Multiple entities with the same principal name

Follow these steps to troubleshoot when the error “multiple principals were found” is displayed during login.

Problem

An exception similar to the following example occurs:

00000014 exception     1 com.ibm.ws.wim.registry.util.UniqueIdBridge getUniqueUserId 
CWWIM4538E Multiple principals were found for the 'wimadmin' principal name.
00000014 exception     1com.ibm.ws.wim.registry.util.UniqueIdBridge 
getUniqueUserIdcom.ibm.websphere.wim.exception.EntityNotFoundException: 
CWWIM4538E 	Multiple principals were found for the 'wimadmin' principal name.
at com.ibm.ws.wim.registry.util.UniqueIdBridge.getUniqueUserId(UniqueIdBridge.java:168)

In this example, the virtual member manager trace shows that there are two entities with the same principal name, wimadmin, which are returned by the search() API. This causes the exception to occur.

uniqueName="uid=wimadmin,o=defaultWIMFileBasedRealm"
uniqueName="CN=wimadmin,OU=US,DC=COM"

Also, in this example, the same name is assigned to primaryAdminId in the security.xml file, as shown here. This causes the “multiple principals” exception to occur during login. The following example is broken into multiple lines for illustration purposes only.

<userRegistries 
xmi:type="security:WIMUserRegistry" 
xmi:id="WIMUserRegistry_1"
serverId="wimadmin" 
serverPassword="{xor}****************" 
realm="WIMREALM" 
ignoreCase="true" 
useRegistryServerId="false" 
primaryAdminId="wimadmin" 
registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

Solution

Virtual member manager does not allow you to use the same user ID more than once in a realm. For example, you cannot have the same user ID in different LDAP directories, even under different organizational structures. Hence, the user ID must be unique across the different repositories.

Consider a scenario where a primary admin user with the same name, wimadmin, exists in both a file repository and an LDAP repository. Use the WebSphere Application Server administrative console and follow these steps to remove the duplicate entry from the file repository.

  1. Log in with a valid user ID. A user ID is valid if it exists in this repository and there is no duplicate entry for this user ID.
  2. Create a user ID in the file repository called wimadmin2.
  3. Use the Administrative user roles page to add the user ID, wimadmin2, to the WebSphere Application Server administrator role.
  4. Use the Federated repositories configuration page to add the LDAP repository and base entry to the realm.
  5. Restart the server.
  6. Log in to WebSphere Application Server with the user ID, wimadmin2.
  7. Use the Manage Users page to delete the user ID named wimadmin from the file repository.
  8. Log out.
  9. Log in with the user ID wimadmin from the LDAP repository.

Each repository now has a unique primaryAdminId.
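Before federating another repository into a realm, it helps to confirm that no principal name already exists in more than one repository. The following script is an added example, not part of this IBM topic: it extracts the uniqueName values from virtual member manager trace text (the sample trace below is constructed), derives each entity's principal name from the leading uid= or cn= RDN, and reports names that would trigger CWWIM4538E. The ignore_case flag mirrors ignoreCase="true" in security.xml; the helper names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample trace text in the style of the virtual member manager
# trace shown above (not a real capture).
SAMPLE_TRACE = '''
uniqueName="uid=wimadmin,o=defaultWIMFileBasedRealm"
uniqueName="CN=wimadmin,OU=US,DC=COM"
uniqueName="uid=wimadmin2,o=defaultWIMFileBasedRealm"
uniqueName="CN=Alice,OU=US,DC=COM"
'''

UNIQUE_NAME_RE = re.compile(r'uniqueName="([^"]*)"')
# The principal name is the value of the leading uid= or cn= RDN.
RDN_RE = re.compile(r'^\s*(?:uid|cn)\s*=\s*([^,]+)', re.IGNORECASE)


def unique_names(trace_text):
    """Extract every uniqueName="..." value from trace text, in order."""
    return UNIQUE_NAME_RE.findall(trace_text)


def principal_name(unique_name):
    """Return the principal name encoded in a uniqueName (uid= or cn= RDN)."""
    m = RDN_RE.match(unique_name)
    if not m:
        raise ValueError(f"no uid/cn RDN in {unique_name!r}")
    return m.group(1).strip()


def find_duplicate_principals(names, ignore_case=True):
    """Map principal name -> uniqueNames when more than one entity carries
    that name. ignore_case mirrors ignoreCase="true" in security.xml."""
    groups = defaultdict(list)
    for un in names:
        name = principal_name(un)
        groups[name.lower() if ignore_case else name].append(un)
    return {k: v for k, v in groups.items() if len(v) > 1}


def primary_admin_is_unique(primary_admin_id, names, ignore_case=True):
    """True when primaryAdminId resolves to exactly one entity in the realm."""
    key = primary_admin_id.lower() if ignore_case else primary_admin_id
    hits = [un for un in names
            if (principal_name(un).lower() if ignore_case else principal_name(un)) == key]
    return len(hits) == 1


if __name__ == "__main__":
    names = unique_names(SAMPLE_TRACE)
    for principal, entities in find_duplicate_principals(names).items():
        print(f"CWWIM4538E risk: '{principal}' found in {len(entities)} entities: {entities}")
    print("primaryAdminId wimadmin unique:", primary_admin_is_unique("wimadmin", names))
```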


Last updated: March 6, 2017 0:20
File name: MultipleEntitiesWithSamePrincipalName.html