When adding a "provisioning role" to an Identity Manager user, an error similar to the one below is recorded in the 'server.log'. Even though a failure is recorded, the provisioning role appears to be added successfully.
ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User '<USER>r' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=<USER>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
The 'server.log' records only the headline error; more details can be found in the provisioning logs ('etatrans<date>-<number>.log').
For example:
In this scenario the synchronization involves two endpoints: an Active Directory endpoint and a Salesforce endpoint. As indicated in the error message below, one fails and the other succeeds.
2019-05-10 14:16:32,832 ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User '<USER>' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=<USER>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
The failure occurs in the Active Directory component: the user cannot be added because the account already exists.
20190510:141630:TID=cd3b70:Add :S960:C957:F: FAILURE: Connector Server Add (eTADSAccountName=<USER>, Another)
20190510:141630:TID=cd3b70:Add :S960:C957:F: rc: 0x0013 (Constraint violation)
20190510:141630:TID=cd3b70:Add :S960:C957:F: msg: Connector Server Add failed: code 19 (CONSTRAINT_VIOLATION): failed to a
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dd entry eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSOrgUnitNa
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=<ORG>,eTADSDirectoryName=AD En
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@<JCSHOSTNAME>: JNDI: [LD
20190510:141630:TID=cd3b70:Add :S960:C957:F:+AP: error code 19 - Constraint Violation - Probable Cause: Duplicate account name
20190510:141630:TID=cd3b70:Add :S960:C957:F:+]: failed to add eTADSAccountName=<USER>, Another,eTADSOrgUnitName=TEST IAM,eTADSO
20190510:141630:TID=cd3b70:Add :S960:C957:F:+rgUnitName=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=<ORG>,eTADSDirectoryNa
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=AD Endpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://192.0.2.
20190510:141630:TID=cd3b70:Add :S960:C957:F:+255:20411)
The addition of the Role "ROLE_OPERATIONS_EMPLOYEE" is successful.
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: SUCCESS: Child CreateAcct (eTDYNDirectoryName=<directory_name>)
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: msg: :ETA_S_0015<AAC>, Account for Global User '<USER>' on Endpoint '<endpoint_
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F:+name> created successfully
20190510:141632:TID=cd3b70:Add :C964:E845:F: SUCCESS: Child Add (eTInclusionID=1)
20190510:141632:TID=cd3b70:Add :C964:E845:F: msg: :ETA_S_0031<SPO>, Account(s) derived from User '<[email protected]>'
20190510:141632:TID=cd3b70:Add :C964:E845:F:+and Account Template 'ROLE_OPERATIONS_EMPLOYEE' creation or upd
20190510:141632:TID=cd3b70:Add :C964:E845:F:+ate successful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)
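To find the failing endpoint without reading the wrapped lines by eye, the sketch below reassembles the '+' continuation lines of an etatrans log into whole records and lists the FAILURE entries with their rc and msg. It is an added example, not part of the original article or the product; the field layout is inferred from the excerpts above, and the sample lines (including the account name jdoe) are constructed.

```python
import re

# Field layout inferred from the excerpts on this page (an assumption):
# date:time:TID=<id>:<operation>:<id>:<id>:<flag>:<' ' or '+'><text>
LINE = re.compile(
    r"^(\d{8}):(\d{6}):TID=(\w+):([^:]+?)\s*:(\w+):(\w+):(\w):([ +])(.*)$"
)
HEAD = re.compile(r"^(SUCCESS|FAILURE): (.*)$")
FIELD = re.compile(r"^(\w+): (.*)$")

def parse_etatrans(lines):
    """Rebuild records from wrapped lines; '+' marks a continuation."""
    records, current, last = [], None, None
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a transaction line
        date, time, tid, op, obj, parent, _flag, cont, text = m.groups()
        if cont == "+":
            if current is not None:
                current[last] += text  # wrapped mid-word, so no separator
            continue
        head = HEAD.match(text)
        if head:  # a SUCCESS/FAILURE line opens a new record
            current = {"when": f"{date} {time}", "tid": tid, "op": op,
                       "ids": (obj, parent), "status": head.group(1),
                       "summary": head.group(2)}
            last = "summary"
            records.append(current)
            continue
        field = FIELD.match(text)
        if field and current is not None:  # rc: / msg: detail lines
            last = field.group(1)
            current[last] = field.group(2)
    return records

def failures(records):
    """Return only the records whose status line was FAILURE."""
    return [r for r in records if r["status"] == "FAILURE"]

# Constructed sample in the same shape as the excerpts above.
SAMPLE = """\
20190510:141630:TID=cd3b70:Add :S960:C957:F: FAILURE: Connector Server Add (eTADSAccountName=jdoe)
20190510:141630:TID=cd3b70:Add :S960:C957:F: rc: 0x0013 (Constraint violation)
20190510:141630:TID=cd3b70:Add :S960:C957:F: msg: Connector Server Add failed: code 19 (CONSTRAINT_VIOLATION): failed to a
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dd entry eTADSAccountName=jdoe: Probable Cause: Duplicate account name
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: SUCCESS: Child CreateAcct (eTDYNDirectoryName=example)
""".splitlines()

if __name__ == "__main__":
    for r in failures(parse_etatrans(SAMPLE)):
        print(r["when"], r["op"], r.get("rc"), r.get("msg"), sep=" | ")
```

Continuation text is joined with no separator because the log wraps mid-word; a space that fell exactly on a wrap boundary is not recoverable.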