Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000036937 - Access Fulfillment Express (AFX) AD LDAP connector fails to remove AD account with error "Not Allowed On Non-leaf" in RSA Identity Governance and Lifecycle 7.x

Document created by RSA Customer Support

on Dec 11, 2018•Last modified by RSA Customer Support

on Feb 22, 2019

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000036937
Applies To	RSA Product Set: Identity Governance & Lifecycle RSA Version/Condition: 7.0.2, 7.1.0
Issue	The RSA Identity Governance & Lifecycle Access Fulfillment Express (AFX) AD LDAP connector fails to remove an AD account. This issue occurs for accounts that have Microsoft ActiveSync enabled which causes the AD account object to have a leaf object. The /home/oracle/AFX/esb/logs/esb.AFX-SETTINGS-ActiveDirectory.log shows the following error message: 2018-11-07 13:47:39.351 [ERROR] org.mule.transport.ldapx.LdapxConnector:337 - Error: LDAPException: Not Allowed On Non-leaf (66) Not Allowed On Non-leaf LDAPException: Server Message: 00002015: UpdErr: DSID-031A1226, problem 6003 (CANT_ON_NON_LEAF), data 0 LDAPException: Matched DN:
Cause	This is a known limitation of the Active Directory LDAP Connector when provisioning over the LDAP protocol to Microsoft Active Directory. This is a limitation of Microsoft Active Directory when using LDAP, this is not a limitation of the RSA Identity Governance & Lifecycle product.
Resolution	There is no resolution using the AFX AD LDAP connector. RSA Identity Governance & Lifecycle does allow you to use different types of connectors for provisioning to Microsoft using PowerShell. The Microsoft Exchange 2007, Microsoft Exchange 2010, Microsoft Exchange 2013 and the Office365 connectors all leverage PowerShell to provision against Microsoft products. In addition the Generic SSH connector can be configured to use PowerShell for provisioning to Microsoft. These are advanced connectors however and they may require customization or advanced configuration to achieve your business objectives. They do not directly replace the Active Directory LDAP Connector, they are different connectors that may be used to achieve different purposes. Customers not familiar with connector design and Microsoft PowerShell scripting should contact RSA Professional Services for assistance in designing a custom connector for this purpose.
Workaround	Customers may use various out of band techniques to remove the ActiveSync association from the account before deleting the account. Alternatively customers have used techniques to disable the account and then move the account to an OU outside of the collection. The account can them be deleted out of band.

Attachments

Outcomes

0 Comments

Recommended Content