000036937 - Access Fulfillment Express (AFX) AD LDAP connector fails to remove AD account with error "Not Allowed On Non-leaf" in RSA Identity Governance and Lifecycle 7.x

Document created by RSA Customer Support Employee on Dec 11, 2018. Last modified by RSA Customer Support Employee on Feb 22, 2019.
Version 2

Article Content

Article Number: 000036937
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2, 7.1.0
  • The RSA Identity Governance & Lifecycle Access Fulfillment Express (AFX) AD LDAP connector fails to remove an AD account.
  • This issue occurs for accounts that have Microsoft ActiveSync enabled, because ActiveSync creates child objects beneath the AD account object, so the account is no longer a leaf object.
  • The /home/oracle/AFX/esb/logs/esb.AFX-SETTINGS-ActiveDirectory.log shows the following error message:

2018-11-07 13:47:39.351 [ERROR] org.mule.transport.ldapx.LdapxConnector:337 - Error: LDAPException: Not Allowed On Non-leaf (66) Not Allowed On Non-leaf
LDAPException: Server Message: 00002015: UpdErr: DSID-031A1226, problem 6003 (CANT_ON_NON_LEAF), data 0

LDAPException: Matched DN:
  • This is a known limitation of the Active Directory LDAP Connector when provisioning over the LDAP protocol to Microsoft Active Directory: a standard LDAP delete operation only removes leaf entries, and Active Directory rejects the delete of an object that still has children (error 66, CANT_ON_NON_LEAF).
  • This is a limitation of Microsoft Active Directory when using LDAP; it is not a limitation of the RSA Identity Governance & Lifecycle product.
Resolution
There is no resolution using the AFX AD LDAP connector.

RSA Identity Governance & Lifecycle does allow you to use other types of connectors that provision to Microsoft products using PowerShell. The Microsoft Exchange 2007, Microsoft Exchange 2010, Microsoft Exchange 2013 and Office365 connectors all leverage PowerShell to provision against Microsoft products. In addition, the Generic SSH connector can be configured to use PowerShell for provisioning to Microsoft. These are advanced connectors, however, and they may require customization or advanced configuration to achieve your business objectives. They do not directly replace the Active Directory LDAP Connector; they are different connectors that may be used for different purposes. Customers not familiar with connector design and Microsoft PowerShell scripting should contact RSA Professional Services for assistance in designing a custom connector for this purpose.
Workaround
Customers may use various out-of-band techniques to remove the ActiveSync association from the account before deleting the account.

Alternatively, customers have used techniques to disable the account and then move it to an OU outside of the collection. The account can then be deleted out of band.
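The pre-flight check and the disable/move/delete workaround above, as an added PowerShell example that is not RSA's code and not part of the AFX connector. It assumes the RSAT ActiveDirectory module is installed and the operator has rights on the target OU; the account name and quarantine OU are placeholders.

```powershell
# Added example, not part of the RSA article or the AFX connector.
# Checks whether an AD account is a non-leaf object (the condition that makes the
# AFX LDAP delete fail with error 66) and applies the article's out-of-band workaround.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'                              # placeholder account
$QuarantineOU   = 'OU=Quarantine,DC=example,DC=com'   # placeholder OU outside the AFX collection scope

function Test-ADAccountIsLeaf {
    param([string]$DistinguishedName)
    # Any object one level beneath the account DN (e.g. the ActiveSync device container)
    # makes the account a non-leaf; a plain LDAP delete of it returns "Not Allowed On Non-leaf".
    $children = Get-ADObject -Filter * -SearchBase $DistinguishedName -SearchScope OneLevel
    return [pscustomobject]@{ IsLeaf = (-not $children); Children = @($children) }
}

$user   = Get-ADUser -Identity $SamAccountName
$result = Test-ADAccountIsLeaf -DistinguishedName $user.DistinguishedName

if ($result.IsLeaf) {
    Write-Host "'$SamAccountName' is a leaf object; the AFX AD LDAP connector can delete it."
}
else {
    Write-Host "'$SamAccountName' is a non-leaf object; child objects blocking the LDAP delete:"
    $result.Children | Select-Object Name, ObjectClass | Format-Table -AutoSize

    # Workaround step 1: disable the account so it can no longer be used.
    Disable-ADAccount -Identity $user

    # Workaround step 2: move it out of the collected OU so AFX stops trying to delete it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU

    # Workaround step 3 (out of band, after review): delete the account together with its
    # child objects. -Recursive is what a plain LDAP delete lacks. Uncomment to run.
    # $moved = Get-ADUser -Identity $SamAccountName
    # Remove-ADObject -Identity $moved.DistinguishedName -Recursive -Confirm:$false
}
```

Run the check alone first on a test account; the move and delete steps change directory state and should be reviewed against your own deprovisioning process.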