Global User cannot be correlated to the account due to remnant inclusion object


Article ID: 207933


Updated On:


CA Identity Manager


Sometimes we found that IM User or Global User is not correlated correctly to its account. We have run "Synchronize Role with Users" task with "Add missing accounts" box selected but to no avail. We have also checked that the account is not orphan.
How can we address this issue?


There are stale/remnant inclusion object that correlates the account to already deleted (bogus) Global User.


Release : 14.x
Component : IdentityMinder(Identity Manager)


First of all, we can run ldapsearch command to check if the account has related inclusion object (correlated to any Global User). Refer to KB article 207927 on how you can do that.

Check eTSuperiorClassEntry and eTPID values from the ldapsearch command result above. eTSuperiorClassEntry value is the Global User's dn that correlates to the account. eTPID is the eTID of the Global User object.

After this, we need to check if this Global User object is a bogus one, i.e. its eTID is not valid anymore. Refer to KB article 207931 on how you can run ldapsearch command to find current existing Global User's eTID. Then you need to compare the eTID value with eTPID value in the inclusion object. If you found the existing Global User's eTID doesn't match to eTPID of the 1st ldapsearch command result above then we can conclude that the inclusion object is stale and we need to remove this.

Run the following command to remove the stale inclusion object using the following ldapdelete command

ldapdelete -h <Provisioning Directory hostname> -p 20391 -v -n -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -W "<dn of the inclusion object>"

<dn of the inclusion object>: is the dn you have got from the 1st ldapsearch command result above.

After this, make sure Automatic Correlation is set to Yes in Provisioning Manager (see below) and you can run "Synchronize Role with Users" task again with "Add missing accounts" box selected. The account should correlate correctly now.