
Enabling Referential Integrity (RI) In OID Fails with: Cannot successfully update the configuration parameters: Reason [LDAP: error code 53 - There is a violation of Referential Integrity. (Doc ID 1527559.1)

Last updated on OCTOBER 28, 2020

Applies to:

Oracle Internet Directory - Version 11.1.1 and later
Information in this document applies to any platform.

Symptoms

An attempt to change the CN (common name) of a user in Oracle Internet Directory (OID), for example from an integrated application such as Oracle Identity Manager (OIM), produces a complaint that Referential Integrity (RI) is not configured in OID; reference:

  How To Enable Referential Integrity In OID 11g (Doc ID 2450603.1)


Trying to turn on RI in OID through Enterprise Manager (EM), as documented, fails with:

Cannot successfully update the configuration parameters: Reason [LDAP:
error code 53 - There is a violation of Referential Integrity. Run the
OIDDIAG tool with diagnostic option to collect RI violating entries. ]

 
Running oiddiag as suggested reports RI violations on group memberships (dangling DNs) that would need to be corrected before RI can be enabled, for example:

...<snip>...

Report RI Violating Entries--Duplicate Entries, Dangling DN's]
Fri Jan 18 08:35:28 EST 2013
Diagnotics Information:

Report of Dangling DN's
-----------------------

Dangling DN is cn=<CN>,cn=groups,cn=oraclecontext for the attribute "UNIQUEMEMBER" in the entry cn=<CN>,cn=groups,cn=oraclecontext,dc=<COMPANY>,dc=com
Dangling DN is cn=<CN>,cn=groups,cn=oraclecontext for the attribute "UNIQUEMEMBER" in the entry cn=<CN>,cn=groups,cn=oraclecontext
Dangling DN is cn=administrators+orcljaznjavaclass=weblogic.security.principal.WLSGroupImpl for the attribute "UNIQUEMEMBER" in the entry cn=<CN>,cn=roles,cn=<CN>,cn=<CN>,cn=jpscontext,cn=jpsroot
Dangling DN is cn=administrators+orcljaznjavaclass=weblogic.security.principal.WLSGroupImpl for the attribute "UNIQUEMEMBER" in the entry cn=<CN>,cn=roles,cn=<CN>,cn=<CN>,cn=jpscontext,cn=jpsroot
Dangling DN is cn=orcladmin for the attribute "UNIQUEMEMBER" in the entry cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=<COMPANY>,dc=com
Dangling DN is cn=orcladmin for the attribute "UNIQUEMEMBER" in the entry cn=oraclenetadmins,cn=oraclecontext,dc=<COMPANY>,dc=com

...<etc, etc>...

 

The LDIF file generated from the oiddiag report modifies all the groups to delete every member/uniquemember DN that was flagged. However, inspecting the groups and members in the problem OID, and comparing them with another working (LDAP-replicated) OID, shows that the flagged members and uniquemembers do exist in OID and their DNs are correct. These entries are therefore being incorrectly flagged and are not really dangling.
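One way to run that comparison before applying the generated LDIF, as an added example (not Oracle's tooling and not part of the original note): it parses the "Dangling DN is ..." lines in the format shown above and checks each flagged member against a list of DNs known to exist in the directory. The sample report, the DNs and all function names are constructed for illustration.

```python
import re

# Line shape taken from the oiddiag report excerpt above.
LINE_RE = re.compile(
    r'^Dangling DN is (?P<member>.+?) for the attribute "(?P<attr>[^"]+)" '
    r'in the entry (?P<entry>.+)$'
)

def normalize_dn(dn):
    """Lower-case a DN and strip spaces around ',' and '=' so spellings compare equal."""
    rdns = re.split(r'(?<!\\),', dn.strip())  # split on unescaped commas only
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower() for rdn in rdns
    )

def parse_report(text):
    """Return (member_dn, attribute, group_dn) tuples for every dangling-DN line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(
                (normalize_dn(m["member"]), m["attr"].lower(), normalize_dn(m["entry"]))
            )
    return findings

def triage(report_text, existing_dns):
    """Split findings into DNs really absent and DNs flagged although they exist."""
    present = {normalize_dn(dn) for dn in existing_dns}
    result = {"confirmed_dangling": [], "flagged_but_present": []}
    for finding in dict.fromkeys(parse_report(report_text)):  # drop repeated lines
        key = "flagged_but_present" if finding[0] in present else "confirmed_dangling"
        result[key].append(finding)
    return result

# Constructed sample data (not from a real directory).
SAMPLE_REPORT = """\
Report of Dangling DN's
-----------------------
Dangling DN is cn=AppAdmins,cn=groups,dc=example,dc=com for the attribute "UNIQUEMEMBER" in the entry cn=Operators,cn=groups,dc=example,dc=com
Dangling DN is cn=AppAdmins,cn=groups,dc=example,dc=com for the attribute "UNIQUEMEMBER" in the entry cn=Operators,cn=groups,dc=example,dc=com
Dangling DN is cn=olduser,cn=users,dc=example,dc=com for the attribute "UNIQUEMEMBER" in the entry cn=Operators,cn=groups,dc=example,dc=com
"""
SAMPLE_EXISTING = ["CN=AppAdmins, CN=Groups, DC=example, DC=com",
                   "cn=Operators,cn=groups,dc=example,dc=com"]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_REPORT, SAMPLE_EXISTING).items():
        for member, attr, group in rows:
            print(f"{bucket}: {attr} {member} in {group}")
```

Feed it the full oiddiag output and a DN list exported from the directory (for example the `dn:` lines of an LDIF dump); anything reported as `flagged_but_present` should be kept out of the clean-up LDIF so that valid group memberships are not deleted.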


In addition, or instead, oiddiag may report other issues such as inconsistent entries, duplicate entries, missing indexes, etc.

 

Changes

 

Cause
