000012712 - How to fix overlapping external Identity Sources in AM 7.1 or later

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012712
Applies To: RSA Authentication Manager 7.1 or later, including AM 8.0, AM 8.1 and later AM 8.x releases
Multiple external Identity Sources, e.g. support.na.rsa.net, engineering.na.rsa.net and marketing.na.rsa.net, which could be better managed as one external Identity Source under na.rsa.net
External IS integration
Issue: How to fix overlapping external LDAP Identity Sources in AM 7.1 or later, including AM 8.0.
The same user shows up under two Identity Sources that point to different parts of the same Active Directory domain.
Adding a user with the same user ID fails with:
    There was a problem processing your request. Cannot add or manage a user with user ID jguillette. Your deployment is configured to not allow duplicate user IDs in a realm. This user ID is already in use by an unresolvable user in this realm. For more information, see the Troubleshooting appendix in the Administrator's Guide.
Exporting the user fails with:
    Export Failed: There is an error with the user record. The identity source contains no value for the attribute set as the Unique Identifier for the user. Edit the user record in the directory to add a value.
This second error indicates that you are not using objectGUID as the Unique Identifier in your external IS but some other attribute, such as employeeNumber, and that at least one record has a blank value in that attribute.
Cause: In this situation "overlapping" means that two external Identity Sources point to the same domain, often with one Identity Source in a sub-container of the other, so that the same user (uniquely identified by objectGUID or another attribute) appears in each Identity Source in Authentication Manager.
If a user is deleted and then added back to Active Directory, that is not an overlap, because the re-created object has a different GUID. This situation typically produces the error 'user already exists in the realm'.
Two different people with the same name and the same user ID in different domains are also not an overlap; they are duplicate users, not the same person twice.
If the users are not in the same domain they are not the same user, so this is not an overlap and you should use the token/user export fix rather than the LDAP fix described here (see KB a63330).
Resolution: In summary:
1. Create a new top-level LDAP Identity Source that covers the two or more existing Identity Sources, i.e. build the top-level, all-inclusive IS.
2. Remove the sub-container Identity Sources.
3. Start a clean-up job on the primary Security Console; simply viewing the list of these users will correct their exuid pointers (see the details of step 3).
Details of step 1:
Create the new Identity Source pointing at the top of the directory tree, with:
 User Base DN: dc=company,dc=com (the top-level domain name)
 Under Users
 Search Filter: (&(objectClass=user)(objectCategory=person))
 Under Groups
 Search Filter: (&(objectClass=group))
Once this IS exists, the users will show in both Identity Sources. A user who appears in two locations cannot be resolved, so there will be authentication failures until the clean-up in step 3 is done. This overlap has to exist first, so that the clean-up has something to fix.
Details of step 3:
With a single top-level IS there should be no overlap, but the Authentication Manager database pointer (exuid) for each formerly overlapping user still needs to be corrected to point at the single remaining instance of that user (matched by its unique identifier, usually the GUID). Run an Identity Source clean-up: listing the users finds each user by GUID and updates the CN part of the exuid pointer into AD so that the user is found in the new Identity Source. You do not even have to run the clean-up to completion; simply listing the users corrects the exuid pointer.
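To make the distinction between an overlap, a duplicate user and a re-created account concrete, here is an added Python example; it is not part of this article and not RSA code, and it does not talk to Authentication Manager or Active Directory. It takes the user records AM sees through each external Identity Source and sorts user-ID collisions into the cases the Cause section separates (same objectGUID through two Identity Sources, same user ID in different domains, same user ID and domain but a new GUID), checks which existing Identity Sources a proposed top-level User Base DN covers (the check you want before step 1 above), and lists records with no value in the attribute chosen as Unique Identifier (the 'Export Failed' case). Every Identity Source name, base DN, GUID and user record in it is constructed sample data.

```python
"""Added example for this article; not RSA code, and it talks to no AM or AD server.

Separates the cases the Cause section distinguishes, for user records seen
through external Identity Sources:
  overlap   - the same objectGUID reached through two Identity Sources (LDAP fix)
  duplicate - same user ID in different domains, different GUIDs (different people;
              token/user export fix, see KB a63330)
  recreated - same user ID and domain but a new GUID (account deleted and re-added,
              so the stored AM pointer is stale)
Every name, DN, GUID and record below is constructed sample data.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdentitySource:
    name: str
    base_dn: str          # the User Base DN configured for the Identity Source


@dataclass(frozen=True)
class UserRecord:
    source: str                     # Identity Source the record is seen through
    dn: str
    user_id: str                    # sAMAccountName
    object_guid: Optional[str]      # objectGUID (always set by AD)
    employee_number: Optional[str]  # employeeNumber (may be blank in AD)


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into lower-cased RDNs. Assumes no escaped commas, which holds for base DNs."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_within(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or lies in a sub-container of it (suffix match on RDNs)."""
    child, parent = dn_rdns(dn), dn_rdns(base_dn)
    return len(child) >= len(parent) and child[len(child) - len(parent):] == parent


def domain_of(dn: str) -> str:
    """The AD domain a DN belongs to, i.e. its dc= components."""
    return ",".join(rdn for rdn in dn_rdns(dn) if rdn.startswith("dc="))


def overlapping_sources(sources: List[IdentitySource]) -> List[Tuple[str, str]]:
    """Pairs of Identity Sources whose base DNs nest, so the same user is visible through both."""
    return [(a.name, b.name) for a, b in combinations(sources, 2)
            if is_within(a.base_dn, b.base_dn) or is_within(b.base_dn, a.base_dn)]


def sub_containers_of(top: IdentitySource, sources: List[IdentitySource]) -> List[str]:
    """Names of the Identity Sources a new top-level IS would cover (step 1 of the resolution)."""
    return [s.name for s in sources if s is not top and is_within(s.base_dn, top.base_dn)]


def classify_user_id_collisions(records: List[UserRecord]) -> Dict[str, List[str]]:
    """For each user ID seen through more than one Identity Source, name the case(s) it falls in."""
    by_user_id: Dict[str, List[UserRecord]] = {}
    for rec in records:
        by_user_id.setdefault(rec.user_id, []).append(rec)
    result: Dict[str, set] = {}
    for user_id, recs in by_user_id.items():
        for a, b in combinations(recs, 2):
            if a.source == b.source:
                continue                      # same IS twice is not a cross-IS collision
            if a.object_guid == b.object_guid:
                kind = "overlap"              # one AD object, two Identity Sources
            elif domain_of(a.dn) != domain_of(b.dn):
                kind = "duplicate"            # two people who happen to share a user ID
            else:
                kind = "recreated"            # one domain holds at most one object per
                                              # sAMAccountName, so a new GUID means deleted/re-added
            result.setdefault(user_id, set()).add(kind)
    return {uid: sorted(kinds) for uid, kinds in result.items()}


def blank_unique_identifier(records: List[UserRecord], attribute: str) -> List[str]:
    """User IDs whose chosen Unique Identifier attribute is empty; AM reports these as 'Export Failed'."""
    return sorted(r.user_id for r in records if not getattr(r, attribute))


# Constructed sample data (hypothetical names, DNs and GUIDs).
NA = IdentitySource("na.rsa.net", "dc=na,dc=rsa,dc=net")
SAMPLE_SOURCES = [
    NA,
    IdentitySource("support.na.rsa.net", "ou=support,dc=na,dc=rsa,dc=net"),
    IdentitySource("engineering.na.rsa.net", "ou=engineering,dc=na,dc=rsa,dc=net"),
    IdentitySource("emea.rsa.net", "dc=emea,dc=rsa,dc=net"),
]
SAMPLE_RECORDS = [
    # jguillette: one AD object reached through the top-level IS and the support sub-container IS
    UserRecord("na.rsa.net", "cn=jguillette,ou=support,dc=na,dc=rsa,dc=net", "jguillette", "guid-1111", "100"),
    UserRecord("support.na.rsa.net", "cn=jguillette,ou=support,dc=na,dc=rsa,dc=net", "jguillette", "guid-1111", "100"),
    # asmith: two different people in different domains; the NA one has no employeeNumber
    UserRecord("na.rsa.net", "cn=asmith,ou=engineering,dc=na,dc=rsa,dc=net", "asmith", "guid-2222", None),
    UserRecord("emea.rsa.net", "cn=asmith,ou=sales,dc=emea,dc=rsa,dc=net", "asmith", "guid-3333", "200"),
    # bjones: AM's stored record carries the old GUID, the re-created AD object has a new one
    UserRecord("engineering.na.rsa.net", "cn=bjones,ou=engineering,dc=na,dc=rsa,dc=net", "bjones", "guid-4444", "300"),
    UserRecord("na.rsa.net", "cn=bjones,ou=engineering,dc=na,dc=rsa,dc=net", "bjones", "guid-5555", "300"),
]

if __name__ == "__main__":
    print("overlapping Identity Sources:", overlapping_sources(SAMPLE_SOURCES))
    print("covered by", NA.name + ":", sub_containers_of(NA, SAMPLE_SOURCES))
    print("user ID collisions:", classify_user_id_collisions(SAMPLE_RECORDS))
    print("blank employeeNumber:", blank_unique_identifier(SAMPLE_RECORDS, "employee_number"))
```

Only the "overlap" case is what the resolution above fixes; "duplicate" belongs to the token/user export fix in KB a63330, and "recreated" is the stale-pointer situation behind 'user already exists in the realm'. The DN containment check is a plain suffix match on RDNs, which is enough for base DNs but would need a real DN parser for values containing escaped commas.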
Workaround: Duplicate user IDs can be allowed by changing a setting in the Security Console (as an administrator with the Super Admin role) under Setup > Authentication Methods and enabling the "Non-Unique User IDs" option. This setting allows duplicate user IDs for administrative purposes only, such as the Security Console and/or the Self-Service Console; it does NOT allow different users with duplicate IDs to authenticate to agents.
Legacy Article ID: a63192