Symantec IGA

  • 1.  Synchronize User with Roles Fails

    Posted Jan 24, 2018 12:56 PM

    I am testing creating an Employee from feed, with an xpolicy that initiates provisioning to an Active Directory endpoint. The process is failing at the synchronize user with roles step. If I go into Provisioning Manager and manually synchronize the user role, it works. Could the long Global ID be the issue? Is there a way to create that ID from within the Employee from feed CSV file?



  • 2.  Re: Synchronize User with Roles Fails

    Posted Jan 25, 2018 10:20 AM

    Error found in etatrans log


    FAILURE: DB Search (eTGlobalUserName=0e82ea62-c46d-44da-988f-4cd9c206025c)

    20180124:111059:TID=b88b70:Search    :D852:E851:F:     rc:  0x0020 (No such object)



  • 3.  Re: Synchronize User with Roles Fails

    Posted Jan 25, 2018 10:25 AM

    You would need to review the etatrans log to see what the error shown is for the account creation. Search for "FAILURE: Connector Server Add". Perhaps the password does not match the requirements on the AD system or perhaps the AD account has a duplicate name to another account in AD already.



  • 4.  Re: Synchronize User with Roles Fails

    Posted Jan 25, 2018 10:57 AM

    I found an error, but I need help in understanding what it means. I think the long Global ID Active Directory does know how to process that


    20180124:095559:TID=7b1b70:Search :D817:E812:F: FAILURE: DB Search (eTSubordinateClass=eTAdminProfile)
    20180124:095559:TID=7b1b70:Search :D817:E812:F: rc: 0x0020 (No such object)
    20180124:095559:TID=7b1b70:Search :D817:E812:F: msg: DB Search failed: No such object (ldaps://ca-prov-srv:20391)
    20180124:095559:TID=7b1b70:Bind :E812:----:I: AP-PRIV-CACHE STATS { SIZE: 1 of 10, USED 1 for 1, CAN 0 UNINIT 0 }
    20180124:095559:TID=7b1b70:Search :D818:E812:S: DB Search (eTAdminProfileName=SelfAdministrator) Requested by User <anonymous> -
    20180124:095559:TID=7b1b70:Search :D818:E812:S:+TenantNotSet
    20180124:095559:TID=7b1b70:Search :D818:E812:P: URL: ldaps://ca-prov-srv:20391
    20180124:095559:TID=7b1b70:Search :D818:E812:P: base-dn: eTAdminProfileName=SelfAdministrator,eTAdminProfileContainerName=Adm
    20180124:095559:TID=7b1b70:Search :D818:E812:P:+ in Profiles,eTNamespaceName=CommonObjects,dc=im
    20180124:095559:TID=7b1b70:Search :D818:E812:P: scope : BASE
    20180124:095559:TID=7b1b70:Search :D818:E812:P: filter : objectclass=*
    20180124:095559:TID=7b1b70:Search :D818:E812:P: attrs : eTAccessControlList, eTUserAdminProfile, eTwfSecurity, eTAdminPermit
    20180124:095559:TID=7b1b70:Search :D818:E812:P:+ ted, eTSelfAdminPermitted, eTSuspended, eTPassword, eTFailedLogin, eTFullName
    20180124:095559:TID=7b1b70:Search :D818:E812:P:+ , eTLocked, eTCreateDate, eTCreateTime, eTPasswordExpirationDate, eTPasswordE
    20180124:095559:TID=7b1b70:Search :D818:E812:P:+ xpirationTime, eTPasswordUpdateDate, eTPasswordUpdateTime, eTPwdPreExpired, e
    20180124:095559:TID=7b1b70:Search :D818:E812:P:+ TUpdateDate, eTUpdateTime, eTDisablePasswordExpiration, eTID
    20180124:095559:TID=7b1b70:Search :D818:E812:F: SUCCESS: DB Search (eTAdminProfileName=SelfAdministrator), entry-count: 1, attrib
    20180124:095559:TID=7b1b70:Search :D818:E812:F:+utes: eTAccessControlList,eTCreateTime,eTSelfAdminPermitted,eTCreateDate,eTAdminP
    20180124:095559:TID=7b1b70:Search :D818:E812:F:+ermitted,eTID
    20180124:095559:TID=7b1b70:Search :D819:E812:S: DB Search (eTSubordinateClass=eTAdminProfile) Requested by User <anonymous> - Ten
    20180124:095559:TID=7b1b70:Search :D819:E812:S:+antNotSet
    20180124:095559:TID=7b1b70:Search :D819:E812:P: URL: ldaps://ca-prov-srv:20391
    20180124:095559:TID=7b1b70:Search :D819:E812:P: base-dn: eTSubordinateClass=eTAdminProfile,eTSuperiorClass=eTAdminProfile,eTI
    20180124:095559:TID=7b1b70:Search :D819:E812:P:+ nclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im
    20180124:095559:TID=7b1b70:Search :D819:E812:P: scope : SUBTREE
    20180124:095559:TID=7b1b70:Search :D819:E812:P: filter : (eTPID=38071217-875b-40c8-b7f7-6a121734a638)
    20180124:095559:TID=7b1b70:Search :D819:E812:P: attrs : eTSubordinateClassEntry
    20180124:095559:TID=7b1b70:Search :D819:E812:F: FAILURE: DB Search (eTSubordinateClass=eTAdminProfile)
    20180124:095559:TID=7b1b70:Search :D819:E812:F: rc: 0x0020 (No such object)
    20180124:095559:TID=7b1b70:Search :D819:E812:F: msg: DB Search failed: No such object (ldaps://ca-prov-srv:20391)
    20180124:095559:TID=7b1b70:Bind :E812:----:I: AP-PRIV-CACHE STATS { SIZE: 2 of 10, USED 1 for 1, CAN 0 UNINIT 0 }
    20180124:095559:TID=7b1b70:Search :D820:E812:S: DB Search (eTAdminProfileName=WFReadAdministrator) Requested by User <anonymous>
    20180124:095559:TID=7b1b70:Search :D820:E812:S:+- TenantNotSet
    20180124:095559:TID=7b1b70:Search :D820:E812:P: URL: ldaps://ca-prov-srv:20391
    20180124:095559:TID=7b1b70:Search :D820:E812:P: base-dn: eTAdminProfileName=WFReadAdministrator,eTAdminProfileContainerName=A
    20180124:095559:TID=7b1b70:Search :D820:E812:P:+ dmin Profiles,eTNamespaceName=CommonObjects,dc=im
    20180124:095559:TID=7b1b70:Search :D820:E812:P: scope : BASE
    20180124:095559:TID=7b1b70:Search :D820:E812:P: filter : objectclass=*
    20180124:095559:TID=7b1b70:Search :D820:E812:P: attrs : eTAccessControlList, eTUserAdminProfile, eTwfSecurity, eTAdminPermit
    20180124:095559:TID=7b1b70:Search :D820:E812:P:+ ted, eTSelfAdminPermitted, eTSuspended, eTPassword, eTFailedLogin, eTFullName
    20180124:095559:TID=7b1b70:Search :D820:E812:P:+ , eTLocked, eTCreateDate, eTCreateTime, eTPasswordExpirationDate, eTPasswordE
    20180124:095559:TID=7b1b70:Search :D820:E812:P:+ xpirationTime, eTPasswordUpdateDate, eTPasswordUpdateTime, eTPwdPreExpired, e
    20180124:095559:TID=7b1b70:Search :D820:E812:P:+ TUpdateDate, eTUpdateTime, eTDisablePasswordExpiration, eTID
    20180124:095559:TID=7b1b70:Search :D820:E812:F: SUCCESS: DB Search (eTAdminProfileName=WFReadAdministrator), entry-count: 1, attr
    20180124:095559:TID=7b1b70:Search :D820:E812:F:+ibutes: eTAccessControlList,eTCreateTime,eTSelfAdminPermitted,eTCreateDate,eTAdmi
    20180124:095559:TID=7b1b70:Search :D820:E812:F:+nPermitted,eTID
    20180124:095559:TID=7b1b70:Search :D821:E812:S: DB Search (eTSubordinateClass=eTAdminProfile) Requested by User <anonymous> - Ten
    20180124:095559:TID=7b1b70:Search :D821:E812:S:+antNotSet
    20180124:095559:TID=7b1b70:Search :D821:E812:P: URL: ldaps://ca-prov-srv:20391
    20180124:095559:TID=7b1b70:Search :D821:E812:P: base-dn: eTSubordinateClass=eTAdminProfile,eTSuperiorClass=eTAdminProfile,eTI
    20180124:095559:TID=7b1b70:Search :D821:E812:P:+ nclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im
    20180124:095559:TID=7b1b70:Search :D821:E812:P: scope : SUBTREE
    20180124:095559:TID=7b1b70:Search :D821:E812:P: filter : (eTPID=f7147a4d-ecd4-4b60-92aa-4851c0511bdd)
    20180124:095559:TID=7b1b70:Search :D821:E812:P: attrs : eTSubordinateClassEntry



  • 5.  Re: Synchronize User with Roles Fails

    Posted Jan 25, 2018 11:00 AM

    As I mentioned, you need to look for the Connector Server Add failure. You may be best off opening a support case if you need assistance.



  • 6.  Re: Synchronize User with Roles Fails
    Best Answer

    Posted Jan 25, 2018 12:27 PM

    Support case 00945646 opened for further review by CA Support.



  • 7.  RE: Re: Synchronize User with Roles Fails

    Posted Sep 16, 2019 02:28 PM
    Hi All,

    I am facing a similar issue. I see the below error when I try to assign an Active Directory provisioning role to a user:

    20190916:201104:TID=0013e8:Search :D226:C225:F: FAILURE: DB Search (eTSubordinateClass=eTADSAccount)
    20190916:201104:TID=0013e8:Search :D226:C225:F: rc: 0x0020 (No such object)
    20190916:201104:TID=0013e8:Search :D226:C225:F: msg: DB Search failed: No such object (ldaps://<server_name>:20391)

    Can anyone help me with the resolution?

    Regards,
    Mack

    ------------------------------
    Senior Security Consultant
    ------------------------------



  • 8.  RE: Re: Synchronize User with Roles Fails

    Broadcom Employee
    Posted Sep 17, 2019 05:27 AM

    Hi Mukul,

    Posting 3 lines of etatrans is not enough to tell you what the issue is. For instance, the "no such object" error you are reporting when looking at user/(ad) account inclusion can be expected and therefore, it's not an actual error.

    We would need a full etatrans log logging the prov role assignment to the user to better understand your issue. I don't believe posting such a log in the community is the way to go, so I would suggest you open an issue if you still need assistance with this issue.

    Thanks,
    Joffrey.
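
The triage described in replies 3 and 8, as an added example that is not part of the original thread or of any CA/Broadcom tool: it folds the `+` continuation lines of an etatrans excerpt back together, groups lines by operation ID, and separates `Connector Server Add` failures from `No such object` misses on inclusion lookups. The sample lines are constructed (modelled on the excerpts above); the layout of the `Connector Server Add` line, the one-space continuation padding, and the verdict labels are assumptions.

```python
import re

# Fields: date:time:TID=<thread>:<operation>:<op id>:<parent id>:<stage>:[+]<text>
LINE = re.compile(r"^\d{8}:\d{6}:TID=(\w+):(\w+)\s*:([\w-]+):([\w-]+):([A-Z]):(\+?)(.*)$")

def parse_ops(log_text):
    """Return {(tid, op_id): {stage: [lines]}} with '+' continuation lines folded in."""
    ops = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, _op, op_id, _parent, stage, cont, text = m.groups()
        lines = ops.setdefault((tid, op_id), {}).setdefault(stage, [])
        if cont and lines:
            # Wrapped line: drop the one padding space and glue onto the previous line.
            lines[-1] += text[1:] if text.startswith(" ") else text
        else:
            lines.append(text.strip())
    return ops

def triage(log_text):
    """Return (op_id, verdict, headline) for every operation whose result is FAILURE."""
    findings = []
    for (_tid, op_id), stages in parse_ops(log_text).items():
        result = stages.get("F", [])
        if not result or not result[0].startswith("FAILURE:"):
            continue
        headline, verdict = result[0], "review"
        params = " ".join(stages.get("P", []))
        inclusion = "eTInclusionContainerName=" in params or "(eTSubordinateClass=" in headline
        if "Connector Server Add" in headline:
            verdict = "investigate"      # the failure reply 3 says to search for
        elif inclusion and any("0x0020" in line for line in result):
            verdict = "expected-miss"    # inclusion lookup that can be expected, per reply 8
        findings.append((op_id, verdict, headline))
    return findings

# Constructed sample; values in parentheses on the last two operations are placeholders.
SAMPLE = """\
20180124:095559:TID=7b1b70:Search :D819:E812:P: base-dn: eTSubordinateClass=eTAdminProfile,eTSuperiorClass=eTAdminProfile,eTI
20180124:095559:TID=7b1b70:Search :D819:E812:P:+ nclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im
20180124:095559:TID=7b1b70:Search :D819:E812:F: FAILURE: DB Search (eTSubordinateClass=eTAdminProfile)
20180124:095559:TID=7b1b70:Search :D819:E812:F: rc: 0x0020 (No such object)
20180124:111059:TID=b88b70:Search :D852:E851:F: FAILURE: DB Search (eTGlobalUserName=constructed-user)
20180124:111059:TID=b88b70:Search :D852:E851:F: rc: 0x0020 (No such object)
20180124:111100:TID=b88b70:Add :D853:E851:F: FAILURE: Connector Server Add (constructed placeholder)
"""
```

Calling `triage()` on a full etatrans log lists only the failed operations, so the `investigate` and `review` entries can be read first and the inclusion misses set aside.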