Changes Not Synchronized From Active Directory to OID, DIP Log Shows Error "Directories are in a inconsistent state" or "LDAP: error code 19 - Attribute Uniqueness Constraint Violation" (Doc ID 1129163.1)

Last updated on AUGUST 30, 2023

Applies to:

Oracle Internet Directory - Version 10.1.4.3 to 11.1.1 [Release 10gR3 to 11g]
Information in this document applies to any platform.

Symptoms

Changes made to specific Active Directory (AD) users are not being synchronized to Oracle Internet Directory (OID). DIP is reporting error "Directories are in a inconsistent state".

Scenario A

When the following synchronization is configured the problem occurs:

Oracle HR -> OID synchronization (import)
OID -> AD synchronization (export)
AD -> OID synchronization (import)

Example sequence:

1. New user created in Oracle Human Resources (HR).
2. DIP HR -> OID synchronization creates the new user in OID.
3. DIP OID -> AD synchronization creates the new user in AD
4. Same user is modified in AD.
5. DIP AD -> OID synchronization fails to modify the corresponding user in OID.

The AD -> OID synchronization trace shows message 'Directories are in a inconsistent state.'

Example entries from DIP 10g synchronization trace log with profile debug enabled:

Scenario D

DIPs running in HA.

Implemented and customized plugin from: Synchronizing AD Users With DIP Based On AD Group Membership (Doc ID 804615.1)

The sync keeps retrying and not synchronizing anything.

LOG ERRORS
-----------------------
OID ldap server log shows:

[2018-08-02T19:28:22.869153+02:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: <HOSTNAME>] [pid: 32693] [tid: 9] [ecid: ecid# ,0:12] ServerWorker (REG):[[
BEGIN
ConnID:11805 mesgID:5 OpID:4 OpName:modify ConnIP:<IP_ADDRESS> ConnDN:orclodipagentname=<PROFILE_NAME>,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
Server Java Plug-in * Deleting user from OID directly : CN=<USER>,OU=Users,OU=<AD_OU>,DC=<COMPANY>
2018-08-02T19:28:23.86971 * Server Java Plug-in * Attr Mod:uniquemember
2018-08-02T19:28:23.87020 * Server Java Plug-in * Attr Op Type:1
2018-08-02T19:28:23.87153 * Server Java Plug-in * Checking oid dn: uid=CN=<USERNAME2>,OU=Users,OU=<AD_OU>,DC=<COMPANY>
2018-08-02T19:28:23.87183 * Server Java Plug-in * Checking oid dn: uid=CN=<USERNAME3>,OU=Users,OU=<AD_OU>,DC=<COMPANY>
2018-08-02T19:28:23.87214 * Server Java Plug-in * Checking oid dn: uid=CN=<USERNAME1>,OU=Users,OU=<AD_OU>,DC=<COMPANY>
2018-08-02T19:28:23.87243 * Server Java Plug-in * Checking oid dn: *
2018-08-02T19:28:23.87300 * Server Java Plug-in * Error converting the DN:String index out of range: -48
2018-08-02T19:28:23.90528 * Server Java Plug-in * Updating AD user : <USERNAME1>
2018-08-02T19:28:23.90575 * Server Java Plug-in * Searching using filter is : (sAMAccountName=<USERNAME1>)
2018-08-02T19:28:23.90684 * Server Java Plug-in * Calling Search on AD base DN:OU=<AD_OU>,DC=<COMPANY>
2018-08-02T19:28:23.100431 * Server Java Plug-in * Search Completed.
2018-08-02T19:28:23.101209 * Server Java Plug-in * AD DN of the user to be updated = : CN=<USERNAME1>,OU=Users,OU=<AD_OU>,DC=<COMPANY>
...<etc>....
2018-08-02T19:28:23.169303 * Server Java Plug-in * AD DN of the user to be updated = : CN=<USERNAME2>,OU=Users,OU=<AD_OU>,DC=<COMPANY>
2018-08-02T19:28:23.172695 * WARN * sgslprp_retrieveResObject * Plug-in grp_plg.jar returned a null LdapOperation. The LdapOperation will remain unchanged.
2018-08-02T19:28:23.172771 * Entry: gslbpifFreeMod()
2018-08-02T19:28:23.172795 * Entry: gslbpicCopyMod()
2018-08-02T19:28:23.172809 * Entry: gslbpigGetNewMod()
2018-08-02T19:28:23.172827 * Entry: gslbpigGetNewMod()
2018-08-02T19:28:23.172847 * SUCCESS * gslpprm_ExecPreModifyPlugin * Successfully Executed Java Plug-in grp_plg.jar
2018-08-02T19:28:23.172874 * INFO * gslusdnGetRDNParentDnFromDN : Entry
2018-08-02T19:28:23.172894 * INFO * gslusdnGetRDNParentDnFromDN : Exit

