I have a fresh IDM 4.5.4 UA/Home/SSPR (v3.3.1.5b160r38861) install
running on SLES 11.4.

All patches for all IDM components (Engine, RL, UA, Home, SSPR, etc.)
have been applied as of July 9, 2016.

User Activation is enabled and a simple form is configured that requires
givenName, sn, and jackNumber to identify the user to be activated.
This is in a development environment so I have control over all of the
user attributes and I am 100% positive there is only one User object
with the distinct set of attributes that I am trying to test in the
activation process.

When I enter the correct values in the user activation form, I get the
following in the SSPR log:


2016-07-12T13:31:40Z, TRACE, http.PwmRequest, {1v} POST request for:
/sspr/public/ActivateUser [10.19.41.216]
processAction='activate'
dob='0101'
givenName='scott'
sn='summers'
pwmFormID='THGJkOHpWjujWDc2QxAbQo7POxdTRtcx155e0978e6ciKkvW'
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} beginning user
search process [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} performing ldap
search for user; searchID=42 profile=default base=o=chwidv
filter=SearchHelper: filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1 results
in 3ms; searchID=42 profile=default base=o=chwidv filter=SearchHelper:
filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} performing ldap
search for user; searchID=43 profile=default base=ou=users,o=chwidv
filter=SearchHelper: filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1 results
in 2ms; searchID=43 profile=default base=ou=users,o=chwidv
filter=SearchHelper: filter:
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)),
scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} completed user
search process in 7ms, resultSize=2 [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"f63ab040-d59e-4d29-9cbd-57a01925d2d1","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ATTRIBUTE\",\"subject\":\"givenName:scott\"}"}
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"18ec4a1d-dcbf-4383-8ca2-b6c58eacf824","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ATTRIBUTE\",\"subject\":\"sn:summers\"}"}
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"dea5d0a1-c3ef-4d3d-a36c-7bf39e8f66b3","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ATTRIBUTE\",\"subject\":\"dob:0101\"}"}
2016-07-12T13:31:40Z, DEBUG, event.AuditManager, discarding event,
INTRUDER_ATTEMPT are being ignored;
event={"instance":"DE57DBA1C5D9ED37","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"8b212764-5091-448d-8a90-de4b53385b18","timestamp":"2016-07-12T19:31:40Z","message":"{\"type\":\"ADDRESS\",\"subject\":\"10.19.41.216\"}"}
2016-07-12T13:31:40Z, DEBUG, servlet.ActivateUserServlet, {1v} 5016
ERROR_CANT_MATCH_USER (multiple user matches found) [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, http.PwmResponse, {1v} forwarding to
/WEB-INF/jsp/activateuser.jsp [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, http.SessionManager, {1v} incremented
request counter to r6W02, current
pwmFormID=THGJkOHpWjujWDc2QxAbQo7POxdTRtcx155e0978e6cr6W02
[10.19.41.216]


According to the log, resultSize=2 is returned from the search, meaning
that two objects were matched and so it cannot decide what user to
activate. This is incorrect. When I copy and paste the exact same LDAP
search filter
(&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101))
and search from the root of the tree, only one result is returned via
Apache Directory Studio.

Curiously, earlier in the trace it says that only one result was found:
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1
results in 3ms
However, this message appears twice (searchID=42 and searchID=43). It
appears that the search is being run twice for some reason.

I believe this to be a bug, but before I report it I thought I'd post to
see if anyone else has run into similar issues.


--
rhettplace
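
Added example, not part of the original post and not SSPR code: a small parser for the ldap.UserSearchEngine lines quoted above that lists each searchID with its search base and hit count, and flags search bases that sit inside one another. The log text is a constructed sample re-joined from the excerpt; the function names are hypothetical.

```python
import re

# Constructed sample: the two "found N results" entries and the summary entry
# from the excerpt above, re-joined onto single lines (forum wraps removed).
SAMPLE_LOG = """\
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1 results in 3ms; searchID=42 profile=default base=o=chwidv filter=SearchHelper: filter: (&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)), scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, TRACE, ldap.UserSearchEngine, {1v} found 1 results in 2ms; searchID=43 profile=default base=ou=users,o=chwidv filter=SearchHelper: filter: (&(objectClass=person)(sn=summers)(givenName=scott)(jackNumber=0101)), scope: SUBTREE, attributes: [] [10.19.41.216]
2016-07-12T13:31:40Z, DEBUG, ldap.UserSearchEngine, {1v} completed user search process in 7ms, resultSize=2 [10.19.41.216]
"""

FOUND = re.compile(
    r"found (\d+) results in \d+ms; searchID=(\d+) profile=(\S+) base=(\S+) filter=")
TOTAL = re.compile(r"completed user search process in \d+ms, resultSize=(\d+)")


def rdns(dn):
    """Split a DN into normalized RDNs (naive: assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(child, parent):
    """True if the DN `child` equals or lies beneath the DN `parent`."""
    c, p = rdns(child), rdns(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def analyze(log_text):
    """Summarize per-search hits and find search bases nested in one another."""
    searches = [(int(sid), base, int(n))
                for n, sid, _profile, base in FOUND.findall(log_text)]
    total = TOTAL.search(log_text)
    # (inner searchID, outer searchID) for every pair of overlapping bases
    overlaps = [(a[0], b[0]) for a in searches for b in searches
                if a[0] != b[0] and is_under(a[1], b[1])]
    return {
        "searches": searches,
        "hit_sum": sum(n for _sid, _base, n in searches),
        "result_size": int(total.group(1)) if total else None,
        "overlaps": overlaps,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for sid, base, hits in report["searches"]:
        print(f"searchID={sid} base={base} hits={hits}")
    print("sum of hits:", report["hit_sum"], "logged resultSize:", report["result_size"])
    print("nested bases (inner, outer):", report["overlaps"])
```

On this excerpt it reports the base of searchID=43 (ou=users,o=chwidv) as nested under the base of searchID=42 (o=chwidv), with the two single hits summing to the logged resultSize=2.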