AD to OID 10g DIP Sync Of AD Empty Groups (Groups Created With No Member) Fails With "Attribute Member Has No Value" (Or "invalid name found" Message in Windows) (Doc ID 471557.1)

Last updated on AUGUST 08, 2022

Applies to:

Symptoms

Scenario:

Using Active Directory (AD) to Oracle Internet Directory (OID) DIP synchronization 10g.

Using a separate group sync profile as per <Note 287094.1>, and must use the domain editing rule
(i.e., cn=%,<user container,realm>) to flatten the DIT in OID, for example:

DomainRules
OU=<OU1>,DC=<COMPANY>,dc=com:cn=<OU1>,cn=groups,dc=<COMPANY>,dc=com:cn=%,cn=<OU1>,cn=groups,dc=<COMPANY>,dc=com

In order to get the member DN mapped correctly, also using the trunc function to set the correct user container and realm and that works fine, for example:

member: : :group:uniquemember: :groupofUniqueNames:trunc(member,',')+",cn=users,dc=<COMPANY>,dc=com"

Note: Please reference explanations and examples in <Note 261342.1> if needed.

Whenever the groups are created empty in AD, with no members / without any members at all, it causes the sync to fail and stop, and the following exception appears in the trace file:

searchF : (objectclass=group)
CHGLOGFILTER : (&(USNChanged>=137811951)(USNChanged<=137812450)(objectclass=group))
Search Time 115
Search Successful till # 137812450
Search Changes Done
Changenumber uSNChanged: 137811951
targetdn distinguishedName: CN=<GROUPNAME>,OU=<OU1>,DC=<COMPANY>,dc=com
Attribute member has no value
java.util.NoSuchElementException: Attribute member has no value
at javax.naming.directory.BasicAttribute.get(BasicAttribute.java:281)
at oracle.ldap.odip.gsi.ActiveChgReader.createChangeRecord(ActiveChgReader.java:475)
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:562)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DIP_GEN_CREATECHG_EXCEPTION
Error in executing mapping DIP_GEN_CREATECHG_EXCEPTION
DIP_GEN_CREATECHG_EXCEPTION
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:722)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
DIP_GEN_CREATECHG_EXCEPTION
AdGrpSync:Error in Mapping EngineDIP_GEN_CREATECHG_EXCEPTION
DIP_GEN_CREATECHG_EXCEPTION
at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:741)
at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:306)
at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:186)
AdGrpSync:about to Update exec status
Updated Attributes
orclodipLastExecutionTime: 20071130080036
orclodipConDirLastAppliedChgNum: 137811950
orclOdipSynchronizationStatus: Mapping Failure, Agent Execution Not Attempted
orclOdipSynchronizationErrors:
Updated Attributes
orclodipLastExecutionTime: 20071130080036
orclodipConDirLastAppliedChgNum: 137811950
orclOdipSynchronizationStatus: Agent Execution Successful, Mapping/IMPORT operation Failure
orclOdipSynchronizationErrors: Agent Execution Successful, Mapping/IMPORT operation Failure
Ending Mapping execution.

Note: In Windows it may not throw an exception, but the group is not sync'd either and an
"invalid name found" message may appear at the bottom of the trace section cycle.

After adding a member to the group in AD, then the sync works fine and the group is then created without problems.

Also tried following editing rule, to see if could get the group owner when no member existed, but this does not help:

member|managedby: : :group:uniquemember: :groupofUniqueNames:trunc(member|managedby,',')+",cn=users,dc=<COMPANY>,dc=com"

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.