DIP logs show the same user being attempted (username User1), with message of no changes required. Plus also shows error:

[2018-08-02T21:00:01.364+02:00] [wls_ods1] [ERROR] [DIP-10225] [oracle.dip.<PROFILE_NAME>] [tid: oracle.ldap.odip.web.DIPSyncWriterThread] [userId: <USERNAME>] [ecid: <ECID>] [APP: DIP#11.1.1.2.0] Exception modifying entry : [LDAP: error code 19 - Constraint Violation].
[2018-08-02T21:00:01.364+02:00] [wls_ods1] [TRACE] [] [oracle.dip.<PROFILE_NAME>] [tid: oracle.ldap.odip.web.DIPSyncWriterThread] [userId: <USERNAME>] [ecid: <ECID>] [APP: DIP#11.1.1.2.0] [SRC_CLASS: oracle.ldap.odip.gsi.LDAPWriter] [SRC_METHOD: modifyRadd] Error in modifying Entry 'cn=<GROUPNAME>,ou=group,cn=groups,dc=<COMPANY>[[
ODIException: Error Modifying Entry in Directory
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1352)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1156)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:1115)
at oracle.ldap.odip.gsi.LDAPWriter.performWriteChanges(LDAPWriter.java:602)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:273)
at oracle.ldap.odip.web.DIPSyncWriterThread.run(DIPSyncWriterThread.java:71)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Constraint Violation]; remaining name ''cn=<GROUPNAME>,ou=group,cn=groups,dc=<COMPANY>'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3119)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3052)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2843)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1479)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:172)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1302)
... 5 more

]]
[2018-08-02T21:00:01.365+02:00] [wls_ods1] [ERROR] [DIP-10005] [oracle.dip.<PROFILE_NAME>] [tid: oracle.ldap.odip.web.DIPSyncWriterThread] [userId: <USERNAME>] [ecid: <ECID>] [APP: DIP#11.1.1.2.0] Error in applying map rule.[[
ODIException: Error Modifying Entry in Directory
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1352)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1156)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:1115)
at oracle.ldap.odip.gsi.LDAPWriter.performWriteChanges(LDAPWriter.java:602)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:273)
at oracle.ldap.odip.web.DIPSyncWriterThread.run(DIPSyncWriterThread.java:71)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Constraint Violation]; remaining name 'cn=<GROUPNAME>,ou=group,cn=groups,dc=<COMPANY>
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3119)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3052)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2843)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1479)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:172)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1302)

Scenario E

An attribute uniqueness constraint is defined for "uid" attribute in OID.

cn=UID_UNIQUE,cn=unique,cn=common,cn=products,cn=oraclecontext
cn=UID_UNIQUE
orcluniquesubtree=cn=Users, dc=xxxx,dc=xxx,dc=xxx
orcluniqueenable=1
objectclass=orclUniqueConfig
objectclass=top
orcluniquescope=onelevel
orcluniqueobjectclass=inetorgperson
orclnormdn=cn=uid_unique,cn=unique,cn=common,cn=products,cn=oraclecontext
orcluniqueattrname=uid

>> AD-OID sync profile contains the following mapping

samaccountname:: :user:uid: :inetorgperson:samaccountname

In OID, there is an OID native user with uid value as "xxxxxx".
For one of the users in AD, the samaccountname was changed to the same value "xxxxxx" and this caused the DIP sync to try to update the uid attribute of the AD user in OID to "xxxxxx".
Since attribute uniqueness was enabled for "uid" attribute, it failed with the following error

[APP: DIP#11.1.1.2.0] error in execution of Agent thread: <profile name>[[
ODIException: Error Modifying Entry in Directory
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1352)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1156)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:1115)
at oracle.ldap.odip.gsi.LDAPWriter.performWriteChanges(LDAPWriter.java:602)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:273)
at oracle.ldap.odip.web.DIPSyncWriterThread.run(DIPSyncWriterThread.java:71)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Attribute Uniqueness Constraint Violation]

Changes

Cause

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.

Changes Not Synchronized From Active Directory to OID, DIP Log Shows Error "Directories are in a inconsistent state" or "LDAP: error code 19 - Attribute Uniqueness Constraint Violation" (Doc ID 1129163.1)

Applies to:

Symptoms

Changes

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!