Unable To Enable Referential Integrity (RI) In OID: Cannot successfully update the configuration parameters: Reason [LDAP: error code 53 - There is a violation of Referential Integrity.

(Doc ID 1527559.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Internet Directory - Version 11.1.1.2.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Internet Directory (OID) 10g or 11g, i.e., 11.1.1.6.0, is integrated with OIM, OAM, OAAM, WebLogic, and OPSS via Enterprise Deployment Guide (EDG) methods.

The OIM LDAP Sync directory was provisioned from OID bulkload from another OID 11g (only user entries, e.g., from the cn=users,dc=mycompany,dc=com container) and maintained by an OIM 10g Connector.


While attempting to change the CN (common name) of a user in OIM 11g, it complains that Referential Integrity (RI) is not configured in OIM and OID, which is an issue described in the following Note:

  Error While Modifying User's Common Name in OIM <Document 1376658.1>

When trying to turn on RI in OID in EM as documented, it fails with:

Cannot successfully update the configuration parameters: Reason [LDAP:
error code 53 - There is a violation of Referential Integrity. Run the
OIDDIAG tool with diagnostic option to collect RI violating entries. ]

 
After running oiddiag as suggested, it reports hundreds of RI violations on group memberships (dangling DNs) that would need to be corrected before RI can be enabled, for example:

...<snip>...

Report RI Violating Entries--Duplicate Entries, Dangling DN's]
Fri Jan 18 08:35:28 EST 2013
Diagnotics Information:

Report of Dangling DN's
-----------------------

Dangling DN is cn=addressbookadmins,cn=groups,cn=oraclecontext for the attribute "UNIQUEMEMBER" in the entry cn=addressbookadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com
Dangling DN is cn=addressbookadmins,cn=groups,cn=oraclecontext for the attribute "UNIQUEMEMBER" in the entry cn=addressbookadmins,cn=groups,cn=oraclecontext
Dangling DN is cn=administrators+orcljaznjavaclass=weblogic.security.principal.WLSGroupImpl for the attribute "UNIQUEMEMBER" in the entry cn=b2bmonitor,cn=roles,cn=b2bui,cn=iamdomain,cn=jpscontext,cn=jpsroot
Dangling DN is cn=administrators+orcljaznjavaclass=weblogic.security.principal.WLSGroupImpl for the attribute "UNIQUEMEMBER" in the entry cn=oin_admin,cn=roles,cn=oinav\#11.1.1.3.0,cn=iamdomain,cn=jpscontext,cn=jpsroot
Dangling DN is cn=orcladmin for the attribute "UNIQUEMEMBER" in the entry cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com
Dangling DN is cn=orcladmin for the attribute "UNIQUEMEMBER" in the entry cn=oraclenetadmins,cn=oraclecontext,dc=mycompany,dc=com

...<etc, etc>...

 

The LDIF file generated from the oiddiag report modifies all the groups to delete every member/uniquemember DN that was flagged. However, inspecting the groups and members in the problem OID, and comparing them with another working (LDAP replicated) OID, shows that the flagged members and uniquemembers do exist in OID and their DNs are correct. These entries are therefore being incorrectly flagged and are not really dangling.
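
Because the generated LDIF removes group memberships, the flagged values are worth cross-checking before it is applied. The following is an added example, not Oracle's code or part of the original note: it parses the "Dangling DN is ..." lines in the format shown above and separates flagged values that are present in a list of entry DNs exported from the directory from those that are absent. The function names, the exported DN list and the case-insensitive DN comparison are assumptions.

```python
import re
from collections import defaultdict

# Line format as it appears in the oiddiag report excerpt on this page.
LINE_RE = re.compile(
    r'^Dangling DN is (?P<dn>.+?) for the attribute "(?P<attr>[^"]+)" '
    r'in the entry (?P<entry>.+)$'
)

def normalize_dn(dn):
    """Trim and lower-case each RDN; split only on unescaped commas.
    Assumption: the naming attributes involved match case-insensitively."""
    rdns = re.split(r'(?<!\\),', dn.strip())
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower()
        for rdn in rdns
    )

def parse_report(text):
    """Yield (flagged_dn, attribute, group_entry) for each report line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["dn"], m["attr"].lower(), m["entry"]

def triage(report_text, existing_dns):
    """Return (present, absent): flagged values grouped by group entry,
    split on whether the flagged DN is in the exported DN list."""
    known = {normalize_dn(d) for d in existing_dns}
    present, absent = defaultdict(list), defaultdict(list)
    for dn, attr, entry in parse_report(report_text):
        bucket = present if normalize_dn(dn) in known else absent
        bucket[entry].append((attr, dn))
    return dict(present), dict(absent)

# Three report lines copied from the excerpt above.
SAMPLE_REPORT = '''
Dangling DN is cn=addressbookadmins,cn=groups,cn=oraclecontext for the attribute "UNIQUEMEMBER" in the entry cn=addressbookadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com
Dangling DN is cn=administrators+orcljaznjavaclass=weblogic.security.principal.WLSGroupImpl for the attribute "UNIQUEMEMBER" in the entry cn=b2bmonitor,cn=roles,cn=b2bui,cn=iamdomain,cn=jpscontext,cn=jpsroot
Dangling DN is cn=orcladmin for the attribute "UNIQUEMEMBER" in the entry cn=oraclecontextadmins,cn=groups,cn=oraclecontext,dc=mycompany,dc=com
'''
# Constructed stand-in for a DN export from the directory (not real data).
SAMPLE_EXISTING = ["CN=AddressBookAdmins, cn=Groups, cn=OracleContext", "cn=orcladmin"]

if __name__ == "__main__":
    present, absent = triage(SAMPLE_REPORT, SAMPLE_EXISTING)
    for label, result in (("PRESENT (likely false positive)", present), ("ABSENT", absent)):
        for entry, values in result.items():
            for attr, dn in values:
                print(f"{label}: {attr}={dn} in {entry}")
```

Values reported as present match the situation described above and should not be deleted by the generated LDIF without further investigation.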

 

Cause
