ETA_E_0071<SGU> synchronization for additions with existing provisioning roles failed
Article ID: 132472
Updated On:
Products
CA Identity Manager
CA Identity Governance
CA Identity Portal
Issue/Introduction
When adding a "provisioning role" to an Identity manager user an error similar to the one below is recorded in the 'server.log'. Even though a failure is recorded the provisioning role appears to be added successfully.
ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User 'auser' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=auser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User 'auser' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=auser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
Environment
Identity Manager 14.x
Identity Suite 14.x
Identity Suite 14.x
Cause
Product is working as designed.
Resolution
The error recorded in the 'server.log' only records the headline error, more details can be found in the provisioning logs ('etatrans<date>-<number>.log').
For example:
In this scenario the synchronization involves two endpoints, an Active Directory and SalesForce endpoint. As indicated in the error message below, one fails and the other succeeds.
2019-05-10 14:16:32,832 ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User 'auser' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=auser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
The failure comes in the Active Directory component. The user cannot be added as the account already exists.
20190510:141630:TID=cd3b70:Add :S960:C957:F: FAILURE: Connector Server Add (eTADSAccountName=User, Another)
20190510:141630:TID=cd3b70:Add :S960:C957:F: rc: 0x0013 (Constraint violation)
20190510:141630:TID=cd3b70:Add :S960:C957:F: msg: Connector Server Add failed: code 19 (CONSTRAINT_VIOLATION): failed to a
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dd entry eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSOrgUnitNa
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=EFGINS,eTADSDirectoryName=AD En
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: [email protected]: JNDI: [LD
20190510:141630:TID=cd3b70:Add :S960:C957:F:+AP: error code 19 - Constraint Violation - Probable Cause: Duplicate account name
20190510:141630:TID=cd3b70:Add :S960:C957:F:+]: failed to add eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSO
20190510:141630:TID=cd3b70:Add :S960:C957:F:+rgUnitName=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=EFGINS,eTADSDirectoryNa
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=AD Endpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://192.168.1.
20190510:141630:TID=cd3b70:Add :S960:C957:F:+202:20411)
The addition of the Role "ROLE_OPERATIONS_EMPLOYEE" is successful.
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: SUCCESS: Child CreateAcct (eTDYNDirectoryName=Salesforce Production)
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: msg: :ETA_S_0015<AAC>, Account for Global User 'auser' on Endpoint 'Sale
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F:+sforce Production' created successfully
20190510:141632:TID=cd3b70:Add :C964:E845:F: SUCCESS: Child Add (eTInclusionID=1)
20190510:141632:TID=cd3b70:Add :C964:E845:F: msg: :ETA_S_0031<SPO>, Account(s) derived from User '[email protected]'
20190510:141632:TID=cd3b70:Add :C964:E845:F:+and Account Template 'ROLE_OPERATIONS_EMPLOYEE' creation or upd
20190510:141632:TID=cd3b70:Add :C964:E845:F:+ate successful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)sful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)
For example:
In this scenario the synchronization involves two endpoints, an Active Directory and SalesForce endpoint. As indicated in the error message below, one fails and the other succeeds.
2019-05-10 14:16:32,832 ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User 'auser' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=auser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
The failure comes in the Active Directory component. The user cannot be added as the account already exists.
20190510:141630:TID=cd3b70:Add :S960:C957:F: FAILURE: Connector Server Add (eTADSAccountName=User, Another)
20190510:141630:TID=cd3b70:Add :S960:C957:F: rc: 0x0013 (Constraint violation)
20190510:141630:TID=cd3b70:Add :S960:C957:F: msg: Connector Server Add failed: code 19 (CONSTRAINT_VIOLATION): failed to a
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dd entry eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSOrgUnitNa
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=EFGINS,eTADSDirectoryName=AD En
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: [email protected]: JNDI: [LD
20190510:141630:TID=cd3b70:Add :S960:C957:F:+AP: error code 19 - Constraint Violation - Probable Cause: Duplicate account name
20190510:141630:TID=cd3b70:Add :S960:C957:F:+]: failed to add eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSO
20190510:141630:TID=cd3b70:Add :S960:C957:F:+rgUnitName=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=EFGINS,eTADSDirectoryNa
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=AD Endpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://192.168.1.
20190510:141630:TID=cd3b70:Add :S960:C957:F:+202:20411)
The addition of the Role "ROLE_OPERATIONS_EMPLOYEE" is successful.
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: SUCCESS: Child CreateAcct (eTDYNDirectoryName=Salesforce Production)
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: msg: :ETA_S_0015<AAC>, Account for Global User 'auser' on Endpoint 'Sale
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F:+sforce Production' created successfully
20190510:141632:TID=cd3b70:Add :C964:E845:F: SUCCESS: Child Add (eTInclusionID=1)
20190510:141632:TID=cd3b70:Add :C964:E845:F: msg: :ETA_S_0031<SPO>, Account(s) derived from User '[email protected]'
20190510:141632:TID=cd3b70:Add :C964:E845:F:+and Account Template 'ROLE_OPERATIONS_EMPLOYEE' creation or upd
20190510:141632:TID=cd3b70:Add :C964:E845:F:+ate successful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)sful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)
Feedback
Yes
No
Powered by
