on 11-11-2013 5:15 AM
Hi,
I pushed some users from AD to SAP IDM 7.2, and after a few days I assigned a role to a user which also contains the privilege to create an AD account.
As soon as I assigned the role it threw an error "NAME ALREADY BOUND EXCEPTION" in IDM, and after that the user's data (mail ID and address) appeared in capital letters in IDM.
Please help me: what should I do to prevent this, and what is the root cause of this issue? I have to assign that role to the user and I can't modify the role.
Thanks & Regards,
Chandan Kumar
A good way to get close to those issues is having a look at the job log (the file, not the view in Identity Center).
If I got you right, you've uploaded users from AD to IDM. After that you've assigned a role containing the AD account privilege. So I think IDM tries to assign the account privilege and triggers a create, but this can't work if it is already created in AD.
best regards
Matthias
Hi,
I think this is a good approach. But you should also consider giving the account privilege to the identities uploaded from AD. Otherwise you won't have the right privileges assigned and I think you might run into trouble when it comes to deactivation or deletion of AD accounts. Adding a privilege with the modifier {DIRECT_PROVISION=1} adds the privilege without triggering the MX_ADD/DEL_MEMBER_TASK.
best regards
Matthias
Hi Krishna,
I think this should be done, but I'd check this for some identities - just to make sure.
Especially it's important that the link has the correct link state.
DIRECT_PROVISION=1 is very helpful when it comes to cleanup and/or repair situations.
Another helpful modifier is BYPASS_VALIDATE_TASK=1, which skips the VALIDATE* tasks - see http://help.sap.com/saphelp_nwidmic72/en/managing_passes/to_passes/dse_specifying_attribute_properti... for details
best regards
Matthias
Hi Matt & Peter,
I have also attached the job log of the NAME ALREADY BOUND EXCEPTION error in JPEG format.
Please find the attachment.
This one was much more interesting. I did not know this code off of the top of my head and had to look it up.
This error, 68, has the generic name of LDAP Already Exists. (Obviously your LDAP or JAVA implementation is causing a differently worded error to be thrown.)
From what I can tell you're trying to force an ADD operation on a DN that already exists. Please search your LDAP DIT and see if you have another entry with the same DN already.
If you're still getting the error, please post a screenshot of the Destination tab of this Pass so we can try and figure this out.
Can you also tell us what version of AD you are using, along with the version of Java and Windows Server?
Thanks,
Matt
Can you also post the job information for the job that's throwing the error?
Thanks
Peter
Hello,
Can you please post the complete log entry showing this error?
Thanks,
Matt
Peeking through the thread it looks like you're throwing 2 different LDAP errors, 32 and 68. I'll address 32 in this reply and see what we can do with 68 in a separate reply.
LDAP Error 32 is a "No such object" Error. This means that some object in the DN you are creating does not yet exist.
Make sure that you have typed in the DN correctly to the dn value of the pass or the constant holding the value. Usually this occurs due to a typing error or transposing a part of the DN (usually the OU structure).
When I have errors like this, I usually like to go to my LDAP Browser and examine the OU/Container I wish to provision to. I then use the browser to grab the DN and then copy it into the MMC console.
Hope this helps!
Matt
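Added example, not part of the original thread and not SAP IDM code: a pre-flight check that predicts which of the two result codes discussed in the replies above (32 and 68) an LDAP ADD would return for a given DN. The directory contents, DNs and function names are constructed for illustration, and case-insensitive DN comparison is an assumption chosen to match how AD compares distinguished names.

```python
LDAP_SUCCESS = 0
LDAP_NO_SUCH_OBJECT = 32        # a parent container named in the DN is missing
LDAP_ENTRY_ALREADY_EXISTS = 68  # JNDI surfaces this as NameAlreadyBoundException

def split_dn(dn):
    """Split a DN into RDNs on commas, keeping backslash-escaped pairs intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # escaped character, e.g. "\," inside a CN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def normalize(dn):
    """Lower-case attribute types and values and drop padding around RDNs."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)

def predict_add(target_dn, existing_dns):
    """Return the LDAP result code an ADD of target_dn would be expected to get."""
    known = {normalize(d) for d in existing_dns}
    target = normalize(target_dn)
    if target in known:
        return LDAP_ENTRY_ALREADY_EXISTS      # account was already loaded from AD
    parent = ",".join(split_dn(target)[1:])
    if parent not in known:
        return LDAP_NO_SUCH_OBJECT            # typo or transposed OU in the DN
    return LDAP_SUCCESS

# Constructed sample directory (not taken from the thread).
SAMPLE_DIRECTORY = [
    "DC=example,DC=com",
    "OU=Users,DC=example,DC=com",
    r"CN=Smith\, John,OU=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in (r"cn=smith\, john, ou=users, dc=example, dc=com",
               "CN=New User,OU=Userz,DC=example,DC=com",
               "CN=New User,OU=Users,DC=example,DC=com"):
        print(predict_add(dn, SAMPLE_DIRECTORY), dn)
```

Running the same comparison against an export of the target OU before assigning the account privilege shows which identities would hit error 68 and are candidates for the DIRECT_PROVISION=1 approach mentioned earlier in the thread.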