Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Re: Error - Found multiple matching subjects

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Re: Error - Found multiple matching subjects

Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: Stephen A Sazama <>
  • Cc: Akki Kumar <>, "" <>
  • Subject: RE: [grouper-users] Re: Error - Found multiple matching subjects
  • Date: Wed, 24 May 2017 17:34:32 +0000
  • Accept-language: en-US
  • Authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
  • Ironport-phdr: 9a23:0ehoORGLR+UTuL7UVXYgh51GYnF86YWxBRYc798ds5kLTJ76psi+bnLW6fgltlLVR4KTs6sC0LuJ9fu5EjVYvN6oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCzbL52Lhi6twvcutQZjYd/Nqo8ygbCr2dVdehR2W5mP0+YkQzm5se38p5j8iBQtOwk+sVdT6j0fLk2QKJBAjg+PG87+MPktR/YTQuS/XQcSXkZkgBJAwfe8h73WIr6vzbguep83CmaOtD2TawxVD+/4apnVAPkhSEaPDMi7mrZltJ/g75aoBK5phxw3YjUYJ2ONPFjeq/RZM4WSXZdUspUUSFKH4GyYJYVD+cZPehWsZTzp0cAoxW9CwmjBuLvxSNHiXLtx6I2z/gtHBva0AA8Hd8DtmnfotXvNKcVVOC41KfEwzfDbvJXxzj98pDEeQ0/rPGMR7JwcNHRxUcyHA7Ci1WftYzlPjOU1+sTqWiW9OtgVfmzhGI9tgFxuiagxsEqioXTmI0a103E+Dx/zY0oK9O4T0t7bsSlEJtWryybOZV5Tdg5Q2FvpCk6yaMJuYKhcCgR1psr3x/fa+Ccc4SS/hLjTP6dITh/hHJid7K/gwi9/VK8xe37U8m4yFdKrixZktbSrHAN0QLc6tSZRvdn4EiuxCuP2xjP6uFEO0A7i7DUJIM7zr4qi5oTt1zPETTsmEX3l6+abEQk+vOw5+TnfrXmuoecN5RqhQHkLKQuntKwAfgiPggMRWeb5/6z2KX/8kLjRrVGlOY5nbfBvJ/GP8sboKi5AwhJ0oo58BmwES+q0MkEnXkGKFJJYhSHgJb1O1zIPfv2Du+/jkyynDhx2/zKI7jsDojQInTelbrhc7lw51JAxAc2z91Q+Z1ZB7EELf/2REP9qMDUAgckPwG63+rrEtFw2p4EVW6RH6OUNLnevUKK6+8uJeSHeZUbtyznK/c/4v7jlX85lkEZfamuxZYZcGy1EPN6L0mHeHbhnNUOHXoTsgo5V+PllkeOUTlOZ3auRK084Sw7CIS7AovZXoCtmruB3DulEZJKemBGC1eMEXHye4WDRvcMdCaSIshmkjwHT7SuV4gh1RS2uA/7zbpoMPbU9zUGuZ35yNR5+ujemQwv+TBpCsmd3W6AQ31okm4NRTI5wq9yrEx4x1qGz6R0n+BUGcRW5/xTUwc6MZDcz/Z9C9D3Qg/Be8uGSFamQ9SnHz4xVMk8w94VY0lhAdmikwjD0DSsA78TjbCEGoE78r/E03jrO8l902rG1LUmj1Q+TctPL2qmhrNn9wfNHY7FiliZl720eqQGxy7A72ODzWuVvEFESw58T7/JXXEZZkvKs9v5/EXCQKGyCbg5KAdO19ONKrYZIuHu2G5aSe/jNdKWSiqKknW5AB/AkqiXZZjjfmw1wSDRTkUIjlZA02yBMF10JjazrniaRBduD1P0KQu49OJ+uWG2VGc11ArMclVs0bzz9xII06/PA8gP164J7X9y4w5/G0ywipePU4KN
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Im not saying use external subjects.  Im saying there is an example in that wiki of restricting folders for certain subject sources (in that case external, but in your case whatever source you want, e.g. AD)… know what I mean?


RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), rootStem, null, false, "someSourceId", Stem.Scope.SUB, "", "Person cannot be assigned if in this source");


RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), allowedStem, null, true, "someSourceId", Stem.Scope.SUB, "", "Person can be in this source");







From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 24, 2017 12:08 PM
To: Hyzer, Chris <>
Cc: Akki Kumar <>;
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects


Hi Chris,


Thanks for the info, we've got the patch now.


As for our other question, I'm not sure if external subjects are what we need (maybe they are). LDAP is a superset of AD. Should we remove AD as a source so only LDAP subjects can be added as members, or do we just need to tweak its configuration? Putting LDAP subjects into the AD-provisioned groups was not adding them into AD so we're missing something.


Thanks for any pointers,



On Sun, May 21, 2017 at 6:05 PM, Hyzer, Chris <> wrote:

I fixed the problem where subjects that have id’s in multiple sources cause an error in the UI.


2.3.0 UI patch #26.


These jiras are in the patch:


Same subject ID in multiple sources causes error:


Subject API diagnostic does not show for admins but might show for non admins:

NOTE: everyone should install the patch for this part…


Can be looping in CSRF when session dies:


Do you still need the other functionality?


Do you not have a source that has all members once?  i.e. is AD a superset of LDAP or viceversa?  Can you make a process that collates all subjects into one place (union of all subjects)?


