When there is a container object under an OU, Explore & Correlate (E&C) of AD endpoints fails with the following error:
Error in Provisioning Manager when selecting the container object under the OU:
ETA_E_0020<RXX>, Object 'My-Con-Tst' on 'LocalAD' read failed: Unable to determine object class from distinguished name - Return Code: 111
Error printed in the etatrans log:
20251029:135444:TID=000cac:Search :E293:----:S: External Search (eTADSContainerName=My-Con) Requested by User etaadmin - TenantNo
20251029:135444:TID=000cac:Search :E293:----:S:+tSet
20251029:135444:TID=000cac:Search :E293:----:P: base-dn: eTADSContainerName=My-Con,eTADSOrgUnitName=TEST-OU,eTADSDirectoryNam
20251029:135444:TID=000cac:Search :E293:----:P:+ e=LocalAD,eTNamespaceName=ActiveDirectory,dc=im
20251029:135444:TID=000cac:Search :E293:----:P: scope : BASE
20251029:135444:TID=000cac:Search :E293:----:P: filter : (objectClass=eTADSContainer)
20251029:135444:TID=000cac:Search :E293:----:P: attrs : <ALL>
20251029:135444:TID=000cac:Search :E293:----:P: size-limit: 500
20251029:135444:TID=000cac:Search :E293:----:P: time-limit: 90
20251029:135444:TID=000cac:EtaServer :----:----:I: DN attribute "eTADSContainerName" is not valid beneath class "eTADSOrgUnit"
20251029:135444:TID=000cac:EtaServer :----:----:I: DN attribute "eTADSContainerName" is not valid beneath class "eTADSOrgUnit"
20251029:135444:TID=000cac:EtaServer :----:----:I: Unable to determine object class for 'eTADSContainerName=My-Con,eTADSOrgUnitName=
20251029:135444:TID=000cac:EtaServer :----:----:I:+TEST-OU,eTADSDirectoryName=LocalAD,eTNamespaceName=ActiveDirectory,dc=im'
20251029:135444:TID=000cac:Search :E293:----:F: FAILURE: External Search (eTADSContainerName=My-Con)
20251029:135444:TID=000cac:Search :E293:----:F: rc: 0x0001 (Operations error)
20251029:135444:TID=000cac:Search :E293:----:F: msg: :ETA_E_0020<RXX>, Object 'My-Con' on 'LocalAD' read failed: Unable to de
20251029:135444:TID=000cac:Search :E293:----:F:+termine object class from distinguished name
Identity Manager: v14.5 SP1 (latest release)
This is a product limitation.
The out-of-the-box Active Directory connector does not support or recognize containers located under an Organizational Unit (OU). The recommended approach is to use Organizational Units (OUs) instead.
The exploration of container objects under an Organizational Unit (OU) has always been excluded by design. Addressing this would require a product enhancement, which needs to be raised as an enhancement request.
There is an alternative workaround for this issue.
The workaround is provided in the hotfix HF-DE643354, which includes certain metadata changes. Please open a new support case to request this hotfix.
However, please note that the workaround comes with certain limitations as described below:
When performing a Full Explore & Correlate (i.e., selecting the entire container tree), previously explored objects may be overwritten or deleted. In this mode, Full E&C re-explores and replaces previously discovered objects.
To address this limitation, you can run a Partial Explore & Correlate after completing a Full E&C to ensure that container-related objects remain intact. In practice, this means selecting all containers under an OU for E&C, but not the OU itself. This approach performs E&C for each container individually, rather than at the OU level.
Please note that this workaround is only applicable if the OU does not contain any user objects directly beneath it. If user objects exist at the OU level, excluding the OU from E&C may result in incomplete correlation.
To help visualize the difference between Full and Partial E&C, please refer to the attached images: Full_EC.png and Partial_EC.png.
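Added example, not part of the original article or the product: a Python sketch that scans an etatrans log for this failure and reports each affected DN together with the rejected DN attribute and its parent class. The sample lines are copied from the excerpt above; the rule that a message starting with '+' continues the previous line of the same TID is an assumption inferred from that excerpt, and the function names are hypothetical.

```python
import re

# Prefix layout as seen in the excerpt: date:time:TID=<id>:<component>:<op>:<op>:<level>:<message>
LINE = re.compile(r"^\d{8}:\d{6}:TID=(\w+):[^:]*:[^:]*:[^:]*:(\w):(.*)$")
BAD_RDN = re.compile(r'DN attribute "(\w+)" is not valid beneath class "(\w+)"')
NO_CLASS = re.compile(r"Unable to determine object class for '([^']+)'")

# Lines copied from the etatrans excerpt in this article.
SAMPLE_LOG = """
20251029:135444:TID=000cac:Search :E293:----:S: External Search (eTADSContainerName=My-Con) Requested by User etaadmin - TenantNo
20251029:135444:TID=000cac:Search :E293:----:S:+tSet
20251029:135444:TID=000cac:EtaServer :----:----:I: DN attribute "eTADSContainerName" is not valid beneath class "eTADSOrgUnit"
20251029:135444:TID=000cac:EtaServer :----:----:I: Unable to determine object class for 'eTADSContainerName=My-Con,eTADSOrgUnitName=
20251029:135444:TID=000cac:EtaServer :----:----:I:+TEST-OU,eTADSDirectoryName=LocalAD,eTNamespaceName=ActiveDirectory,dc=im'
"""

def join_wrapped(log_text):
    """Rebuild logical records as [tid, level, message] lists.
    Assumption: a message starting with '+' continues the previous line of that TID."""
    records, last = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank or foreign line
        tid, level, msg = m.groups()
        if msg.startswith("+") and tid in last:
            last[tid][2] += msg[1:].lstrip()  # glue the wrapped tail back on
        else:
            rec = [tid, level, msg.strip()]
            records.append(rec)
            last[tid] = rec
    return records

def find_unsupported_dns(log_text):
    """Map each DN the server could not classify to (rejected DN attribute, parent class)."""
    findings, pending = {}, {}
    for tid, _level, msg in join_wrapped(log_text):
        m = BAD_RDN.search(msg)
        if m:
            pending[tid] = m.groups()  # remember the reason until the DN line arrives
            continue
        m = NO_CLASS.search(msg)
        if m:
            findings.setdefault(m.group(1), pending.get(tid))
    return findings

if __name__ == "__main__":
    for dn, reason in find_unsupported_dns(SAMPLE_LOG).items():
        print(dn, reason)
```

Each DN it reports identifies a container beneath an OU that the workaround's Partial E&C step would need to cover.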