Some users are unable to log in to Spectrum through LDAP

Article ID: 32117

Products

CA Spectrum

Issue/Introduction

Specific users are unable to log in to Spectrum through LDAP.

With SSORB debug enabled in OneClick, error messages similar to the following appear in the Tomcat log file (catalina.out on Linux/Unix, stdout.log on Windows):

(http-bio-8443-exec-58) (SecuritySP) - Authenticating user with external directory server: spectrum

(http-bio-8443-exec-58) (SecuritySP) - Getting user by search: sAMAccountName=spectrum

(http-bio-8443-exec-58) (SecuritySP) - Username spectrum has multiple entries

Cause

Because Spectrum is integrated with Active Directory, it queries AD for every login attempted at the Spectrum console, even if the user does not exist in AD.

The OneClick integration configuration page defines sAMAccountName={0} as the login name pattern used to search for users in Active Directory.

This means that Spectrum will search for this user attribute to locate users:

(http-bio-8443-exec-58) (SecuritySP) - Getting user by search: sAMAccountName=spectrum

The string "Username spectrum has multiple entries" indicates that the sAMAccountName attribute of the user account is duplicated in Active Directory, although this attribute is supposed to be unique:

(http-bio-8443-exec-58) (SecuritySP) - Username spectrum has multiple entries

Environment

Spectrum integrated with LDAP

Resolution

Run a search in Active Directory for the affected sAMAccountName and eliminate the duplicates.
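
One way to carry out that search offline, as an added example that is not part of the original article or of Spectrum: the Python script below reads an LDIF export of user objects (assumed to have been produced with a tool such as ldapsearch or ldifde and to include the sAMAccountName attribute) and lists every login name that resolves to more than one entry. The function names parse_ldif and duplicate_sam_accounts and the sample directory data are hypothetical.

```python
import base64
from collections import defaultdict

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield dict(entry)
                entry = defaultdict(list)
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" carries non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.lower()].append(value.strip())

def duplicate_sam_accounts(ldif_text):
    """Map each sAMAccountName held by more than one entry to the DNs holding it."""
    by_name = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        for name in entry.get("samaccountname", []):
            # AD compares this attribute case-insensitively, so fold case before grouping.
            by_name[name.casefold()].append(entry.get("dn", ["<no dn>"])[0])
    return {name: dns for name, dns in by_name.items() if len(dns) > 1}

# Constructed sample export (not real directory data).
_B64_DN = base64.b64encode("CN=José,OU=Users,DC=example,DC=com".encode()).decode()
SAMPLE_LDIF = f"""dn: CN=Spectrum Service,OU=Service Accounts,DC=example,DC=com
sAMAccountName: spectrum

dn: CN=Spectrum Admin,OU=Users,DC=child,DC=example,
 DC=com
sAMAccountName: Spectrum

dn:: {_B64_DN}
sAMAccountName: jose
"""

if __name__ == "__main__":
    for name, dns in duplicate_sam_accounts(SAMPLE_LDIF).items():
        print(f"{name}: {len(dns)} entries")
        for dn in dns:
            print("   ", dn)
```

Each login name it reports corresponds to a "has multiple entries" message in the OneClick debug log; the listed DNs are the entries to review.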