Changes Not Synchronized From Active Directory to OID, DIP Log Shows Error "Directories are in a inconsistent state" or "LDAP: error code 19 - Attribute Uniqueness Constraint Violation" (Doc ID 1129163.1)

Last updated on AUGUST 14, 2018

Applies to:

Oracle Internet Directory - Version 10.1.4.3 to 11.1.1 [Release 10gR3 to 11g]
Information in this document applies to any platform.

Symptoms

Changes made to specific Active Directory (AD) users are not synchronized to Oracle Internet Directory (OID). DIP reports the error "Directories are in a inconsistent state".

Scenario A

When the following synchronization is configured the problem occurs:


Example sequence:

1. New user created in Oracle Human Resources (HR).
2. DIP HR -> OID synchronization creates the new user in OID.
3. DIP OID -> AD synchronization creates the new user in AD.
4. Same user is modified in AD.
5. DIP AD -> OID synchronization fails to modify the corresponding user in OID.

The AD -> OID synchronization trace shows message 'Directories are in a inconsistent state.'

Example entries from DIP 10g synchronization trace log with profile debug enabled:

....
DN : cn=user43,cn=users,dc=oracle,dc=com
Searching for entry in Naming context:
Directories are in a inconsistent state. The entry cn=user43,cn=users,dc=oracle,dc=com is inconsistent. Please delete the entry from both directories and recreate it with the value required.
Setting Change Success Count : 3282
Setting Change Failure Count : 6
Replacing Attribute orclodipLastSuccessfulExecutionTime in the Profile with value : 20100619113023
Removed Existing attribute
RePopulated Attribute..
Updated Attributes
orclodipLastExecutionTime: 20100619113023
orclodipConDirLastAppliedChgNum: 52540569
orclOdipSynchronizationStatus: Synchronization Successful
orclodipLastSuccessfulExecutionTime: 20100619113023
Ending Mapping execution
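
A way to triage such a trace, as an added example that is not part of the original note: it collects the DNs reported as inconsistent and flags a run whose final status reads "Synchronization Successful" even though failures were recorded, as in the excerpt above. The function name `triage` and the report keys are assumptions; the patterns come from the trace lines shown.

```python
import re

# Patterns taken from the trace lines shown above.
INCONSISTENT = re.compile(r"The entry (?P<dn>.+?) is inconsistent\.")
FAILURES = re.compile(r"Setting Change Failure Count\s*:\s*(\d+)")
STATUS = re.compile(r"orclOdipSynchronizationStatus:\s*(.+)")

def triage(trace_text):
    """Summarise one profile trace: skipped DNs, failure count, final status."""
    dns, failures, status = [], 0, None
    for line in trace_text.splitlines():
        m = INCONSISTENT.search(line)
        if m and m.group("dn") not in dns:
            dns.append(m.group("dn"))
        m = FAILURES.search(line)
        if m:
            failures = int(m.group(1))  # keep the last value reported
        m = STATUS.search(line)
        if m:
            status = m.group(1).strip()
    return {
        "inconsistent_dns": dns,
        "failure_count": failures,
        "status": status,
        # A successful status alongside failures or skipped entries needs review.
        "needs_review": bool(dns or failures)
        and status == "Synchronization Successful",
    }

# Trace excerpt copied from the note's example.
SAMPLE_TRACE = """\
DN : cn=user43,cn=users,dc=oracle,dc=com
Directories are in a inconsistent state. The entry cn=user43,cn=users,dc=oracle,dc=com is inconsistent. Please delete the entry from both directories and recreate it with the value required.
Setting Change Success Count : 3282
Setting Change Failure Count : 6
orclOdipSynchronizationStatus: Synchronization Successful
"""

if __name__ == "__main__":
    report = triage(SAMPLE_TRACE)
    for dn in report["inconsistent_dns"]:
        print("inconsistent:", dn)
    print("failures:", report["failure_count"], "status:", report["status"])
```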



Scenario B

The problem occurs when the following is configured:

- AD Global Catalog -> OID synchronization (import).
- An AD forest with multiple AD domains exists. DIP is configured to synchronize users from several AD domains via the Global Catalog or directly from the different AD domains.
- The DIP synchronization profile is configured to "flatten" the synchronized entries in OID, removing AD subcontainers from the corresponding OID DN and creating the user directly below a specific OID container, e.g. cn=users,dc=oracle,dc=com.
- Multiple user entries with the same name (CN value) exist in the AD forest. They exist in different AD domains with different userPrincipalName and mail values.


Example sequence:

1. AD forest has 2 AD domains AD1.COM and AD2.COM.
2. User John Smith is created in AD1.COM, DN is CN=John.Smith,OU=StoreUsers,DC=ad1,DC=com, userPrincipalName=john.smith@ad1.com, mail=john.smith@ad1.com.
3. User John Smith is created in AD2.COM, DN is CN=John.Smith,OU=FieldSupport,DC=ad2,DC=com, userPrincipalName=john.smith@ad2.com, mail=john.smith@ad2.com.
4. DIP synchronization bootstrap is performed via the AD Global Catalog hostname and port.
      - DIP creates the John Smith user in OID using the entry from AD1.COM because that entry is returned first in the search results from the AD Global Catalog. Due to the profile DomainRules mapping, DIP creates the OID user with DN cn=John.Smith,cn=users,dc=oracle,dc=com.
      - DIP subsequently fails to bootstrap the John Smith user entry from AD2.COM to OID because it maps to the same OID DN cn=John.Smith,cn=users,dc=oracle,dc=com as the previously created AD1.COM user, so [LDAP: error code 68 - Entry Already Exists] occurs. This error is overlooked or disregarded in the bootstrap log.
5. User John Smith is modified in AD1.COM: DIP successfully synchronizes the change to OID.
6. User John Smith is modified in AD2.COM: DIP fails to synchronize the change to OID and reports error "Directories are in a inconsistent state".
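
A pre-bootstrap check for the collision in the sequence above, as an added example that is not part of the original note: it maps each AD DN to the flattened OID DN and reports every target DN claimed by more than one AD entry. The function names are hypothetical, and the mapping (leading RDN placed directly under one container) is a simplified assumption about the profile's DomainRules; the third sample entry is constructed.

```python
from collections import defaultdict

# Assumption: the flattened target container from the note's example.
TARGET_CONTAINER = "cn=users,dc=oracle,dc=com"

def leading_rdn(dn):
    """Return the first RDN of a DN, honouring backslash-escaped characters."""
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out).strip()

def flattened_dn(ad_dn, container=TARGET_CONTAINER):
    """Drop the AD subcontainers and place the entry under the OID container."""
    attr, _, value = leading_rdn(ad_dn).partition("=")
    return f"{attr.strip().lower()}={value.strip()},{container}"

def find_collisions(entries, container=TARGET_CONTAINER):
    """entries: (ad_dn, userPrincipalName) pairs.
    Returns {oid_dn: [(ad_dn, upn), ...]} for targets claimed more than once."""
    by_target = defaultdict(list)
    for ad_dn, upn in entries:
        # DN matching is case-insensitive, so group on the lowercased DN.
        by_target[flattened_dn(ad_dn, container).lower()].append((ad_dn, upn))
    return {dn: src for dn, src in by_target.items() if len(src) > 1}

# First two entries are from the note's example; the third is constructed.
SAMPLE = [
    ("CN=John.Smith,OU=StoreUsers,DC=ad1,DC=com", "john.smith@ad1.com"),
    ("CN=John.Smith,OU=FieldSupport,DC=ad2,DC=com", "john.smith@ad2.com"),
    ("CN=Jane.Doe,OU=StoreUsers,DC=ad1,DC=com", "jane.doe@ad1.com"),
]

if __name__ == "__main__":
    for oid_dn, sources in find_collisions(SAMPLE).items():
        print("collision on", oid_dn)
        for ad_dn, upn in sources:
            print("   ", upn, "<-", ad_dn)
```

Feeding it the DN and userPrincipalName of every user in the synchronization scope before the bootstrap lists the entries that would otherwise end in error code 68 and later in the "inconsistent state" error.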

Example entry from DIP 11g (wls_ods1) log file:

 

Scenario D

DIP instances are running in HA.

A plug-in was implemented and customized from: Synchronizing AD Users With DIP Based On AD Group Membership (Doc ID 804615.1)

The synchronization keeps retrying and does not synchronize anything.

LOG ERRORS
-----------------------
The OID LDAP server log shows:

[2018-08-02T19:28:22.869153+02:00] [OID] [TRACE:16] [] [OIDLDAPD] [host: infrahost] [pid: 32693] [tid: 9] [ecid: ecid# ,0:12] ServerWorker (REG):[[
BEGIN
ConnID:11805 mesgID:5 OpID:4  OpName:modify ConnIP:%HOST:PORTConnDN:orclodipagentname=ad_to_oid,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory
Server Java Plug-in * Deleting user from OID directly : CN=user6,OU=Users,OU=AD,DC=Oracle
2018-08-02T19:28:23.86971 * Server Java Plug-in * Attr Mod:uniquemember
2018-08-02T19:28:23.87020 * Server Java Plug-in * Attr Op Type:1
2018-08-02T19:28:23.87153 * Server Java Plug-in * Checking oid dn: uid=CN=user2,OU=Users,OU=AD,DC=Oracle
2018-08-02T19:28:23.87183 * Server Java Plug-in * Checking oid dn: uid=CN=user3,OU=Users,OU=AD,DC=Oracle
2018-08-02T19:28:23.87214 * Server Java Plug-in * Checking oid dn: uid=CN=user1,OU=Users,OU=AD,DC=Oracle
2018-08-02T19:28:23.87243 * Server Java Plug-in * Checking oid dn: *
2018-08-02T19:28:23.87300 * Server Java Plug-in * Error converting the DN:String index out of range: -48
2018-08-02T19:28:23.90528 * Server Java Plug-in * Updating AD user : slombara
2018-08-02T19:28:23.90575 * Server Java Plug-in * Searching using filter is : (sAMAccountName=user1)
2018-08-02T19:28:23.90684 * Server Java Plug-in * Calling Search on AD base DN:OU=AD,DC=Oracle
2018-08-02T19:28:23.100431 * Server Java Plug-in * Search Completed.
2018-08-02T19:28:23.101209 * Server Java Plug-in * AD DN of the user to be updated = : CN=user1,OU=Users,OU=AD,DC=Oracle
...<etc>....
2018-08-02T19:28:23.169303 * Server Java Plug-in * AD DN of the user to be updated = : CN=User2,OU=Users,OU=AD,DC=Oracle
2018-08-02T19:28:23.172695 * WARN * sgslprp_retrieveResObject * Plug-in grp_plg.jar returned a null LdapOperation. The LdapOperation will remain unchanged.
2018-08-02T19:28:23.172771 * Entry: gslbpifFreeMod()
2018-08-02T19:28:23.172795 * Entry: gslbpicCopyMod()
2018-08-02T19:28:23.172809 * Entry: gslbpigGetNewMod()
2018-08-02T19:28:23.172827 * Entry: gslbpigGetNewMod()
2018-08-02T19:28:23.172847 * SUCCESS * gslpprm_ExecPreModifyPlugin * Successfully Executed Java Plug-in grp_plg.jar
2018-08-02T19:28:23.172874 * INFO * gslusdnGetRDNParentDnFromDN : Entry
2018-08-02T19:28:23.172894 * INFO * gslusdnGetRDNParentDnFromDN : Exit


The DIP logs show the same user (username User1) being attempted, with a message that no changes are required. They also show this error:

[2018-08-02T21:00:01.364+02:00] [wls_ods1] [ERROR] [DIP-10225] [oracle.dip.AD_TO_OID] [tid: oracle.ldap.odip.web.DIPSyncWriterThread] [userId: admin] [ecid: ecid#] [APP: DIP#11.1.1.2.0] Exception modifying entry : [LDAP: error code 19 - Constraint Violation].
[2018-08-02T21:00:01.364+02:00] [wls_ods1] [TRACE] [] [oracle.dip.AD_TO_OID] [tid: oracle.ldap.odip.web.DIPSyncWriterThread] [userId: admin] [ecid: ecid#,1:29488] [APP: DIP#11.1.1.2.0] [SRC_CLASS: oracle.ldap.odip.gsi.LDAPWriter] [SRC_METHOD: modifyRadd] Error in modifying Entry 'cn=usersgroup,ou=group,cn=groups,dc=oracle[[
ODIException: Error Modifying Entry in Directory
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1352)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1156)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:1115)
at oracle.ldap.odip.gsi.LDAPWriter.performWriteChanges(LDAPWriter.java:602)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:273)
at oracle.ldap.odip.web.DIPSyncWriterThread.run(DIPSyncWriterThread.java:71)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Constraint Violation]; remaining name ''cn=usersgroup,ou=group,cn=groups,dc=oracle'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3119)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3052)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2843)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1479)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:172)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1302)
... 5 more

]]
[2018-08-02T21:00:01.365+02:00] [wls_ods1] [ERROR] [DIP-10005] [oracle.dip.AD_TO_OID] [tid: oracle.ldap.odip.web.DIPSyncWriterThread] [userId: admin] [ecid: ecid#1:29488] [APP: DIP#11.1.1.2.0] Error in applying map rule.[[
ODIException: Error Modifying Entry in Directory
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1352)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1156)
at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:1115)
at oracle.ldap.odip.gsi.LDAPWriter.performWriteChanges(LDAPWriter.java:602)
at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:273)
at oracle.ldap.odip.web.DIPSyncWriterThread.run(DIPSyncWriterThread.java:71)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Constraint Violation]; remaining name 'cn=usersgroup,ou=group,cn=groups,dc=oracle
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3119)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3052)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2843)
at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1479)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190)
at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:172)
at oracle.ldap.odip.gsi.LDAPWriter.checkNReplace(LDAPWriter.java:1302)


Changes

 

Cause
