Unable to assign default group membership in Top Secret
Article ID: 92619
Products
CA Identity Manager, CA Identity Governance, CA Identity Portal
Issue/Introduction
Using the Top Secret v2 Connector to provision to CA Top Secret 15.0, the connector could create accounts on CA Top Secret and assign both Group Membership and Default Group Membership. After the Top Secret endpoint was upgraded from 15.0 to 16.0, the Default Group Membership is no longer assigned and account creation fails. If the Default Group Membership is removed from the Account Template and the Group Membership is left with its original values, the account is provisioned successfully. The error message produced when the Default Group Membership is present is similar to:
:ETA_E_0016, Account for Global User 'XYZ' on Endpoint 'Topsecret' creation failed: :ETA_E_0004, User Account 'XYZ' on 'Topsecret' creation failed: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed to add entry eTDYNAccountName=XYZ,eTDYNAccountContainerName=ACIDs,eTDYNDirectoryName=Topsecret,eTNamespaceName=CA Top Secret v2,dc=im,dc=etasa: JCS@SERVERNAME: JNDI: [LDAP: error code 80 - LDP2108E TSS error adding tssacid(TSS0626E DEFAULT GROUP NOT DEFINED OR IS NOT IN USER'S LIST OF GROUPS)]: failed to add tssacid=XYZ,tssadmingrp=acids,host=ldap_im,o=MyOrg,c=us (ldaps://servername.ca.com:20411)
The group used as the Default Group exists on the endpoint and is provisioned as a Group, but not as the Default Group.
Environment
Identity Manager 12.6.x, CA Top Secret 16.0, CA LDAP Server r15
Cause
Top Secret only accepts a Default Group (DFLTGRP) that is already in the ACID's list of groups, which is what TSS0626E reports. CA LDAP Server r15 does not support dynamically setting DFLTGRP when the group is not yet connected to the account: during account creation the group connections are not in place yet, so Top Secret 16.0 rejects the add.
Resolution
This issue is resolved by upgrading CA LDAP Server to r15.1, which has special support for Top Secret r16: when the requested default group is not yet in the ACID's list of groups, it adds the group to the account first and then sets DFLTGRP.
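The following Python is an added example, not code from the article or from the CA products, showing two checks a provisioning team can run around this failure: a pre-flight check that an Account Template's default group is one of the groups the template assigns (so the request never reaches Top Secret in a state it will refuse), and a parser that pulls the LDAP result code and the nested LDP/TSS message ids out of the JCS error text so the failure can be recognized in logs. The third function models the order of operations the fix relies on (connect the groups, then set DFLTGRP); its step names are illustrative, not CA LDAP Server attribute names. The sample error string is constructed from the message quoted above with the long DN shortened.

```python
import re
from typing import Iterable, Optional

# Constructed sample: the connector error quoted in the article, DN shortened.
# Not captured from a live system.
SAMPLE_ERROR = (
    ":ETA_E_0016, Account for Global User 'XYZ' on Endpoint 'Topsecret' creation "
    "failed: :ETA_E_0004, User Account 'XYZ' on 'Topsecret' creation failed: "
    "Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed to "
    "add entry eTDYNAccountName=XYZ,eTDYNAccountContainerName=ACIDs,...: "
    "JCS@SERVERNAME: JNDI: [LDAP: error code 80 - LDP2108E TSS error adding "
    "tssacid(TSS0626E DEFAULT GROUP NOT DEFINED OR IS NOT IN USER'S LIST OF GROUPS)]: "
    "failed to add tssacid=XYZ,tssadmingrp=acids,host=ldap_im,o=MyOrg,c=us"
)

# Message ids: CA LDAP Server messages look like LDP2108E, Top Secret messages
# like TSS0626E; the TSS text sits in the parentheses that follow the id.
LDAP_CODE_RE = re.compile(r"LDAP: error code (\d+)")
LDP_ID_RE = re.compile(r"\b(LDP\d{4}[A-Z])\b")
TSS_MSG_RE = re.compile(r"\((TSS\d{4}[A-Z])\s+([^)]*)\)")

# Only the TSS message quoted on this page is mapped; the table is an assumption.
KNOWN_TSS = {"TSS0626E": "default group is not in the ACID's list of groups"}


def _norm(name: Optional[str]) -> Optional[str]:
    """TSS ACID and group names are uppercase; compare them that way."""
    return name.strip().upper() if name and name.strip() else None


def parse_connector_error(text: str) -> dict:
    """Extract the LDAP result code and nested LDP/TSS message ids from a JCS
    provisioning error so the failure can be classified by message id."""
    ldap = LDAP_CODE_RE.search(text)
    ldp = LDP_ID_RE.search(text)
    tss = TSS_MSG_RE.search(text)
    return {
        "ldap_code": int(ldap.group(1)) if ldap else None,
        "ldp_id": ldp.group(1) if ldp else None,
        "tss_id": tss.group(1) if tss else None,
        "tss_text": tss.group(2).strip() if tss else None,
        "known_cause": KNOWN_TSS.get(tss.group(1)) if tss else None,
    }


def check_template(groups: Iterable[str], default_group: Optional[str]) -> list:
    """Pre-flight check for an Account Template: the default group must be one
    of the groups the template also assigns, or TSS rejects the add."""
    assigned = {g for g in (_norm(x) for x in groups) if g}
    dflt = _norm(default_group)
    if dflt is None:
        return []  # no default group requested, nothing to enforce
    if dflt not in assigned:
        return [f"default group {dflt!r} is not in the template's group list "
                f"{sorted(assigned)}; Top Secret will reject the account with TSS0626E"]
    return []


def provisioning_order(groups: Iterable[str], default_group: Optional[str]) -> list:
    """Order of operations that avoids the failure when the LDAP server does not
    connect the group for you: connect the ACID to its groups first, then set
    DFLTGRP. Step names are illustrative (hypothetical), not product attributes."""
    ordered = [g for g in (_norm(x) for x in groups) if g]
    dflt = _norm(default_group)
    steps = [("ADD_GROUP", g) for g in ordered]
    if dflt and dflt not in ordered:
        steps.append(("ADD_GROUP", dflt))  # what r15.1 does for you; r15 does not
    if dflt:
        steps.append(("SET_DFLTGRP", dflt))
    return steps


if __name__ == "__main__":
    print(parse_connector_error(SAMPLE_ERROR))
    print(check_template(["GRP1", "GRP2"], "GRP3"))
    print(provisioning_order(["GRP1"], "GRP2"))
```

Run the template check against every Account Template that sets a Default Group before rolling out an endpoint upgrade; a non-empty result is exactly the configuration that fails on CA LDAP Server r15 with Top Secret 16.0.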