000017812 - FIX: Frequent LDAP failure messages 'Selected user name (XXXX) is already in use with a different distinguished name' while running on Archer LDAP Sync

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 2.

Article Content

Article Number 000017812
Applies To RSA Archer 5.x
Issue FIX: Frequent LDAP failure messages "Selected user name (XXXX) is already in use with a different distinguished name" while running the Archer LDAP Sync

If you get the following error:

System.Exception: Selected user name (XXXX) is already in use with a different distinguished name (CN=XXXX,OU=Users,DC=LDS,DC=Internal,DC=RSA,DC=com). If you would like to update this user, delete the value for distinguished name in the Archer database and run the sync again.

Cause

The issue stems from naming and organizational changes made to the Active Directory OUs. These organizational units form the distinguished names (DNs) that the sync uses to match users between Archer and the LDAP server. For example, suppose your DN in the local AD server is "CN=Amy Blocher,CN=Users,DC=archer-tech,DC=com". If an administrator (Frank or Troy, say) changes the OU structure and moves you into an organizational unit named "Support", your DN changes to something like "CN=Amy Blocher,OU=Support,DC=archer-tech,DC=com" (the part that used to be "CN=Users" is now "OU=Support"). After this change, the next LDAP sync cannot associate your existing Archer user account with the LDAP user account, because the Archer account is still tied to the old DN. The old Archer account is therefore deactivated by rule (since "CN=Amy Blocher,CN=Users,DC=archer-tech,DC=com" no longer exists in LDAP and is assumed to be a defunct account) and a new one is created (since "CN=Amy Blocher,OU=Support,DC=archer-tech,DC=com" does not exist in Archer, so it appears to be a new account).

 

To clarify the previous statement: the OU change matters for subsequent syncs because of the order in which the sync matches accounts. The DN is the first attribute the sync matches on; the user name is the second. If the sync does not find a match for the DN, it looks for a match on the user name being passed across. If it finds one, it compares the DNs again, and if they do not match, the user account is set to inactive and a message is logged in the LDAP log (in the UI) indicating that the user name is already in use with a different DN. That is one scenario in which an account is inactivated. A second is an account that is no longer retrieved by the base DN/filter settings of the sync (assuming the inactivate option is ON in the configuration). A third, less common, cause is exceeding the account limit of the license.

Resolution

Run the following against the Archer instance database (take a database backup first; the statement clears the stored DN for every user of the listed types, so the next sync re-links each of them by user name):

    UPDATE tbluser SET distinguished_name='' WHERE user_type_id=1 OR user_type_id=5;

Run the LDAP sync once. If group sync is enabled, run it twice.
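The matching order described in the Cause section (DN first, then user name) and the effect of the tbluser fix above, as an added simulation that is not part of this article or of the Archer product. The table layout (columns user_name, distinguished_name, user_type_id, is_active), the user_type_id value used for the sample account, the directory entries, and the reactivation of a re-linked account are assumptions made for illustration; the logged message text is taken from the error quoted above.

```python
"""Simulation of the Archer LDAP sync matching order described in the
article (DN first, then user name): the OU move that triggers the
"already in use with a different distinguished name" message, and the
tbluser fix that clears the stored DN so the next sync re-links the user.
Added example with a constructed in-memory table; not Archer's own code."""
import sqlite3

# Message text taken from the article's error; name and old DN are filled in.
MSG = ("Selected user name ({name}) is already in use with a different "
       "distinguished name ({dn}).")

LDAP_USER_TYPE = 1   # assumption: one of the user_type_id values the fix targets


def new_db():
    """In-memory stand-in for the Archer instance database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE tbluser (
        user_id INTEGER PRIMARY KEY,
        user_name TEXT UNIQUE,
        distinguished_name TEXT,
        user_type_id INTEGER,
        is_active INTEGER)""")
    return db


def ldap_sync(db, entries):
    """Apply one sync pass. `entries` is a list of (user_name, dn) tuples as
    the LDAP query would return them. Returns the log lines produced."""
    log = []
    for name, dn in entries:
        # 1. Match on the stored distinguished name first.
        row = db.execute("SELECT user_id FROM tbluser WHERE distinguished_name=?",
                         (dn,)).fetchone()
        if row:
            db.execute("UPDATE tbluser SET is_active=1 WHERE user_id=?", row)
            continue
        # 2. No DN match: fall back to the user name.
        row = db.execute(
            "SELECT user_id, distinguished_name FROM tbluser WHERE user_name=?",
            (name,)).fetchone()
        if row is None:
            # 3. Unknown by DN and by user name: create a new account.
            db.execute("INSERT INTO tbluser (user_name, distinguished_name, "
                       "user_type_id, is_active) VALUES (?,?,?,1)",
                       (name, dn, LDAP_USER_TYPE))
        elif not row[1]:
            # Stored DN is blank (the article's fix was applied): adopt the
            # new DN. Reactivating here is an assumption of the simulation.
            db.execute("UPDATE tbluser SET distinguished_name=?, is_active=1 "
                       "WHERE user_id=?", (dn, row[0]))
        else:
            # Same user name but a different stored DN: log and deactivate.
            log.append(MSG.format(name=name, dn=row[1]))
            db.execute("UPDATE tbluser SET is_active=0 WHERE user_id=?", (row[0],))
    return log


def clear_dns(db):
    """The resolution from the article: blank the stored DN so the next
    sync matches on user name alone."""
    db.execute("UPDATE tbluser SET distinguished_name='' "
               "WHERE user_type_id=1 OR user_type_id=5")


def user_state(db, name):
    """Return (distinguished_name, is_active) for one user."""
    return db.execute("SELECT distinguished_name, is_active FROM tbluser "
                      "WHERE user_name=?", (name,)).fetchone()


def demo():
    """Walk through the scenario from the Cause section with constructed data.
    Returns ((state, log) after the OU move, (state, log) after the fix)."""
    old_dn = "CN=Amy Blocher,CN=Users,DC=archer-tech,DC=com"
    new_dn = "CN=Amy Blocher,OU=Support,DC=archer-tech,DC=com"
    db = new_db()
    ldap_sync(db, [("ablocher", old_dn)])          # initial sync creates the user
    log = ldap_sync(db, [("ablocher", new_dn)])    # sync after the OU move
    after_move = (user_state(db, "ablocher"), log)
    clear_dns(db)                                  # apply the article's UPDATE
    log2 = ldap_sync(db, [("ablocher", new_dn)])   # rerun the sync
    after_fix = (user_state(db, "ablocher"), log2)
    return after_move, after_fix


if __name__ == "__main__":
    for label, (state, log) in zip(("after OU move", "after fix"), demo()):
        print(label, state, log)
```

The second sync pass finds no row with the new DN, falls back to the user name, sees a different non-empty DN stored, logs the message and deactivates the account; after clear_dns the same pass adopts the new DN instead, which is why the article says to clear the value and run the sync again.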

Legacy Article ID a65906
