Migrate DL from IDM but getting LDAP already exists error

Hi All,

We have IDM 4.7 in a Linux environment. We have an AD driver connected to a DC via a Remote Loader running on the DC.

We have 1000 DLs in AD created via IDM.

One DL got deleted directly from AD due to some events from IDM (not sure how; that troubleshooting needs to be done).

We are trying to recreate the DL with the Migrate from IDVault option in the AD driver. When we tried that, we got LDAP_ALREADY_EXISTS followed by NO_SUCH_OBJECT.


I already verified in AD that the DL does not exist.

From the log, we see the error below. Kindly help if you have come across the same issue or have any thoughts. Thanks in advance.

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20180125_120000" instance="\MyTree\MyOrg\System\DriverSet\Active Directory" version="4.1.0.0">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60" level="error" type="driver-general">
<ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
<client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
<server-err>00000562: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0
</server-err>
<server-err-ex win32-rc="1378"/>
</ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=DL_DIV7420_Users"/>
</status>
<status event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60" level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=DL_DIV7420_Users"/>
</status>
</output>
</nds>


Regards,
dk
  • On 05/20/2019 03:34 PM, dkdng wrote:
    >
    > We have IDM 4.7 in a Linux environment. We have an AD driver connected to
    > a DC via a Remote Loader running on the DC.
    >
    > We have 1000 DLs in AD created via IDM.
    >
    > One DL got deleted directly from AD due to some events from IDM (not
    > sure how; that troubleshooting needs to be done).


    Yes, definitely figure that out, hopefully via traces if they have not
    rotated yet.

    > We are trying to recreate the DL with the Migrate from IDVault option in
    > the AD driver. When we tried that, we got LDAP_ALREADY_EXISTS followed
    > by NO_SUCH_OBJECT.


    Sounds like it is not matching with an existing object, or else the
    placement is just all wrong.

    Does a new group create work?

    Does the object in the vault still have a processed association linking it
    to the MAD driver config object? If so, delete that and try again, perhaps.

    > I already verified in AD that the DL does not exist.
    >
    > From the log, we see the error below. Kindly help if you have come across
    > the same issue or have any thoughts. Thanks in advance.
    >
    > <nds dtdversion="1.1" ndsversion="8.7">
    > <source>
    > <product asn1id="" build="20180125_120000"
    > instance="\MyTree\MyOrg\System\DriverSet\Active Directory"
    > version="4.1.0.0">AD</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status
    > event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60"
    > level="error" type="driver-general">
    > <ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
    > <client-err ldap-rc="68"
    > ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
    > <server-err>00000562: UpdErr: DSID-031A1261, problem 6005
    > (ENTRY_EXISTS), data 0
    > </server-err>
    > <server-err-ex win32-rc="1378"/>
    > </ldap-err>
    > <operation-data attempt-to-match="true"
    > unmatched-src-dn="CN=DL_DIV7420_Users"/>
    > </status>
    > <status
    > event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60"
    > level="warning" type="driver-general">
    > <ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
    > <client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No
    > Such Object</client-err>
    > <server-err>0000208D: NameErr: DSID-03100238, problem 2001
    > (NO_OBJECT), data 0, best match of:
    > 'OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net'
    > </server-err>
    > <server-err-ex win32-rc="8333"/>
    > </ldap-err>
    > <operation-data attempt-to-match="true"
    > unmatched-src-dn="CN=DL_DIV7420_Users"/>
    > </status>
    > </output>
    > </nds>


    This is just the output document which results from your attempt to
    create, or something; we need to see the full trace, or at the very least
    the input document which led to this output document, though that will not
    tell us much more about how the whole thing went wrong, so we really do
    need a full trace, level three (3) or higher, from the engine.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • Hi,


    Does a new group create work?
    <ANS> A new group/DL creation works fine.


    Does the object in the vault still have a processed association linking it
    to the MAD driver config object? If so, delete that and try again, perhaps.

    <ANS> The association was already removed. We tried the Migrate option, but as I said it didn't work and threw the error. After that it creates a broken association (none).

    Below is the input doc. I have removed most of the members from the input as it had 40K members; I just kept 3 members here.

    <input>
    <add cached-time="20190520192854.979Z" class-name="group" dest-dn="CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net" event-id="MyIDMServer001#20190520192854#99#1:ca4d3f69-122c-465c-951f-693f4dca2c12" qualified-src-dn="O=MyOrg\OU=Meta\OU=Distribution Lists\CN=DL_DIV7420_Users" src-dn="\MyTree\MyOrg\Meta\Distribution Lists\DL_DIV7420_Users" src-entry-id="35008" timestamp="0#0">
    <add-attr attr-name="displayName">
    <value timestamp="1558373167#2" type="string">DL_DIV7420_Users</value>
    </add-attr>
    <add-attr attr-name="mail">
    <value timestamp="1558380054#2" type="string">DL_DIV7420_Users@Mydomain.com</value>
    </add-attr>
    <add-attr attr-name="managedBy">
    <value association-ref="01bde4f9a3cc3b4fa9605892f33aa8f0" timestamp="1512252679#7" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\HSAMUEL</value>
    </add-attr>
    <add-attr attr-name="member">
    <value association-ref="554ce70e550bdf4cb0fe1c5f0708f940" timestamp="1558353727#52" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User001</value>
    <value association-ref="886ae4de9a53414dafa25d55acbc981e" timestamp="1558363137#26" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User002</value>
    <value association-ref="85f5a23de0b4db47918d8588e76ac6ef" timestamp="1558364137#22" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User003</value>
    </add-attr>
    <add-attr attr-name="sAMAccountName">
    <value type="string">Distribution Lists-DL_DIV7420_Users</value>
    </add-attr>
    <add-attr attr-name="groupType">
    <value type="string">8</value>
    </add-attr>
    <add-attr attr-name="msExchRequireAuthToSendTo">
    <value type="string">TRUE</value>
    </add-attr>
    </add>
    <modify class-name="group" dest-dn="CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net" event-id="MyIDMServer001#20190520192854#99#1:ca4d3f69-122c-465c-951f-693f4dca2c12" qualified-src-dn="O=MyOrg\OU=Meta\OU=Distribution Lists\CN=DL_DIV7420_Users" src-dn="\MyTree\MyOrg\Meta\Distribution Lists\DL_DIV7420_Users" src-entry-id="35008">
    <modify-attr attr-name="mailNickname">
    <remove-all-values/>
    <add-value>
    <value type="string">DL_DIV7420_Users</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>

    I need to check with the AD admin team to look into AD in detail to see why it is throwing the error.

    Regards,
    dk
  • dkdng;2500034 wrote:
    Hi,


    Does a new group create work?
    <ANS> A new group/DL creation works fine.


    Does the object in the vault still have a processed association linking it
    to the MAD driver config object? If so, delete that and try again, perhaps.

    <ANS> The association was already removed. We tried the Migrate option, but as I said it didn't work and threw the error. After that it creates a broken association (none).

    Below is the input doc. I have removed most of the members from the input as it had 40K members; I just kept 3 members here.

    <input>
    <add cached-time="20190520192854.979Z" class-name="group" dest-dn="CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net" event-id="MyIDMServer001#20190520192854#99#1:ca4d3f69-122c-465c-951f-693f4dca2c12" qualified-src-dn="O=MyOrg\OU=Meta\OU=Distribution Lists\CN=DL_DIV7420_Users" src-dn="\MyTree\MyOrg\Meta\Distribution Lists\DL_DIV7420_Users" src-entry-id="35008" timestamp="0#0">
    <add-attr attr-name="displayName">
    <value timestamp="1558373167#2" type="string">DL_DIV7420_Users</value>
    </add-attr>
    <add-attr attr-name="mail">
    <value timestamp="1558380054#2" type="string">DL_DIV7420_Users@Mydomain.com</value>
    </add-attr>
    <add-attr attr-name="managedBy">
    <value association-ref="01bde4f9a3cc3b4fa9605892f33aa8f0" timestamp="1512252679#7" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\HSAMUEL</value>
    </add-attr>
    <add-attr attr-name="member">
    <value association-ref="554ce70e550bdf4cb0fe1c5f0708f940" timestamp="1558353727#52" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User001</value>
    <value association-ref="886ae4de9a53414dafa25d55acbc981e" timestamp="1558363137#26" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User002</value>
    <value association-ref="85f5a23de0b4db47918d8588e76ac6ef" timestamp="1558364137#22" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User003</value>
    </add-attr>
    <add-attr attr-name="sAMAccountName">
    <value type="string">Distribution Lists-DL_DIV7420_Users</value>
    </add-attr>
    <add-attr attr-name="groupType">
    <value type="string">8</value>
    </add-attr>
    <add-attr attr-name="msExchRequireAuthToSendTo">
    <value type="string">TRUE</value>
    </add-attr>
    </add>
    <modify class-name="group" dest-dn="CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net" event-id="MyIDMServer001#20190520192854#99#1:ca4d3f69-122c-465c-951f-693f4dca2c12" qualified-src-dn="O=MyOrg\OU=Meta\OU=Distribution Lists\CN=DL_DIV7420_Users" src-dn="\MyTree\MyOrg\Meta\Distribution Lists\DL_DIV7420_Users" src-entry-id="35008">
    <modify-attr attr-name="mailNickname">
    <remove-all-values/>
    <add-value>
    <value type="string">DL_DIV7420_Users</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>

    I need to check with the AD admin team to look into AD in detail to see why it is throwing the error.

    Regards,
    dk


    According to the log, the driver tried to do 2 operations:
    1. Add DL
    2. Immediately modify the group

    Maybe you have an issue with the second operation? (The group hasn't been created yet, but you are trying to modify it.)
  • On 5/20/2019 5:34 PM, dkdng wrote:
    >
    > Hi All,
    >
    > We have IDM 4.7 in a Linux environment. We have an AD driver connected to
    > a DC via a Remote Loader running on the DC.
    >
    > We have 1000 DLs in AD created via IDM.
    >
    > One DL got deleted directly from AD due to some events from IDM (not
    > sure how; that troubleshooting needs to be done).
    >
    > We are trying to recreate the DL with the Migrate from IDVault option in
    > the AD driver. When we tried that, we got LDAP_ALREADY_EXISTS followed
    > by NO_SUCH_OBJECT.
    >
    >
    > I already verified in AD that the DL does not exist.


    The OU you are trying to place it in does not exist.
    OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net

    >
    > From the log, we see below error. Kindly help if you have come across
    > the same issue or any thoughts.... Thanks in advance.
    >
    > <nds dtdversion="1.1" ndsversion="8.7">
    > <source>
    > <product asn1id="" build="20180125_120000"
    > instance="\MyTree\MyOrg\System\DriverSet\Active Directory"
    > version="4.1.0.0">AD</product>
    > <contact>NetIQ Corporation</contact>
    > </source>
    > <output>
    > <status
    > event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60"
    > level="error" type="driver-general">
    > <ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
    > <client-err ldap-rc="68"
    > ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
    > <server-err>00000562: UpdErr: DSID-031A1261, problem 6005
    > (ENTRY_EXISTS), data 0
    > </server-err>
    > <server-err-ex win32-rc="1378"/>
    > </ldap-err>
    > <operation-data attempt-to-match="true"
    > unmatched-src-dn="CN=DL_DIV7420_Users"/>
    > </status>
    > <status
    > event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60"
    > level="warning" type="driver-general">
    > <ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
    > <client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No
    > Such Object</client-err>
    > <server-err>0000208D: NameErr: DSID-03100238, problem 2001
    > (NO_OBJECT), data 0, best match of:
    > 'OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net'
    > </server-err>
    > <server-err-ex win32-rc="8333"/>
    > </ldap-err>
    > <operation-data attempt-to-match="true"
    > unmatched-src-dn="CN=DL_DIV7420_Users"/>
    > </status>
    > </output>
    > </nds>
    >
    >
    > Regards,
    > dk
    >
    >
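
A check for the two status documents discussed in this thread, added here as an example; it is not code from any post above or from the NetIQ driver. It parses the driver's <output> status XML, pairs the generic LDAP result code with the Win32 code AD attaches in <server-err-ex> (from winerror.h: 1378 is ERROR_MEMBER_IN_ALIAS, the code AD returns when a member value being added is already a member of the group; 8333 is ERROR_DS_OBJ_NOT_FOUND), and compares the dest-dn from the posted input document with the "best match" DN AD returns on NO_SUCH_OBJECT, listing the RDNs to the left of that match, i.e. the components AD could not resolve. The sample document is the one posted above with the <source> block and event-id attributes trimmed; the DN is the dest-dn from the posted <add>. On the posted data the unresolved component is CN=DL_DIV7420_Users itself, with the OU chain resolving as the best match.

```python
"""Interpret an IDM AD driver <output> status document (added example)."""
import re
import xml.etree.ElementTree as ET

# Win32 codes AD attaches to these LDAP results in <server-err-ex> (winerror.h).
# The LDAP rc is generic; the Win32 code says what actually collided or was missing.
WIN32_NAMES = {
    1378: "ERROR_MEMBER_IN_ALIAS: the specified account name is already a member of the group",
    1379: "ERROR_ALIAS_EXISTS: the specified local group already exists",
    8333: "ERROR_DS_OBJ_NOT_FOUND: directory object not found",
}

# Constructed sample: the status document from the thread, <source> and event-ids trimmed.
SAMPLE_OUTPUT = """<nds dtdversion="1.1" ndsversion="8.7">
<output>
<status level="error" type="driver-general">
<ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
<client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
<server-err>00000562: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0
</server-err>
<server-err-ex win32-rc="1378"/>
</ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=DL_DIV7420_Users"/>
</status>
<status level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
</status>
</output>
</nds>"""

# dest-dn taken from the <add> in the posted input document.
DEST_DN = "CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net"


def split_dn(dn):
    """Split a DN into RDNs. These DNs contain no escaped commas, so a plain
    split is sufficient; a general parser would honour backslash escapes."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def same_rdn(a, b):
    """AD compares DN components case-insensitively (type and value)."""
    return a.lower() == b.lower()


def parse_statuses(xml_text):
    """One dict per <status>: level, LDAP rc, Win32 rc and, for NO_SUCH_OBJECT,
    the 'best match' DN AD reports (the deepest ancestor it could resolve)."""
    results = []
    for status in ET.fromstring(xml_text).iter("status"):
        err = status.find("ldap-err")
        if err is None:
            continue
        ex = err.find("server-err-ex")
        server_err = err.findtext("server-err", default="")
        m = re.search(r"best match of:\s*'([^']*)'", server_err)
        results.append({
            "level": status.get("level"),
            "ldap_rc": int(err.get("ldap-rc")),
            "ldap_rc_name": err.get("ldap-rc-name"),
            "win32_rc": int(ex.get("win32-rc")) if ex is not None and ex.get("win32-rc") else None,
            "best_match": m.group(1).strip() if m else None,
        })
    return results


def missing_rdns(dest_dn, best_match):
    """RDNs of dest_dn to the left of AD's best-match suffix, i.e. the components
    AD could not resolve. None if best_match is not a suffix of dest_dn at all."""
    dest, best = split_dn(dest_dn), split_dn(best_match)
    if len(best) > len(dest):
        return None
    suffix = dest[len(dest) - len(best):]
    if not all(same_rdn(a, b) for a, b in zip(suffix, best)):
        return None
    return dest[:len(dest) - len(best)]


def diagnose(xml_text, dest_dn):
    """Summarise each status as (ldap_rc, Win32 description, unresolved RDNs or None)."""
    summary = []
    for s in parse_statuses(xml_text):
        unresolved = missing_rdns(dest_dn, s["best_match"]) if s["best_match"] else None
        win32 = WIN32_NAMES.get(s["win32_rc"], f"win32 {s['win32_rc']}")
        summary.append((s["ldap_rc"], win32, unresolved))
    return summary


if __name__ == "__main__":
    for rc, win32, unresolved in diagnose(SAMPLE_OUTPUT, DEST_DN):
        print(rc, win32, unresolved)
```

Run it against a full level-3 trace by feeding each <output> document it contains; the Win32 code is the part worth reading first, since rc 68 on its own does not say whether the collision was the group DN, its name, or a member value.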


  • We have identified the issue. The issue is: when we do a migrate from IDVault, there are 2 events getting generated
    1. Add DL
    2. Modify member

    We ignored member on the Group object in the filter. After that, when we did the migrate, the DL got created and the association was also added properly.

    Now we need to sync the members. We enabled sync for the member attribute in the filter. But when we did the migrate again, the driver didn't push the members to AD; only the new members added in IDM
    get updated in the DL.

    Not the existing members.

    So we used the Send events to driver option on the command line to add users as members. But the limitation is that we can send only 1000 member adds in one event.

    Is there any better way to sync members?

    Regards,
    dk
  • On 05/21/2019 08:14 AM, dkdng wrote:
    >
    > We have identified the issue. The issue is: when we do a migrate from
    > IDVault, there are 2 events getting generated
    > 1. Add DL
    > 2. Modify member


    Yes, we saw that in the trace; the first one errored with
    "LDAP_ALREADY_EXISTS" and the second failed with "NO_SUCH_OBJECT", even
    though both seemed to have the same destination DN.

    > We ignored member on the Group object in the filter. After that, when we
    > did the migrate, the DL got created and the association was also added properly.


    What's different about the input document in this case? The error, about
    the object existing, should not go away just because one attribute or
    another is present; the object exists, thus you cannot create it no matter
    what the attributes.

    > Now we need to sync the members. We enabled sync for the member attribute
    > in the filter. But when we did the migrate again, the driver didn't push
    > the members to AD; only the new members added in IDM
    > get updated in the DL.


    I'm not sure what this means, and without a trace we cannot do more than
    speculate.

    > Not the existing members.


    Doesn't make much sense, unless the existing members do not have
    associations, in which case this is working as designed. Normally a group
    will only synchronize members with associations, as otherwise the IDM
    system does not know how to find the correct members on the application side.

    > So we used the Send events to driver option on the command line to add
    > users as members. But the limitation is that we can send only 1000
    > member adds in one event.
    >
    > Is there any better way to sync members?


    It should have worked from the start, at least assuming the group object
    did not exist. That it eventually "created" makes me think your Microsoft
    Active Directory (MAD) environment is experiencing some fairly severe
    replication issues. If it did not in fact create, then you may have
    policy issues causing matching to not be tried when it should have been,
    and perhaps now it was tried allowing a match to take place.

    We really need traces, full ones, not just the final input documents which
    result in errors or successes. The full trace will show logic applied
    which may not make any sense (logic errors), or may show attempts to match
    which fail (configuration errors), or may show other data coming back from
    the application with more detail than we can get any other way.

    --
    Good luck.

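
A batching helper for the member sync discussed in the last two posts (the 1000-member-per-event limit dk hit with Send events to driver, and the point that only members with associations can be synchronized), added here as an example rather than anything from the thread or the product. It takes the vault DN and association for each member, leaves out members that have no association (and reports them, since the driver cannot resolve them on the AD side), drops a second occurrence of the same association (AD rejects a member that is already present with 0x562 / ERROR_MEMBER_IN_ALIAS rather than ignoring it), and emits one <input> document per batch of at most 1000 add-values, in the shape of the <modify> posted above. The member list is constructed; the DNs and the 1000 limit are the thread's; whether the tool used to submit the events accepts these documents unchanged is an assumption.

```python
"""Batch group member adds into XDS <modify> events (added example)."""
import xml.etree.ElementTree as ET

# Per-event limit the poster hit with "Send events to driver".
BATCH_LIMIT = 1000

# DNs from the posted input document.
SRC_DN = "\\MyTree\\MyOrg\\Meta\\Distribution Lists\\DL_DIV7420_Users"
DEST_DN = "CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net"


def build_member_events(members, dest_dn=DEST_DN, src_dn=SRC_DN, batch_limit=BATCH_LIMIT):
    """members: iterable of (vault_dn, association_ref or None).

    Returns (docs, skipped, duplicates): docs is a list of <input> XML strings,
    each carrying one <modify> with at most batch_limit add-values; skipped are
    vault DNs with no association (the driver cannot resolve them in AD);
    duplicates are vault DNs whose association was already queued (AD rejects a
    member that is already present with 0x562 / ERROR_MEMBER_IN_ALIAS)."""
    queued, seen, skipped, duplicates = [], set(), [], []
    for vault_dn, assoc in members:
        if not assoc:
            skipped.append(vault_dn)
        elif assoc in seen:
            duplicates.append(vault_dn)
        else:
            seen.add(assoc)
            queued.append((vault_dn, assoc))

    docs = []
    for start in range(0, len(queued), batch_limit):
        inp = ET.Element("input")
        mod = ET.SubElement(inp, "modify", {"class-name": "group",
                                            "dest-dn": dest_dn, "src-dn": src_dn})
        attr = ET.SubElement(mod, "modify-attr", {"attr-name": "member"})
        for vault_dn, assoc in queued[start:start + batch_limit]:
            # Same value shape as the posted document: a vault DN with its association-ref.
            value = ET.SubElement(ET.SubElement(attr, "add-value"), "value",
                                  {"type": "dn", "association-ref": assoc})
            value.text = vault_dn
        docs.append(ET.tostring(inp, encoding="unicode"))
    return docs, skipped, duplicates


def count_values(doc):
    """Number of add-values in one generated document."""
    return len(ET.fromstring(doc).findall(".//add-value"))


def sample_members(n=2503):
    """Constructed input: n vault users under the OU from the posted document,
    every 500th one with no association, plus one repeat of User0007."""
    out = []
    for i in range(1, n + 1):
        dn = f"\\MyTree\\MyOrg\\Meta\\Identities\\Active\\Employees\\User{i:04d}"
        out.append((dn, None if i % 500 == 0 else f"{i:032x}"))
    out.append(out[6])  # duplicate of User0007
    return out


if __name__ == "__main__":
    docs, skipped, dups = build_member_events(sample_members())
    print(len(docs), "events;", [count_values(d) for d in docs], "values per event;",
          len(skipped), "skipped (no association);", len(dups), "duplicates dropped")
```

The skipped list is the thing to act on before resending: those members need to be matched and associated in the driver first, otherwise every batch will silently omit them and the DL will keep looking "partially synced".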