000023601 - Unable to log into eserver with admin account Idetails='sirrus.da.exception.MultipleResultsException: The result set from query...contains unexpected multiple entries - AxM

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017

Article Content

Article Number: 000023601
Applies To: ClearTrust Data Adapter iPlanet 5.5.3
UNIX
Issue: IAM: CT admin account accidentally deleted and recreated. After recreating the account and then trying to log in to AdminGUI, I receive 'An unexpected error occurred.' The logs say: unexpected multiple entries: cn=Default Administrative User ou=ctscAdminRepository dc=mycompany dc=com and cn=21102 ou=ctscAdminRepository dc=mycompany dc=com

The CT admin account was deleted and recreated manually with ldapmodify.

After recreating the account and then trying to log in to AdminGUI, I get 'An unexpected error occurred.'

When looking at the eserver logs I see:

sequence_number=12167,2007-04-27 07:32:39:493 EDT,conn=53,op=2,eventID=a85c916215e111774465062052162,messageID=505,ip=127.0.0.1,uname=,urole=,msg=Get role ids for user,msgtype=READ,user=admin
sequence_number=12168,2007-04-27 07:32:39:508 EDT,messageID=-2,internal_error,description='The result set from query [(&(objectclass=ctscAdministrativeUserContainer)(ctscUserDN=uid=admin ou=People dc=mycompany dc=com))] contains unexpected multiple entries: cn=Default Administrative User ou=ctscAdminRepository dc=mycompany dc=com and cn=21102 ou=ctscAdminRepository dc=mycompany dc=com',details='sirrus.da.exception.MultipleResultsException: The result set from query [(&(objectclass=ctscAdministrativeUserContainer)(ctscUserDN=uid=admin ou=People dc=mycompany dc=com))] contains unexpected multiple entries: cn=Default Administrative User ou=ctscAdminRepository dc=mycompany dc=com and cn=21102 ou=ctscAdminRepository dc=mycompany dc=com'


Cause: Two or more accounts have the ctscAdministrativeRoleList attribute populated with cn=Default Administrative Role,ou=ctscAdminRepository,dc=mydomain,dc=com
Resolution

In an iPlanet directory server data store installation, there should be only one entry in the LDAP policy data store for cn=Default Administrative User.

You can search for it from the command line with:

ldapsearch -L -b dc=<dc component 1>,dc=<dc component 2>

For a test domain dc=cindysworld,dc=com:

ldapsearch -L -b dc=cindysworld,dc=com cn="default administrative user"*

yields the results:

dn: cn=Default Administrative User, ou=ctscAdminRepository, dc=cindysworld,dc=com
ctscUserDN: uid=admin, ou=People, dc=cindysworld,dc=com
objectClass: top
objectClass: dlm1ManagedElement
objectClass: ctscManagedObjectAuxClass
objectClass: ctscAdministrativeUserContainer
cn: Default Administrative User
ctscOwner: cn=Default Administrative Group,ou=ctscAdminRepository,dc=cindysworld,dc=com
ctscAdministrativeRoleList: cn=Default Administrative Role,ou=ctscAdminRepository,dc=cindysworld,dc=com
ctscAdministrativeUserKeywords: SuperUser

Note that whatever ctscUserDN is set to (in the above example, uid=admin,ou=People,dc=cindysworld,dc=com) is the proper CT and AxM "super user" account.

This admin account should look something like this in the example domain dc=cindysworld,dc=com:

bash-2.05# ldapsearch -L -D "cn=directory manager" -w (dm password) -b dc=cindysworld,dc=com uid=admin*
dn: uid=admin, ou=People, dc=cindysworld,dc=com
uid: admin
givenName: System
sn: Administrator
cn: admin
ctscPasswordHistory: {SSHA}MQnED/y97vJVYCmQ0P7ZC5AFkJgL1gwmPEz/1A==
mail: root@lobotomy.cindysworld.com
objectClass: top
objectClass: organizationalperson
objectClass: person
objectClass: inetorgperson
objectClass: ctscuserauxclass
ctscFailedLoginCount: 0
ctscPasswordCreationDate: 20070319215258Z
ctscPasswordExpirationDate: 20070518215258Z
ctscAccountStartDate: 19700101000001Z
ctscAccountEndDate: 20380101000000Z
ctscLastResetDate: 20070319215257Z
ctscLockoutExpirationDate: 20070319215258Z
ctscUserKeywords: NotExpired
ctscUserKeywords: PasswordPolicy
userPassword: {SSHA}MQnED/y97vJVYCmQ0P7ZC5AFkJgL1gwmPEz/1A==

Only one account in the policy branch should have the attribute ctscAdministrativeRoleList populated with the value "Default Administrative Role", for example:

ctscAdministrativeRoleList: cn=Default Administrative Role,ou=ctscAdminRepository,dc=cindysworld,dc=com

When two or more accounts with different DNs are populated in the policy branch in this way, you will receive the error and be unable to log in as the administrative super user with either account. To correct the issue, identify which ctscUserDN is recorded in ou=ctscAdminRepository for the Default Administrative User by running the ldapsearch below and reading the value of ctscUserDN (in this case uid=admin,ou=People,dc=cindysworld,dc=com); retain that one entry and remove all others.

ldapsearch -L -b dc=cindysworld,dc=com cn="default administrative user"*
dn: cn=Default Administrative User, ou=ctscAdminRepository, dc=cindysworld,dc=
 com
ctscUserDN: uid=admin, ou=People, dc=cindysworld,dc=com
objectClass: top
objectClass: dlm1ManagedElement
objectClass: ctscManagedObjectAuxClass
objectClass: ctscAdministrativeUserContainer
cn: Default Administrative User
ctscOwner: cn=Default Administrative Group,ou=ctscAdminRepository,dc=cindyswor
 ld,dc=com
ctscAdministrativeRoleList: cn=Default Administrative Role,ou=ctscAdminReposit
 ory,dc=cindysworld,dc=com
ctscAdministrativeUserKeywords: SuperUser

It is best practice to back up the account you intend to delete before deleting it, for example:

ldapsearch -L -D "cn=directory manager" -w (dm password) -b dc=cindysworld,dc=com cn=BadAcct > /var/tmp/backupbadAcct.ldif

Then, after identifying the duplicate DNs, delete the duplicate entries interactively from the command line:

ldapmodify -D "cn=directory manager" -w (dm password) <hit enter>

dn: cn=BadAcct, dc=cindysworld,dc=com <hit return>

changetype: delete <hit return 2 times>

A "deleting entry for cn=duplicate account, dc=cindysworld,dc=com" message will appear.

After a few seconds, hit ctrl+c to end interactive mode.

Once the duplicates are removed, you should be able to log in to the admin console.
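The check above can be done offline against saved ldapsearch output before touching the directory. The following is an added example, not an RSA tool: it parses LDIF (including the folded continuation lines seen in real output), lists every ctscAdministrativeUserContainer entry that holds the Default Administrative Role or points at the same ctscUserDN (the two conditions behind the MultipleResultsException), and builds the ldapmodify delete input for everything except the entry you decide to keep. The sample LDIF and the cn=21102 entry are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not real output): what
#   ldapsearch -L -b dc=cindysworld,dc=com "(objectclass=ctscAdministrativeUserContainer)"
# returns in the broken state. Long values are folded as in real LDIF: a
# continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: cn=Default Administrative User, ou=ctscAdminRepository, dc=cindysworld,dc=
 com
ctscUserDN: uid=admin, ou=People, dc=cindysworld,dc=com
ctscAdministrativeRoleList: cn=Default Administrative Role,ou=ctscAdminReposit
 ory,dc=cindysworld,dc=com

dn: cn=21102, ou=ctscAdminRepository, dc=cindysworld,dc=com
ctscUserDN: uid=admin,ou=People,dc=cindysworld,dc=com
ctscAdministrativeRoleList: cn=Default Administrative Role,ou=ctscAdminRepository,dc=cindysworld,dc=com
"""

def norm_dn(dn):
    # Compare DNs the way the server does: case-insensitive, no space after commas.
    return re.sub(r",\s*", ",", dn.strip()).lower()

def unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts."""
    entries, cur = [], defaultdict(list)
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line.strip():
            attr, _, val = line.partition(":")
            cur[attr.strip().lower()].append(val.strip())
        elif cur:
            entries.append(dict(cur))
            cur = defaultdict(list)
    return entries

def entries_with(text, attr, dn_value):
    """DNs of entries whose attr holds dn_value; more than one is the broken state."""
    want = norm_dn(dn_value)
    return [e["dn"][0] for e in parse_ldif(text)
            if any(norm_dn(v) == want for v in e.get(attr.lower(), []))]

def delete_ldif(keep_dn, dns):
    """ldapmodify input that deletes every listed entry except keep_dn."""
    keep = norm_dn(keep_dn)
    return "".join(f"dn: {d}\nchangetype: delete\n\n" for d in dns if norm_dn(d) != keep)
```

Feed the output of delete_ldif to ldapmodify only after backing the entries up as shown above.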


Legacy Article ID: a34621
