dkdng

Migrate DL from IDM but getting ldap already exist error

Hi All,

We have IDM 4.7 in a Linux environment. We have an AD driver connected to a DC via a Remote Loader running on the DC.

We have 1000+ DLs in AD created via IDM.

One DL got deleted directly from AD due to some events from IDM (not sure how; that troubleshooting needs to be done).

We are trying to recreate the DL with the Migrate from IDVault option in the AD driver. When we tried that, we got LDAP_ALREADY_EXISTS followed by NO_SUCH_OBJECT.


I already verified in AD that the DL does not exist.

From the log, we see the error below. Kindly help if you have come across the same issue or have any thoughts. Thanks in advance.

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20180125_120000" instance="\MyTree\MyOrg\System\DriverSet\Active Directory" version="4.1.0.0">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60" level="error" type="driver-general">
<ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
<client-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
<server-err>00000562: UpdErr: DSID-031A1261, problem 6005 (ENTRY_EXISTS), data 0
</server-err>
<server-err-ex win32-rc="1378"/>
</ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=DL_DIV7420_Users"/>
</status>
<status event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60" level="warning" type="driver-general">
<ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
<client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No Such Object</client-err>
<server-err>0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net'
</server-err>
<server-err-ex win32-rc="8333"/>
</ldap-err>
<operation-data attempt-to-match="true" unmatched-src-dn="CN=DL_DIV7420_Users"/>
</status>
</output>
</nds>


Regards,
dk
Knowledge Partner

Re: Migrate DL from IDM but getting ldap already exist error

On 05/20/2019 03:34 PM, dkdng wrote:
>
> We have IDM 4.7 in a Linux environment. We have an AD driver connected to
> a DC via a Remote Loader running on the DC.
>
> We have 1000+ DLs in AD created via IDM.
>
> One DL got deleted directly from AD due to some events from
> IDM (not sure how; that troubleshooting needs to be done).


Yes, definitely figure that out, hopefully via traces if they have not
rotated yet.

> We are trying to recreate the DL with the Migrate from IDVault option in the AD
> driver. When we tried that, we got LDAP_ALREADY_EXISTS
> followed by NO_SUCH_OBJECT.


Sounds like it is not matching with an existing object, or else the
placement is just all wrong.

Does a new group create work?

Does the object in the vault still have a processed association linking it
to the MAD driver config object? If so, delete that and try again, perhaps.

> I already verified in AD that the DL does not exist.
>
> From the log, we see the error below. Kindly help if you have come across
> the same issue or have any thoughts. Thanks in advance.
>
> <nds dtdversion="1.1" ndsversion="8.7">
> <source>
> <product asn1id="" build="20180125_120000"
> instance="\MyTree\MyOrg\System\DriverSet\Active Directory"
> version="4.1.0.0">AD</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <output>
> <status
> event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60"
> level="error" type="driver-general">
> <ldap-err ldap-rc="68" ldap-rc-name="LDAP_ALREADY_EXISTS">
> <client-err ldap-rc="68"
> ldap-rc-name="LDAP_ALREADY_EXISTS">Already Exists</client-err>
> <server-err>00000562: UpdErr: DSID-031A1261, problem 6005
> (ENTRY_EXISTS), data 0
> </server-err>
> <server-err-ex win32-rc="1378"/>
> </ldap-err>
> <operation-data attempt-to-match="true"
> unmatched-src-dn="CN=DL_DIV7420_Users"/>
> </status>
> <status
> event-id="gotsvl1789#20190520181703#99#1:74ec943f-609f-487b-b65b-3f94ec749f60"
> level="warning" type="driver-general">
> <ldap-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">
> <client-err ldap-rc="32" ldap-rc-name="LDAP_NO_SUCH_OBJECT">No
> Such Object</client-err>
> <server-err>0000208D: NameErr: DSID-03100238, problem 2001
> (NO_OBJECT), data 0, best match of:
> 'OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net'
> </server-err>
> <server-err-ex win32-rc="8333"/>
> </ldap-err>
> <operation-data attempt-to-match="true"
> unmatched-src-dn="CN=DL_DIV7420_Users"/>
> </status>
> </output>
> </nds>


This is just the output document which results from your attempt to
create, or something; we need to see the full trace, or at the very least
the input document which led to this output document, though that will not
tell us much more about how the whole thing went wrong, so we really do
need a full trace, level three (3) or higher, from the engine.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
dkdng

Re: Migrate DL from IDM but getting ldap already exist error

Hi,

> Does a new group create work?

New group/DL creation works fine.

> Does the object in the vault still have a processed association linking it
> to the MAD driver config object? If so, delete that and try again, perhaps.

The association was already removed. We tried the Migrate option, but as I said it didn't work, throwing the error. After that it's creating the broken association (none).

Below is the input doc. I have removed most of the members from the input as it had 40K+ members; I just kept 3 members here.

<input>
<add cached-time="20190520192854.979Z" class-name="group" dest-dn="CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net" event-id="MyIDMServer001#20190520192854#99#1:ca4d3f69-122c-465c-951f-693f4dca2c12" qualified-src-dn="O=MyOrg\OU=Meta\OU=Distribution Lists\CN=DL_DIV7420_Users" src-dn="\MyTree\MyOrg\Meta\Distribution Lists\DL_DIV7420_Users" src-entry-id="35008" timestamp="0#0">
<add-attr attr-name="displayName">
<value timestamp="1558373167#2" type="string">DL_DIV7420_Users</value>
</add-attr>
<add-attr attr-name="mail">
<value timestamp="1558380054#2" type="string">DL_DIV7420_Users@Mydomain.com</value>
</add-attr>
<add-attr attr-name="managedBy">
<value association-ref="01bde4f9a3cc3b4fa9605892f33aa8f0" timestamp="1512252679#7" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\HSAMUEL</value>
</add-attr>
<add-attr attr-name="member">
<value association-ref="554ce70e550bdf4cb0fe1c5f0708f940" timestamp="1558353727#52" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User001</value>
<value association-ref="886ae4de9a53414dafa25d55acbc981e" timestamp="1558363137#26" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User002</value>
<value association-ref="85f5a23de0b4db47918d8588e76ac6ef" timestamp="1558364137#22" type="dn">\MyTree\MyOrg\Meta\Identities\Active\Employees\User003</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value type="string">Distribution Lists-DL_DIV7420_Users</value>
</add-attr>
<add-attr attr-name="groupType">
<value type="string">8</value>
</add-attr>
<add-attr attr-name="msExchRequireAuthToSendTo">
<value type="string">TRUE</value>
</add-attr>
</add>
<modify class-name="group" dest-dn="CN=DL_DIV7420_Users,OU=DistributionLists,OU=MyOrg,dc=MyOrgnet,dc=Mydomain,dc=net" event-id="MyIDMServer001#20190520192854#99#1:ca4d3f69-122c-465c-951f-693f4dca2c12" qualified-src-dn="O=MyOrg\OU=Meta\OU=Distribution Lists\CN=DL_DIV7420_Users" src-dn="\MyTree\MyOrg\Meta\Distribution Lists\DL_DIV7420_Users" src-entry-id="35008">
<modify-attr attr-name="mailNickname">
<remove-all-values/>
<add-value>
<value type="string">DL_DIV7420_Users</value>
</add-value>
</modify-attr>
</modify>
</input>

I need to check with the AD Admin team to look into AD in detail to see why it is throwing the error.

Regards,
dk
Knowledge Partner

Re: Migrate DL from IDM but getting ldap already exist error

dkdng;2500034 wrote:
> [...]


According to the log, the driver tried to do 2 operations:
1. Add DL
2. Immediately modify group

Maybe you have an issue with the second operation? (The group hasn't been created yet, but you are trying to modify it.)
Knowledge Partner

Re: Migrate DL from IDM but getting ldap already exist error

On 5/20/2019 5:34 PM, dkdng wrote:
>
> Hi All,
>
> We have IDM 4.7 in a Linux environment. We have an AD driver connected to
> a DC via a Remote Loader running on the DC.
>
> We have 1000+ DLs in AD created via IDM.
>
> One DL got deleted directly from AD due to some events from
> IDM (not sure how; that troubleshooting needs to be done).
>
> We are trying to recreate the DL with the Migrate from IDVault option in the AD
> driver. When we tried that, we got LDAP_ALREADY_EXISTS
> followed by NO_SUCH_OBJECT.
>
>
> I already verified in AD that the DL does not exist.


The OU you are trying to place it in does not exist:
OU=DistributionLists,OU=MyOrg,DC=MyOrgnet,DC=MyDomain,DC=net

dkdng

Re: Migrate DL from IDM but getting ldap already exist error

We have identified the issue. When we do a migrate from the IDVault, 2 events get generated:
1. Add DL
2. Modify member

We ignored member on the Group object in the filter. After that, when we did the migrate, the DL got created and the association was also added properly.

Now we need to sync the members. We enabled sync for the member attribute in the filter, but when we did the migrate again, the driver didn't push the members to AD. Only the new members added in IDM get updated in the DL,
not the existing members.

So we used the Send events to driver option in the command line to add users to member, but the limitation is that we can only send 1000 member adds in one event.

Is there any better way to sync members?

Regards,
dk
Knowledge Partner

Re: Migrate DL from IDM but getting ldap already exist error

On 05/21/2019 08:14 AM, dkdng wrote:
>
> We have identified the issue. When we do a migrate from
> the IDVault, 2 events get generated:
> 1. Add DL
> 2. Modify member


Yes, we saw that in the trace; the first one errored with
"LDAP_ALREADY_EXISTS" and the second failed with "NO_SUCH_OBJECT", even
though both seemed to have the same destination DN.

> We ignored member on the Group object in the filter. After that, when we did the
> migrate, the DL got created and the association was also added properly.


What's different about the input document in this case? The error, about
the object existing, should not go away just because one attribute or
another is present; the object exists, thus you cannot create it no matter
what the attributes.

> Now we need to sync the members. We enabled sync for the member attribute in
> the filter, but when we did the migrate again, the driver didn't push the members
> to AD. Only the new members added in IDM
> get updated in the DL.


I'm not sure what this means, and without a trace we cannot do more than
speculate.

> Not the existing members.


Doesn't make much sense, unless the existing members do not have
associations, in which case this is working as designed. Normally a group
will only synchronize members with associations, as otherwise the IDM
system does not know how to find the correct members on the application side.

> So we used the Send events to driver option in the command line to add users to
> member, but the limitation is that we can only send 1000 member adds in
> one event.
>
> Is there any better way to sync members?


It should have worked from the start, at least assuming the group object
did not exist. That it eventually "created" makes me think your Microsoft
Active Directory (MAD) environment is experiencing some fairly severe
replication issues. If it did not in fact create, then you may have
policy issues causing matching to not be tried when it should have been,
and perhaps now it was tried allowing a match to take place.

We really need traces, full ones, not just the final input documents which
result in errors or successes. The full trace will show logic applied
which may not make any sense (logic errors), or may show attempts to match
which fail (configuration errors), or may show other data coming back from
the application with more detail than we can get any other way.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
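As an added illustration (not code from this thread or from the IDM product), a small Python helper that reads an XDS document in the shape posted above, separates member values that carry an association-ref from those that do not (the case the reply above says will not synchronize), and batches the associated ones into modify events of at most 1000 values each, the per-event limit reported for Send events to driver. The sample input, DNs, attribute layout and the 1000 figure are constructed assumptions taken from the thread, not a product API.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): an XDS <input> shaped like the one
# posted above, trimmed to three member values, one of which lacks association-ref.
SAMPLE_INPUT = """<input>
<add class-name="group" dest-dn="CN=DL_EXAMPLE,OU=DistributionLists,DC=example,DC=net"
     src-dn="\\Tree\\Org\\Meta\\Distribution Lists\\DL_EXAMPLE">
<add-attr attr-name="member">
<value association-ref="11111111111111111111111111111111" type="dn">\\Tree\\Org\\Meta\\Identities\\Active\\Employees\\User001</value>
<value association-ref="22222222222222222222222222222222" type="dn">\\Tree\\Org\\Meta\\Identities\\Active\\Employees\\User002</value>
<value type="dn">\\Tree\\Org\\Meta\\Identities\\Active\\Employees\\User003</value>
</add-attr>
</add>
</input>"""

# Per-event ceiling reported in the thread for "Send events to driver" (assumption).
MAX_VALUES_PER_EVENT = 1000


def split_members(input_xml):
    """Return (associated, unassociated) member DNs from an XDS add/modify document.

    Members without an association-ref cannot be resolved on the AD side by the
    driver, so they are reported separately instead of being sent.
    """
    root = ET.fromstring(input_xml)
    associated, unassociated = [], []
    for value in root.iterfind(".//*[@attr-name='member']//value"):
        dn = (value.text or "").strip()
        (associated if value.get("association-ref") else unassociated).append(dn)
    return associated, unassociated


def build_member_events(dest_dn, src_dn, member_dns, batch_size=MAX_VALUES_PER_EVENT):
    """Emit XDS <modify> documents adding member values, at most batch_size per event."""
    events = []
    for start in range(0, len(member_dns), batch_size):
        modify = ET.Element("modify", {"class-name": "group",
                                       "dest-dn": dest_dn, "src-dn": src_dn})
        attr = ET.SubElement(modify, "modify-attr", {"attr-name": "member"})
        add_value = ET.SubElement(attr, "add-value")
        for dn in member_dns[start:start + batch_size]:
            ET.SubElement(add_value, "value", {"type": "dn"}).text = dn
        events.append(ET.tostring(modify, encoding="unicode"))
    return events


def count_values(event_xml):
    """Number of member values carried by one generated event (used for checking)."""
    return len(ET.fromstring(event_xml).findall(".//value"))


if __name__ == "__main__":
    ok, missing = split_members(SAMPLE_INPUT)
    print(f"{len(ok)} associated, {len(missing)} unassociated: {missing}")
    for event in build_member_events("CN=DL_EXAMPLE,OU=DistributionLists,DC=example,DC=net",
                                     "\\Tree\\Org\\Meta\\Distribution Lists\\DL_EXAMPLE", ok):
        print(event)
```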