\"givenName:scott\"}"}
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"18ec4a1d-dcbf-4383-8ca2-b6c58eacf824","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ATTRIBUTE\",\"subject\":\"sn:summers\"}"}
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"dea5d0a1-c3ef-4d3d-a36c-7bf39e8f66b3","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ATTRIBUTE\",\"subject\":\"dob:0101\"}"}
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"8b212764-5091-448d-8a90-de4b53385b18","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ADDRESS\",\"subject\":\"10.19.41.216\"}"}
2016-07-12T13:31:40Z, DEBUG, servlet.ActivateUserServlet, {1v} 5016
ERROR_CANT_MATCH_USER (multiple user matches found) [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, http.PwmResponse, {1v} forwarding to
/WEB-INF/jsp/activateuser.jsp [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, http.SessionManager, {1v} incremented
request counter to r6W02, current
pwmFormID=THGJkOHpWjujWDc2QxAbQo7POxdTRtcx155e0978e6cr6W02
[10.19.41.216]


According to the log, resultSize=2 is returned from the search, meaning
that two objects were matched and so it cannot decide which user to
activate. This is incorrect. When I copy and paste the exact same LDAP
search filter
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101))
and search from the root of the tree, only one result is returned via
Apache Directory Studio.

Curiously, earlier in the trace it says that only one result was found:
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1
results in 3ms. However, this message appears twice (searchID=42
and searchID=43). It appears that the search is being run twice for
some reason.

I believe this to be a bug, but before I report it I thought I'd post to see if
anyone else has run into similar issues.


--
rhettplace
------------------------------------------------------------------------
rhettplace's Profile: https://forums.netiq.com/member.php?userid=876
View this thread: https://forums.netiq.com/showthread.php?t=56253

6 Replies
Knowledge Partner

Re: User Activation - Search Returns Multiple Matches Incorrectly

I have not tested this but from the log I would say it is a bug.
Open a Service Request for it and let's find out.
Knowledge Partner

Re: User Activation -Search Returns Multiple Matches Incorrectly

On 7/13/2016 8:56 AM, joakim ganse wrote:
>
> I have not tested this but from the log I would say it is a bug.
> Open a Service Request for it and let's find out.


Is it possible that there are more than one LDAP profile and it
searching twice, and the user falls into both profiles?


rhettplace

Re: User Activation -Search Returns Multiple Matches Incorrectly


Thanks for the reply. I'm not following you with the "more than one
LDAP profile" suggestion. Do you mean that there is more than one LDAP
account configured for searching? As far as I can tell, there is only
one account authenticated to the IDV.


--
rhettplace
------------------------------------------------------------------------
rhettplace's Profile: https://forums.netiq.com/member.php?userid=876
View this thread: https://forums.netiq.com/showthread.php?t=56253

Knowledge Partner

Re: User Activation -Search Returns Multiple Matches Incorrectly

On 7/14/2016 12:14 PM, rhettplace wrote:
>
> Thanks for the reply. I'm not following you with the "more than one
> LDAP profile" suggestion. Do you mean that there is more than one LDAP
> account configured for searching? As far as I can tell, there is only
> one account authenticated to the IDV.


So there is support in SSPR for multiple profiles all over the place. My
thinking was, perhaps you have two LDAP profiles defined, and then the
module you are using supports two, so perhaps it is trying to figure out
which profile to use, but you have overlapping profiles.


Knowledge Partner

Re: User Activation - Search Returns Multiple Matches Incorrectly

Even if that's the case, I would define that as a bug.
It has to be possible for a user to fall into multiple LDAP profiles.
Micro Focus Contributor

Re: User Activation - Search Returns Multiple Matches Incorrectly

joakim_ganse;2434612 wrote:
Even if that's the case, I would define that as a bug.
It has to be possible for a user to fall into multiple LDAP profiles.


Actually, each LDAP profile should define a unique target LDAP directory, i.e., an eDirectory tree or an AD domain. LDAP profiles should not overlap. So if this is the case, you would want to change your config so it's not possible for a user to be "seen" in multiple LDAP profiles.

In any case, you might try enabling the 'LDAP Wire Trace' feature. This causes more details about the LDAP data in/out to be logged and might show you the DN of the 2 results returned in your search.
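The two searches in the original poster's log both run under profile=default but with different base DNs, and ou=users,o=chwidv is a subtree of o=chwidv, so a single entry under ou=users satisfies both SUBTREE searches: 1 + 1 hits, resultSize=2, and the "multiple user matches" error, exactly the overlap the reply above warns about. The following is an added Python example written for this page, not SSPR's own code, that models that aggregation so the effect can be reproduced offline and checked for in a configuration. The sample directory, the decoy entry's attribute values, the search-base list and all function names are assumptions; only the DN layout, the filter and the two base DNs come from the log.

```python
"""Model of a user search run over several base DNs, showing how nested
bases make one directory entry count twice (resultSize=2), plus the two
checks a practitioner wants: de-duplicate hits by DN before declaring the
match ambiguous, and flag search bases that overlap in the configuration.

Added example for this thread; it is not SSPR source code.
"""
from typing import Dict, List, Tuple

# Constructed sample directory.  The first entry is the user from the
# thread; the second is a decoy that does not match all three attributes.
# Attribute values are assumed; the ou=users,o=chwidv layout is from the log.
DIRECTORY: List[Tuple[str, Dict[str, str]]] = [
    ("cn=ssummers,ou=users,o=chwidv",
     {"objectClass": "person", "sn": "summers",
      "givenName": "scott", "jackNumber": "0101"}),
    ("cn=jgrey,ou=users,o=chwidv",
     {"objectClass": "person", "sn": "grey",
      "givenName": "jean", "jackNumber": "0102"}),
]

# Hypothetical search-base list modelled on the two searches in the log
# (searchID=42 and searchID=43).  The second base nests inside the first.
SEARCH_BASES: List[str] = ["o=chwidv", "ou=users,o=chwidv"]


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (lower-cased, whitespace stripped).
    Sufficient for the example; production code needs RFC 4514 parsing
    (escaped commas, multi-valued RDNs)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies in base's subtree (SUBTREE scope)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search_base(base: str, form: Dict[str, str]) -> List[str]:
    """One search: SUBTREE under base, AND of equality assertions, i.e. the
    (&(objectClass=person)(sn=..)(givenName=..)(jackNumber=..)) filter."""
    required = {"objectClass": "person", **form}
    return [dn for dn, attrs in DIRECTORY
            if is_under(dn, base)
            and all(attrs.get(k, "").lower() == v.lower()
                    for k, v in required.items())]


def search_all_bases(form: Dict[str, str],
                     bases: List[str] = SEARCH_BASES) -> List[str]:
    """Naive aggregation: concatenate per-base hits.  With nested bases the
    same DN is returned once per base, so len() is 2 for one real entry."""
    hits: List[str] = []
    for base in bases:
        hits.extend(search_base(base, form))
    return hits


def unique_matches(form: Dict[str, str],
                   bases: List[str] = SEARCH_BASES) -> List[str]:
    """Aggregation that de-duplicates by normalised DN before deciding
    whether the activation request is ambiguous."""
    seen = set()
    out: List[str] = []
    for dn in search_all_bases(form, bases):
        key = ",".join(split_dn(dn))
        if key not in seen:
            seen.add(key)
            out.append(dn)
    return out


def overlapping_bases(bases: List[str] = SEARCH_BASES) -> List[Tuple[str, str]]:
    """Config check: report pairs of search bases where one contains the
    other, the overlap the Micro Focus reply says should not exist."""
    return [(a, b) for i, a in enumerate(bases) for b in bases[i + 1:]
            if is_under(a, b) or is_under(b, a)]


if __name__ == "__main__":
    form = {"givenName": "scott", "sn": "summers", "jackNumber": "0101"}
    print("aggregated resultSize:", len(search_all_bases(form)))
    print("unique matches:", unique_matches(form))
    print("overlapping bases:", overlapping_bases())
```

Run it as-is to see resultSize 2 collapse to a single DN once hits are de-duplicated, then point overlapping_bases() at your own list of search bases or LDAP profile roots: any pair it reports is a configuration that can make one user look like two.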