An attempt to synchronize the user with the roles generates the following error:
ETA_E_0020<RAC>, Active Dir. Account 'XXXXXX YYYY' on 'Active Directory XXX' read failed: DB Read failed: No such object (ldaps://ca-prov-srv:20391)
In Provisioning Manager, List Accounts shows more than one association to the same ADS account.
Attempting to delete the extra association displays the same error message.
Identity Manager 14.x
Some possible root causes:
1. A problem while syncing between Global User and Accounts: network or ADS performance issues causing a connection failure.
2. Since an Inclusion points to a different OU, check whether the customer is moving accounts from one OU to another natively, that is, with ADS tools instead of the IdM UI.
3. If accounts are not being moved natively, check that the Account Template, the rules in the Account Container, and the attribute used to determine the OU are set properly for all GUs.
We need to know the bad eTInclusionID in order to remove it with the ldapdelete command.
1. Run the ldapsearch command below to return all Inclusions associated with the ADS account:
ldapsearch -LLL -h <Provisioning Server hostname> -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -W -b "eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -s sub "(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTSubordinateClassEntry=*<account name>*))"
[Screenshot: the ADS Account Name as shown in the account properties]
2. From the result, identify the bad inclusion: the "eTSubordinateClassEntry" attribute holds the location of the account.
3. Copy the eTInclusionID of the bad entry. In the output it is folded across several lines, for example:
dn: eTInclusionID=aaaaa-bbbbbb-ccc-ddd-eee@ffffff-gggg-hhhh-iiii
 -jjjj,eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eT
 InclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etad
 b
4. Join the folded lines so the eTInclusionID is on one line (drop the leading space of each continuation line, leaving no gap):
eTInclusionID=aaaaa-bbbbbb-ccc-ddd-eee@ffffff-gggg-hhhh-iiii-jjjj,eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb
5. The eTInclusionID ends with dc=im,dc=etadb; change it to dc=im,dc=eta, like this:
eTInclusionID=aaaaa-bbbbbb-ccc-ddd-eee@ffffff-gggg-hhhh-iiii-jjjj,eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta
6. Now run the ldapdelete command below to remove the bad inclusion:
ldapdelete -h <Provisioning Server hostname> -p 20389 -v -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W "<dn of the inclusion object under dc=im,dc=eta>"
Using the eTInclusionID from the example above:
ldapdelete -h <Provisioning Server hostname> -p 20389 -v -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W "eTInclusionID=aaaaa-bbbbbb-ccc-ddd-eee@ffffff-gggg-hhhh-iiii-jjjj,eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta"
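The six steps above can be scripted so that the LDIF folding and the dc=etadb to dc=im,dc=eta rewrite are done mechanically rather than by hand (the hand-joined DN is where the stray "eT InclusionContainerName" space creeps in). The following is an added example, not part of this article and not Broadcom code. It embeds a constructed ldapsearch -LLL result for two inclusions of the same account, using the article's placeholder IDs; the layout of the eTSubordinateClassEntry value (eTADSAccountName=...,eTADSOrgUnitName=...) is an assumption for illustration, and the host name is a placeholder. The script only builds the ldapsearch and ldapdelete argument lists; the operator still reviews which inclusion is stale before running the delete.

```python
# Added example (not the article's or Broadcom's code): automates steps 1-6.

# Constructed sample standing in for `ldapsearch -LLL` output on port 20391.
# Folded at 76 columns as LDIF does (continuation lines start with one space).
# IDs are the article's placeholders; eTSubordinateClassEntry layout is assumed.
SAMPLE_LDIF = (
    "dn: eTInclusionID=aaaaa-bbbbbb-ccc-ddd-eee@ffffff-gggg-hhhh-iiii\n"
    " -jjjj,eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eT\n"
    " InclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etad\n"
    " b\n"
    "objectClass: eTInclusionObject\n"
    "eTRelationship: USERACCOUNT\n"
    "eTSubordinateClassEntry: eTADSAccountName=XXXXXX YYYY,eTADSOrgUnitName=OldOU,"
    "eTADSDirectoryName=Active Directory XXX,eTNamespaceName=ActiveDirectory,dc=im,dc=etadb\n"
    "\n"
    "dn: eTInclusionID=11111-22222-333-444-555@66666-7777-8888-9999-0000,"
    "eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,"
    "eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb\n"
    "objectClass: eTInclusionObject\n"
    "eTRelationship: USERACCOUNT\n"
    "eTSubordinateClassEntry: eTADSAccountName=XXXXXX YYYY,eTADSOrgUnitName=NewOU,"
    "eTADSDirectoryName=Active Directory XXX,eTNamespaceName=ActiveDirectory,dc=im,dc=etadb\n"
)

# Bind DNs and search base exactly as given in the article's commands.
BIND_DN_20391 = "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb"
BIND_DN_20389 = ("eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,"
                 "eTNamespaceName=CommonObjects,dc=im,dc=eta")
SEARCH_BASE = ("eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,"
               "eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb")


def ldapsearch_argv(host, account_name):
    """Step 1: the article's ldapsearch as an argv list (no shell quoting)."""
    filt = ("(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)"
            f"(eTSubordinateClassEntry=*{account_name}*))")
    return ["ldapsearch", "-LLL", "-h", host, "-p", "20391", "-D", BIND_DN_20391,
            "-W", "-b", SEARCH_BASE, "-s", "sub", filt]


def unfold_ldif(text):
    """Steps 3-4: join LDIF continuation lines. Exactly one leading space is
    dropped, so 'eT' + 'InclusionContainerName' meet with no gap."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Split unfolded LDIF into entries, each a {attr: [values]} dict.
    Plain 'attr: value' lines only; base64 ('::') values are not expected here."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def list_inclusions(text):
    """Step 2: pair each inclusion DN with the account location it points to."""
    return [(e["dn"][0], e.get("eTSubordinateClassEntry", [""])[0])
            for e in parse_entries(text)]


def stale_inclusions(text, current_ou):
    """Inclusions whose location does not name the OU the account really lives
    in. Candidates only: the operator confirms each one before deleting."""
    return [dn for dn, loc in list_inclusions(text)
            if f"eTADSOrgUnitName={current_ou}," not in loc]


def delete_dn(inclusion_dn):
    """Step 5: read via dc=etadb on 20391, deleted under dc=im,dc=eta on 20389.
    Anything that does not end in the expected suffix is refused."""
    suffix = ",dc=im,dc=etadb"
    if not inclusion_dn.endswith(suffix):
        raise ValueError("not a dc=im,dc=etadb inclusion DN: " + inclusion_dn)
    return inclusion_dn[:-len(suffix)] + ",dc=im,dc=eta"


def ldapdelete_argv(host, inclusion_dn):
    """Step 6: the article's ldapdelete as an argv list."""
    return ["ldapdelete", "-h", host, "-p", "20389", "-v",
            "-D", BIND_DN_20389, "-W", delete_dn(inclusion_dn)]


if __name__ == "__main__":
    host = "prov-host.example"  # placeholder for <Provisioning Server hostname>
    print("search:", ldapsearch_argv(host, "XXXXXX YYYY"))
    for dn, loc in list_inclusions(SAMPLE_LDIF):
        print(dn, "->", loc)
    for dn in stale_inclusions(SAMPLE_LDIF, "NewOU"):
        print("review, then run:", ldapdelete_argv(host, dn))
```

Run the script as shown and it prints the two inclusions with their locations and the ldapdelete command for the one still pointing at OldOU; to use it against real output, feed the text captured from the ldapsearch on port 20391 into list_inclusions instead of SAMPLE_LDIF and pass the argv list to subprocess.run only after confirming the candidate.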
If the issue involves an endpoint type other than an ADS account, see the KB article below:
How to use ldapsearch command to check if an account has been correlated