Payment System log error - Customer lookupKeys already exist

Sometime users can be prevented from authentication on a device, while the payment-system.log contains one the following errors:
Customer [guid:<id>, lookupKey:<username>] not created because customer with that guid/lookupKey already exists
Error in communication, Status:BadRequest, Content:'"Customer lookupKeys already exist:<username>".'

Explanation

The usage flow with YSoft Payment System is expected to be the following:

  1. new user is created in LDAP server (or manually in YSoft SafeQ), for this user a money account is created in the Payment System - the unique binding is done using username (and this is considered to be a primary key in the Payment System database)

  2. user uses the system

  3. for example when the student leaves the school, he gets deactivated in the LDAP server and gets deactivated also in the Management server during LDAP replication (or is deactivated via YSoft SafeQ web interface), the money account in the payment system remains present though for further use

  4. when the user resumes studies, his account gets activated again in the LDAP server, account gets into active state in YSoft SafeQ as well and this account remains linked to the money account that is still present in the payment system - any outstanding debt or money left on the account before will be still linked to him

  5. user can use the system again

Typically the issue may arise when administrator deletes the user from LDAP in point 3 (instead of deactivation). This allows the creation of another user account with the same username in the LDAP server although it can be physically a different person (if the old account was just deactivated in LDAP, LDAP server would not allow creation of additional account with the same username). When such a new account is created after deletion, following can happen:

  • If LDAP replication parameters Overwrite user if already exists in database / Merge automatically generated accounts in YSoft SafeQ database / Check username uniqueness are enabled, the old deactivated account in YSoft SafeQ gets reactivated and it is linked to old money account in the Payment System. Old statistical data as well as any money/debt left on the money account is linked to that new physical person.

  • If LDAP replication parameters Overwrite user if already exists in database / Merge automatically generated accounts in YSoft SafeQ database / Check username uniqueness are disabled:
    Note: two outcomes are generally possible, depending on the timing (whether the full LDAP replication is performed in between the account deletion and the new account creation)

    • either the new account in YSoft SafeQ gets created (so the statistical data of previous user are not linked to new physical person) but the money account creation fails as the same username already exists in the Payment System

      • payment-system.log: Customer [guid:, lookupKey:] not created because customer with that guid/lookupKey already exists

      • payment-system.log: Error in communication, Status:BadRequest, Content:'"Customer lookupKeys already exist:<username>".'

    • or the old account in YSoft SafeQ stays active and stays linked to the old money account in the Payment System. Old statistical data as well as any money/debt left on the money account is linked to that new physical person. Some of the attributes from LDAP may not get propagated (such as change in the Cost Center or the name).

Generally speaking for all YSoft SafeQ versions we recommend to reconsider the way how the system is used in regards to the Payment System functionality to minimize the need for manual operations. For example we suggest to keep all mentioned LDAP replication parameters enabled and we also recommend to prevent deletion of accounts in LDAP server (instead of deletion move inactive accounts to a different OU and mark them as inactive - that way the same username cannot be reused in the future and duplicity is prevented). Optionally you could also order a paid customization that would alter the YSoft SafeQ behavior based on the use at the particular customer and based on the expected flow.

Resolution

To resolve an outstanding issue with the accounts that are already affected kindly use the button Remove prepaid accounts in the Payment System Administrative interface > Subjects. This deactivates the money account in a specific manner and the creation of a new one with the same username will not fail. When the button is used, administrator gets a warning that all funds and debts on the account will be forgotten.

YPSui.png

Before using button "Remove prepaid accounts" make sure to update to YSoft SafeQ 5 MU97 / YSoft SafeQ 6 Build 64 (SBT-3323) or newer.

Remove prepaid accounts in older releases:
YSoft SafeQ 5 MU96 and previous
YSoft SafeQ 6 Build 63 and previous

In older releases the button was designed for a specific use case, it was not intended to be used as described in this article. When used on the older release, it may trigger additional issues (conflict on column guid in table customer). Fixing these issues is extremely time consuming and therefore it is very important to update to the latest version before using it. Typically the usage in older version causes authentication issues followed by messages in payment-system.log:

  • No Customers created because customers with following lookupKeys already exist: <id>

  • Entitlement refresh failed: Customer lookupKeys already exist: <id>

  • The entitlement refresh failed with error: Customer lookupKeys already exist: <id>

These errors occurring in the older releases have two possible solutions:

  • deactivate user account in LDAP > create new account in LDAP with unique username > perform the Full LDAP replication (this will create a new user account in YSoft SafeQ and deactivate the old one) > at this point new money account in the Payment System can be created as well (e.g. by sending a print job to YSoft SafeQ or by authentication on the MFD).

  • request assistance at Y Soft help desk, please note solving the issue this way may be more time consuming than the previous option (Y Soft may provide SQL queries that will modify records for problematic user in SQDB5 / SQDB6 database - specifically add a suffix to "login" and "ext_id" and mark the account as disabled - that way next full LDAP replication will create a new account for problematic user without a need of making any changes on the LDAP side > that new account can have new money account created in a Payment System e.g. by authenticating on the Embedded Terminal).