Switch user between LDAP and IAM database results in 'email already exists'

Article ID: 202533

Products

CA Cloud Test Mobile CA Application Test

Issue/Introduction

Switching userid between the LDAP and the Identity Access Manager (IAM) embedded database results in 'email already exists'.

The following scenario for a particular userid resulted in an error (email already exists) when trying to create the user:
1) No LDAP integration. The user was created with an email address in IAM. There was no problem logging in with this user.
2) The user was deleted in IAM.
3) LDAP integration was configured. No problem logging in with the same userid that exists in LDAP.
4) LDAP integration was disabled. As expected, it is no longer possible to log in with the userid.
5) Now, when trying to create the userid in IAM and clicking Save, there is an error: email already exists.

How can the LDAP user's email address be cleared so that the internal IAM user can be created?

Environment

Release : 10.6

Component : CA Service Virtualization

Resolution

The user details, including the email address, are stored in the USER_ENTITY table. If you have configured an external database for IAM, such as SQL Server, you can use SQL Server Management Studio to inspect the table.
If you are using the embedded IAM database, this data is stored in the IdentityAccessManager/standalone/data directory.
On Linux you can use grep to check whether the email address appears anywhere in the file keycloak.mv.db. Note that this file cannot be edited directly.

You can simply reset the embedded database, but you will lose any previously configured users, groups, user federations, etc.
To reset the embedded database:
1) Stop the IdentityAccessManagerService
2) Rename the IdentityAccessManager/standalone/data directory
3) Restart the IdentityAccessManagerService
This should recreate the data folder with subdirectories and files and include the standard default users like admin.
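As an added example (not part of this article), a POSIX shell script that performs the grep check on the embedded store and moves the data directory aside instead of deleting it, so the previous users and federations can be restored if needed. The install path in IAM_HOME and the service stop/start steps are assumptions and placeholders; the service must be stopped before the directory is moved.

```shell
#!/bin/sh
# Added example, not from the KB article. IAM_HOME is an assumed install
# root; the stop/start lines are placeholders for your host's service manager.
IAM_HOME="${IAM_HOME:-/opt/IdentityAccessManager}"
DATA_DIR="$IAM_HOME/standalone/data"
DB_FILE="$DATA_DIR/keycloak.mv.db"

# Return 0 if the address appears in the (binary) H2 store, 1 if not, 2 on error.
# -a treats the binary file as text, -F matches the address literally, -q is quiet.
email_in_embedded_db() {
    db="$1"; email="$2"
    [ -f "$db" ] || { echo "no such file: $db" >&2; return 2; }
    grep -aFq -- "$email" "$db"
}

# Move the data directory aside (never delete it) so IAM recreates it with the
# default users on restart. Prints the backup path. Call only while the
# IdentityAccessManagerService is stopped, otherwise the H2 files may be in use.
reset_embedded_db() {
    data_dir="$1"
    [ -d "$data_dir" ] || { echo "no such directory: $data_dir" >&2; return 2; }
    backup="${data_dir}.bak.$(date +%Y%m%d%H%M%S)"
    mv -- "$data_dir" "$backup" || return 2
    echo "$backup"
}

if [ "${1:-}" = "--run" ]; then
    addr="${2:?usage: $0 --run <email>}"
    : "placeholder: stop IdentityAccessManagerService here"
    if email_in_embedded_db "$DB_FILE" "$addr"; then
        echo "address still present in embedded store; moving $DATA_DIR aside"
        reset_embedded_db "$DATA_DIR"
    else
        echo "address not found in $DB_FILE; no reset needed"
    fi
    : "placeholder: start IdentityAccessManagerService here"
    # After a reset the default admin account is back; set its password again.
fi
```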