Growing errors of non-existing users in the Identity Manager log during an inbound request.
Article ID: 50199

Updated On:

Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

Identity Manager may log errors about users that do not exist. This can be caused by notifications that reach Identity Manager through the inbound notification service for requests on users that no longer exist. In this case you need to clean up the notification database to stop the notification service from repeating these notifications.

Solution:

You might see errors for users that do not exist in your Identity Manager log file during an inbound transaction (that is, while accepting a change that originated on the provisioning server). Here is what this might look like:

ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user1,ou=people,ou=external,dc=myCompany,dc=com does not exist

ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user2,ou=people,ou=external,dc=myCompany,dc=com does not exist

The symptoms of this problem are:

  1. The errors keep growing; over time, more users are reported in this way.

  2. None of the users reported actually exist.

  3. The errors never stop on their own. Even restarting the Identity Manager server does not help.
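Before emptying the notification database it is worth confirming the first two symptoms from the log itself: the same DNs should recur once per notification cycle, and new DNs should join the set over time. The script below is an added example, not part of this article or of the product; it groups the "Managed object ... does not exist" errors by DN and counts the replays. The sample log lines are constructed to match the message format quoted above, and the timestamp and logger prefixes are assumed rather than taken from a real Identity Manager log.

```python
"""Summarise 'Managed object ... does not exist' errors from an Identity Manager log.

Added example (not from the article). Groups the repeated
ims.llsdk.directory.jndi errors by DN and counts how often each one was
replayed, so the symptoms above can be confirmed before the notification
database is emptied. The log text below is constructed; only the message
text quoted in the article is relied on, the timestamp/thread prefix is
an assumption.
"""
import re
from collections import Counter

# Pattern for the message quoted in the article. Anything before "ERROR"
# (timestamp, thread name) is ignored, so prefix layout does not matter.
MISSING_OBJECT_RE = re.compile(
    r"ERROR \[ims\.llsdk\.directory\.jndi\] Managed object with unique name "
    r"(?P<dn>.+?) does not exist"
)

# Constructed sample log (not a real capture): two notification cycles,
# with a third DN appearing only in the second cycle.
SAMPLE_LOG = """\
2019-01-10 09:00:01,112 INFO  [ims.tmt.notification] Processing inbound notifications
2019-01-10 09:00:01,120 ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user1,ou=people,ou=external,dc=myCompany,dc=com does not exist
2019-01-10 09:00:01,121 ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user2,ou=people,ou=external,dc=myCompany,dc=com does not exist
2019-01-10 09:05:01,098 INFO  [ims.tmt.notification] Processing inbound notifications
2019-01-10 09:05:01,104 ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user1,ou=people,ou=external,dc=myCompany,dc=com does not exist
2019-01-10 09:05:01,105 ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user2,ou=people,ou=external,dc=myCompany,dc=com does not exist
2019-01-10 09:05:01,106 ERROR [ims.llsdk.directory.jndi] Managed object with unique name uid=user3,ou=people,ou=external,dc=myCompany,dc=com does not exist
"""


def missing_object_counts(log_text):
    """Return a Counter mapping each DN reported as missing to how many times it was logged."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MISSING_OBJECT_RE.search(line)
        if m:
            counts[m.group("dn")] += 1
    return counts


def uid_from_dn(dn):
    """Extract the uid value from a DN such as uid=user1,ou=people,...; None if the first RDN is not uid."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    return value if attr.strip().lower() == "uid" else None


def repeated_dns(counts, min_repeats=2):
    """DNs logged at least min_repeats times: the signature of a notification that is never acknowledged."""
    return sorted(dn for dn, n in counts.items() if n >= min_repeats)


def new_dns(earlier_counts, later_counts):
    """DNs present in a later log window but absent from an earlier one (the 'growing' symptom)."""
    return sorted(set(later_counts) - set(earlier_counts))


if __name__ == "__main__":
    counts = missing_object_counts(SAMPLE_LOG)
    for dn, n in counts.most_common():
        print(f"{n:4d}  uid={uid_from_dn(dn)}  {dn}")
    print("replayed every cycle:", repeated_dns(counts))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. To confirm symptom 2, search the corporate directory for each extracted uid (for example with an ldapsearch against the base DN shown in the error); if every DN is genuinely absent and the same set recurs each cycle, the situation described below applies.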

If you have the above symptoms, you may have run into the following situation:

Changes that originate on the provisioning server are synchronized into the Identity Manager server so that they can be applied to your corporate directory. A callback mechanism handles this synchronization: each change is placed as a notification in a notification database and is handled by the notification service that runs on the provisioning server side. This service periodically collects all listed items from the notification database and submits them to Identity Manager, which attempts to handle each one. If a notification is handled, Identity Manager reports a success code back to the notification service, which then removes that item from the notification database and does not resend it. If a request is not acknowledged by Identity Manager, the notification service issues it again on its next cycle.

The 'User does not exist' errors are logged by Identity Manager when it cannot find the user in the corporate directory. In that case Identity Manager does not acknowledge the request to the notification service, so the item remains in the notification database and is reissued over and over. The problem grows because every user who is removed from the corporate directory while items for that user still exist in the notification database joins this group.

While this error is benign, it is noisy, especially when it affects many users. The remedy is to clean up the notification database using the procedure below; once this is done, the notifications no longer appear in your Identity Manager log file. Note that emptying the database discards every notification still queued in it, not only the stale ones, so perform the procedure with the provisioning server stopped, as shown, and at a time when no legitimate inbound changes are still waiting to be processed.

  • Stop the Identity Manager Environment (IME)

  • Stop the Provisioning Server (IMPS): net stop im_ps

  • Stop all DSAs: dxserver stop all

  • Empty the notification DB: dxemptydb <name of notification service>

  • Start the DSAs: dxserver start all

  • Start IMPS: net start im_ps

  • Start the IME

Environment

Release:
Component: IDMGR