Yes, you can mark folders as allowed or not allowed.  See the rule at the bottom of this wiki:









From: Stephen A Sazama [mailto:]
Sent: Wednesday, May 17, 2017 1:22 PM
To: Akki Kumar <>
Cc: Hyzer, Chris <>;
Subject: Re: [grouper-users] Re: Error - Found multiple matching subjects


Hi Chris,


I'll see if I can explain what we're trying to do. We have an LDAP source for all of our Grouper people subjects, and we are already provisioning a number of groups back to LDAP. We now want to provision some other groups into our Active Directory, so Akki added that as a source and the result is that we basically have 2 subjects for each person (one in LDAP source and one in AD source), since they are identified by a numeric ID number that is present in both LDAP and AD. That just makes it confusing for users when they go to add a group member and get 2 options that appear to be the same, so we want to figure out what is the best way for us to configure this.


- Do we want AD to be a second source, or can we configure it as something else since we only want to provision out to it? AD subjects wouldn't be needed if we can get it to recognize LDAP subject memberships by the ID and provision those to AD.


- Is there a way to mark groups such that they can only be assigned members from a given source? For example, we would want all groups to use the LDAP source by default, but mark a few to use the AD source so we can provision memberships back to AD.


I would think this scenario (one source of record, multiple LDAP/AD/Database sources to provision to) is fairly common. Please let us know if there are any existing examples we can take a look at.





On Thu, May 11, 2017 at 2:39 PM, Akki Kumar <> wrote:

Hi Chris,


The Sources.xml file has two different source ids (ldap & ad). When I search for the user (Screenshot - a.jpg) in the Member Name or ID field, it spins and errors out (do not show the drop down). However, when I search for the user in the Search for an entity window (Screenshot - c.jpg), and it works. I am little baffled as to why the userid search work in the  Search for an entity window and not for the Member Name or ID.


Is screenshot will fine? I have attached screenshots to below link:





Both source ids, ldap & ad, points to a different directory access protocol.





On Thu, May 11, 2017 at 1:10 PM, Hyzer, Chris <> wrote:

So you have two sources, with different source ids, and you search for a user, and select the user in the drop down?  Then after selecting they user you click add, and I gives an error?


As you know, its best not to have overlaps in subject sources…  any chance you can get a normalized view of users in a database or something?  However, this should work.  If you type in the userid and click add, that wont work, but if you type in a userid, and select the user from the combobox, and click add, that should work.  That associates it with a source id (or at least it should J )


Any chance you can make a quick video (e.g. on your phone) of the screen where you get the error and send it to me so I can see how this happens?






From: Akki Kumar [mailto:]
Sent: Thursday, May 11, 2017 11:35 AM
To: Hyzer, Chris <>
Subject: Error - Found multiple matching subjects


Hi Chris,


I installed Grouper 2.3.0 and created two source adapters, LDAP & AD, in sources.xml. Grouper threw below error when I search for a user (after clicking on the "Add members" button). I believe, it's trying to search for a user in both, LDAP & AD, and that is one of the reason it found multiple subjects. 



  • Is there a way for a grouper to suggest both LDAP& AD user (in the search), instead of throwing an error? 



  • Multiple_Results parameter is set to true
  • All patches are applied to grouper api
  • I set authentication sourceId to ldap



2017-05-11 11:11:39,932: [ajp-nio-8009-exec-2] ERROR GrouperUiRestServlet.doGet(326) -  - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter

edu.internet2.middleware.subject.SubjectNotUniqueException: found multiple matching subjects: 2, <USER_NAME>,

Problem calling method addMemberFilter on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.thereCanOnlyBeOne(

        at edu.internet2.middleware.grouper.subj.SourcesXmlResolver.findByIdOrIdentifier(

        at edu.internet2.middleware.grouper.subj.CachingResolver.findByIdOrIdentifier(

        at edu.internet2.middleware.grouper.subj.ValidatingResolver.findByIdOrIdentifier(

        at edu.internet2.middleware.grouper.SubjectFinder.findByIdOrIdentifier(

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group$1.lookup(

        at edu.internet2.middleware.grouper.grouperUi.beans.dojo.DojoComboLogic.logic(

        at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Group.addMemberFilter(

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(

        at java.lang.reflect.Method.invoke(

        at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(

        at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(

        at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(

        at javax.servlet.http.HttpServlet.service(

        at javax.servlet.http.HttpServlet.service(

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(

        at org.owasp.csrfguard.CsrfGuardFilter.doFilter(

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(

        at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(


        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(


        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(

        at org.apache.catalina.core.StandardWrapperValve.invoke(

        at org.apache.catalina.core.StandardContextValve.invoke(

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(

        at org.apache.catalina.core.StandardHostValve.invoke(

        at org.apache.catalina.valves.ErrorReportValve.invoke(

        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(

        at org.apache.catalina.core.StandardEngineValve.invoke(

        at org.apache.catalina.connector.CoyoteAdapter.service(

        at org.apache.coyote.ajp.AjpProcessor.service(

        at org.apache.coyote.AbstractProcessorLight.process(

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(



        at java.util.concurrent.ThreadPoolExecutor.runWorker(

        at java.util.concurrent.ThreadPoolExecutor$

        at org.apache.tomcat.util.threads.TaskThread$



Thank you,






Archive powered by MHonArc 2.6.19.

Top of Page