cf-mgmt returns error CF-UnprocessableEntity 10008 user already has role in space

Article ID: 402686

Products

VMware Tanzu Application Service

Issue/Introduction

cf-mgmt returns this error during the update-space-users command:

error: got errors processing update space users [Error syncing users for org Org1, space Test, role developer: adding ldap users: User my-ldap-user with origin SAML: cfclient error (CF-UnprocessableEntity|10008): User 'my-ldap-user' already has 'space_developer' role in space 'Test'. ]

Environment

This was observed when using a SAML configuration with LDAP group lookups.

Cause

cf-mgmt throws this error when its cache holds duplicate references to the same LDAP user: entries with different distinguished names (DNs) but the same value for the "userNameAttribute" key. For example, if "userNameAttribute" maps to the UserID attribute, the two entries below refer to the same UserID under different DNs:

{
     DN:first.last 
     UserID:username1 
     Email:[email protected]
}

{
     DN:CN=first.last,OU=User Accounts,DC=mydomain,DC=COM 
     UserID:username1 
     Email:[email protected]
}

When cf-mgmt iterates over these two users for a given space, it applies the role for the first user "username1" and removes that user from its role-assignment cache. When it reaches the second entry with the same UserID "username1", it attempts to apply the role to the same space again, and Cloud Controller returns an error indicating the role is already assigned.

One way this can happen is if you have manually added the user DN "first.last" to spaceConfig.yml under "ldap_users:[first.last, other.name, more.names]" without realizing that the same user will also be found in one of the groups defined by "ldap_group:[group1, group2, group3]". This creates a duplicate user reference in cf-mgmt.

Resolution

Remove the duplicate reference to "first.last" from spaceConfig.yml.

Before

"ldap_users:[first.last, other.name, more.names]"

After

"ldap_users:[other.name, more.names]"
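The following script is an added example, not cf-mgmt's own code. It models the behaviour described in the Cause section (explicit ldap_users resolved first, then group members, with role assignment driven by the userNameAttribute value) and shows why the "Before" configuration produces a CF-UnprocessableEntity 10008 error while the "After" configuration does not. The directory entries, group membership, DN values and function names (resolve_space_users, find_duplicate_user_ids, simulate_role_sync) are all constructed for illustration; find_duplicate_user_ids is the pre-flight check an operator can run against their own config and directory data before update-space-users.

```python
# Added example (not cf-mgmt's own code): resolves the LDAP users listed for a
# space, reports user ids reachable through more than one DN, and replays the
# role-assignment walk from the Cause section to show where the 10008 error
# comes from. All data and helper names below are constructed for illustration.

from collections import defaultdict

USER_NAME_ATTRIBUTE = "UserID"   # what cf-mgmt's "userNameAttribute" points at

# Constructed directory: DN -> attributes. The first two entries are the pair
# from the Cause section: different DNs, identical UserID.
DIRECTORY = {
    "first.last": {"UserID": "username1"},
    "CN=first.last,OU=User Accounts,DC=mydomain,DC=COM": {"UserID": "username1"},
    "other.name": {"UserID": "username2"},
    "more.names": {"UserID": "username3"},
    "CN=someone.else,OU=User Accounts,DC=mydomain,DC=COM": {"UserID": "username4"},
}

# Constructed group membership: group name -> member DNs.
GROUPS = {
    "group1": [
        "CN=first.last,OU=User Accounts,DC=mydomain,DC=COM",
        "CN=someone.else,OU=User Accounts,DC=mydomain,DC=COM",
    ],
}

# The "Before" and "After" spaceConfig.yml fragments from the Resolution section.
SPACE_CONFIG_BEFORE = {"ldap_users": ["first.last", "other.name", "more.names"],
                       "ldap_group": ["group1"]}
SPACE_CONFIG_AFTER = {"ldap_users": ["other.name", "more.names"],
                      "ldap_group": ["group1"]}


def resolve_space_users(space_config, directory=DIRECTORY, groups=GROUPS):
    """Return (dn, user_id) pairs in the order they are visited here:
    explicit ldap_users first, then every member of each ldap_group."""
    dns = list(space_config.get("ldap_users", []))
    for group in space_config.get("ldap_group", []):
        dns.extend(groups.get(group, []))
    return [(dn, directory[dn][USER_NAME_ATTRIBUTE]) for dn in dns]


def find_duplicate_user_ids(records):
    """Map each user id that is reachable through more than one DN to its DNs.
    A non-empty result is the condition that triggers the 10008 error."""
    by_id = defaultdict(list)
    for dn, user_id in records:
        by_id[user_id].append(dn)
    return {uid: dns for uid, dns in by_id.items() if len(dns) > 1}


def simulate_role_sync(records, cc_roles=None):
    """Replay the walk from the Cause section and collect the errors Cloud
    Controller would return.

    cc_roles: user ids that already hold the role in Cloud Controller. The
    sync starts from a copy of that set as its cache; a user found in the
    cache is removed from it (nothing to do), anyone else gets an assignment
    call, which fails with 10008 if the role is already present."""
    cc_roles = set(cc_roles or ())
    cache = set(cc_roles)
    errors = []
    for dn, user_id in records:
        if user_id in cache:
            cache.discard(user_id)      # already had the role; keep it
            continue
        if user_id in cc_roles:         # assigned earlier in this same run
            errors.append(f"CF-UnprocessableEntity|10008: User '{user_id}' "
                          f"already has role (second reference via {dn})")
            continue
        cc_roles.add(user_id)           # successful role assignment
    return errors


if __name__ == "__main__":
    for label, cfg in (("Before", SPACE_CONFIG_BEFORE), ("After", SPACE_CONFIG_AFTER)):
        recs = resolve_space_users(cfg)
        print(label, "duplicates:", find_duplicate_user_ids(recs))
        print(label, "errors:", simulate_role_sync(recs))
```

Running the script reports one duplicate ("username1" via both "first.last" and the full CN) and one 10008 error for the "Before" configuration, and nothing for the "After" configuration. Pointing resolve_space_users at an export of your real directory and group membership turns find_duplicate_user_ids into a check that catches this overlap before cf-mgmt does.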