ETA_E_0071<SGU> synchronization for additions with existing provisioning roles failed

book

Article ID: 132472

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

When adding a "provisioning role" to an Identity manager user an error similar to the one below is recorded in the 'server.log'.  Even though a failure is recorded the provisioning role appears to be added successfully.

ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User 'auser' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=auser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta' 

Cause

Product is working as designed.

Environment

Identity Manager 14.x
Identity Suite 14.x

Resolution

The error recorded in the 'server.log' only records the headline error, more details can be found in the provisioning logs ('etatrans<date>-<number>.log').

For example:

In this scenario the synchronization involves two endpoints, an Active Directory and SalesForce endpoint.  As indicated in the error message below, one fails and the other succeeds. 

2019-05-10 14:16:32,832 ERROR [im.provisioning] (Thread-369 (HornetQ-client-global-threads-459619755)) javax.naming.NamingException: [LDAP: error code 1 - :ETA_E_0071<SGU>, Global User 'auser' synchronization for additions with existing provisioning roles failed: (accounts created: 1, updated: 0, re-created: 0, failures: 1) ]; remaining name 'eTGlobalUserName=auser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta' 

The failure comes in the Active Directory component. The user cannot be added as the account already exists. 

20190510:141630:TID=cd3b70:Add :S960:C957:F: FAILURE: Connector Server Add (eTADSAccountName=User, Another) 
20190510:141630:TID=cd3b70:Add :S960:C957:F: rc: 0x0013 (Constraint violation) 
20190510:141630:TID=cd3b70:Add :S960:C957:F: msg: Connector Server Add failed: code 19 (CONSTRAINT_VIOLATION): failed to a 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dd entry eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSOrgUnitNa 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=EFGINS,eTADSDirectoryName=AD En 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+dpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: [email protected]: JNDI: [LD 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+AP: error code 19 - Constraint Violation - Probable Cause: Duplicate account name 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+]: failed to add eTADSAccountName=User, Another,eTADSOrgUnitName=TEST IAM,eTADSO 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+rgUnitName=POLICY,eTADSOrgUnitName=USERS,eTADSOrgUnitName=EFGINS,eTADSDirectoryNa 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+me=AD Endpoint,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://192.168.1. 
20190510:141630:TID=cd3b70:Add :S960:C957:F:+202:20411) 


The addition of the Role "ROLE_OPERATIONS_EMPLOYEE" is successful. 

20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: SUCCESS: Child CreateAcct (eTDYNDirectoryName=Salesforce Production) 
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F: msg: :ETA_S_0015<AAC>, Account for Global User 'auser' on Endpoint 'Sale 
20190510:141632:TID=cd3b70:CreateAcct:C966:C964:F:+sforce Production' created successfully 
20190510:141632:TID=cd3b70:Add :C964:E845:F: SUCCESS: Child Add (eTInclusionID=1) 
20190510:141632:TID=cd3b70:Add :C964:E845:F: msg: :ETA_S_0031<SPO>, Account(s) derived from User '[email protected]
20190510:141632:TID=cd3b70:Add :C964:E845:F:+and Account Template 'ROLE_OPERATIONS_EMPLOYEE' creation or upd 
20190510:141632:TID=cd3b70:Add :C964:E845:F:+ate successful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)
sful: (accounts created: 1, updated: 0, re-created: 0, failures: 0)