000013061 - How to delete a duplicate user or duplicate group, or how to run a scheduled cleanup job when the identity source no longer exists

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000013061
Applies To: RSA Authentication Manager 7.1
The LDAP directory server backing the identity source was removed from the network before any change was made to the identity source in Authentication Manager.
Issue: How to run a scheduled cleanup job when the identity source no longer exists
How to force the cleanup of a particular user or group
Attempting to add a user with the same user ID gives the error message:
  There was a problem processing your request.
  Cannot add or manage a user with user ID rsatest. Your deployment is configured to not allow duplicate user IDs in a realm. This user ID is already in use by an unresolvable user in this realm.
  For more information, see the Troubleshooting appendix in the Administrator's Guide.

Attempting to run a one-time cleanup job fails, and the system log shows:
  Unable to connect to LDAP Identity Source
  Skipping identity source: 1acf46bc2cf7b50a03897609cbd4d0ff (myidentitysource.com
  Unable to run the cleanup job because of the error LDAP_CONNECTION_FAILED
  com.rsa.ims.admin.dal.ldap.ConnectionException: Error connecting to the identity source
  The following identity sources were unavailable while generating the list of unresolvable users.
  If you want to clean up users from all your identity sources, make sure that all identity sources are available and configure settings again.
Resolution: The cleanup job cannot run because the LDAP server is no longer reachable. The workaround is to point the identity source at a reachable directory with search filters that match nothing, so that every user and group from the old source becomes unresolvable and can be cleaned up:
  1. Go to the Operations Console.
  2. Edit the identity source whose directory server was removed.
  3. On the Connection(s) tab, change the LDAP URL connection strings to those of ANY reachable LDAP directory. The only requirement is that Test Connection succeeds.
  4. On the Map page, make sure that the User Base DN and User Group Base DN values point to entries that exist in that directory.
  5. Under Directory Configuration - Users, change the search filter to a value that will produce NO results, for example (&(objectClass=User)(objectcategory=person)(cn=XYZABC123))
  6. Under Directory Configuration - User Groups, change the search filter to a value that will produce no results, for example (&(objectClass=group)(cn=XYZABC123))
  7. Save the settings.
  8. In the Security Console, go to Setup -> Identity Sources -> Clean Up Unresolvable Users.
  9. Select a Grace Period of None.
  10. On clicking Next, all users in the identity source are listed as unresolvable and can now be deleted.
Because both filters match nothing, no account from the stand-in directory is exposed to Authentication Manager; that directory is used only to satisfy the connection test. Once the users and groups have been cleaned up, unlink the identity source from the realm and delete it rather than leaving it pointed at an unrelated directory.
To force the cleanup of a particular user or group (for example user myuser or group mygroup):
  1. Go to the Operations Console.
  2. Edit the identity source that contains the user or group you wish to clean up.
  3. On the Connection(s) tab, verify that the LDAP URL connection strings are correct. The important thing is that Test Connection succeeds.
  4. On the Map page, make sure that the User Base DN and User Group Base DN values point to entries that exist in your LDAP directory.
  5. (Skip this step if you are only deleting a group.) Under Directory Configuration - Users, change the search filter to a value that excludes the user you wish to clean up, for example (&(objectClass=User)(objectcategory=person)(!(sAMAccountName=myuser)))
  6. (Skip this step if you are only deleting a user.) Under Directory Configuration - User Groups, change the search filter to a value that excludes the group you wish to clean up, for example (&(objectClass=group)(!(cn=mygroup)))
  7. Save the settings.
  8. In the Security Console, go to Setup -> Identity Sources -> Clean Up Unresolvable Users.
  9. Select a Grace Period of None.
  10. On clicking Next, user myuser and/or group mygroup are listed as unresolvable and can be scheduled for cleanup.
Two points on the filters: the operands are nested directly inside a single (&...), so a spelling such as (&(objectClass=User)&(objectcategory=person)&(...)) is not a valid LDAP filter and the search will fail rather than exclude the user; and sAMAccountName is the usual User ID attribute for Active Directory, so if your identity source maps the user ID to a different attribute, filter on that attribute instead. After the cleanup has run, restore the original search filters; while the exclusion filter is in place the excluded user or group is invisible to Authentication Manager, so a re-created account with the same ID would not be picked up.
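The search filters in both procedures decide exactly which accounts Authentication Manager will see, so it is worth checking them before they are saved in the Operations Console. The following is an added example, not RSA's code: a small evaluator for the subset of RFC 4515 filter syntax these steps use (and, or, not, equality and presence), run offline against constructed sample entries that stand in for what an Active Directory search base might return. It shows that the "no results" filters from the first procedure select nothing, that the exclusion filters from the second procedure drop only myuser and mygroup, that the stray-ampersand spelling is rejected as malformed, and that a user ID containing filter metacharacters is escaped rather than allowed to change the filter's shape. The entries, function names and the case-insensitive matching of attribute names and values (as Active Directory applies to these attributes) are assumptions of the example.

```python
"""Offline check of the LDAP search filters used in both procedures above.

Added example, not RSA's code. A tiny RFC 4515 evaluator (&, |, !, equality,
presence) run against constructed sample entries, so a filter can be verified
before it is pasted into the Operations Console. Attribute names and values
compare case-insensitively, as Active Directory does for these attributes.
"""
import re

# Constructed sample directory entries, not real accounts.
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user"], "objectCategory": "person",
     "sAMAccountName": "myuser", "cn": "My User"},
    {"objectClass": ["top", "person", "user"], "objectCategory": "person",
     "sAMAccountName": "rsatest", "cn": "RSA Test"},
    {"objectClass": ["top", "group"], "cn": "mygroup"},
    {"objectClass": ["top", "group"], "cn": "othergroup"},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so an ID such as 'a)(b' cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def exclude_user_filter(user_id):
    """Users filter for step 5 of the second procedure: every AD user except user_id."""
    return ("(&(objectClass=user)(objectCategory=person)(!(sAMAccountName=%s)))"
            % escape_filter_value(user_id))

def exclude_group_filter(group_cn):
    """User-groups filter for step 6 of the second procedure: every group except group_cn."""
    return "(&(objectClass=group)(!(cn=%s)))" % escape_filter_value(group_cn)

def parse_filter(text):
    """Parse a filter into nested tuples; raise ValueError if it is malformed."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters at %d: %r" % (pos, text[pos:]))
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":             # compound: (&...) (|...) (!...)
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":        # every operand is itself a filter
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at %d; stray '&' or missing paren?" % i)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("wrong operand count for %r at %d" % (op, i))
        return (op, children), i + 1
    end = s.find(")", i)                         # simple item: (attr=value)
    if end < 0 or "=" not in s[i:end]:
        raise ValueError("malformed item at %d" % i)
    attr, value = s[i:end].split("=", 1)
    if not attr or "(" in attr:
        raise ValueError("malformed attribute at %d" % i)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value), end + 1

def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    values = [v for k, v in entry.items() if k.lower() == attr]
    values = [x for v in values for x in (v if isinstance(v, list) else [v])]
    if wanted == "*":                            # presence test
        return bool(values)
    return wanted.lower() in [v.lower() for v in values]

def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the sample entries the filter would select, in directory order."""
    node = parse_filter(filter_text)
    return [e for e in entries if matches(node, e)]

if __name__ == "__main__":
    # First procedure: both 'no results' filters select nothing.
    print(search("(&(objectClass=User)(objectcategory=person)(cn=XYZABC123))"))
    print(search("(&(objectClass=group)(cn=XYZABC123))"))
    # Second procedure: only myuser / mygroup drop out of the results.
    print([e["sAMAccountName"] for e in search(exclude_user_filter("myuser"))])
    print([e["cn"] for e in search(exclude_group_filter("mygroup"))])
    # The stray-'&' spelling is rejected instead of silently matching nothing.
    print(is_valid_filter("(&(objectClass=User)&(objectcategory=person)&(!(sAMAccountName=myuser)))"))
```

To check a filter against your own directory rather than the sample, replace SAMPLE_ENTRIES with the attributes of a few real user and group objects exported from the search base; the point of the check is that the users filter still returns every account except the one being cleaned up, and that the groups filter still returns every group except the one being removed.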
A PDF with a specific LDAP filter for the user ID, for cases where the cleanup cannot find the user or a duplicate user ID cannot be removed:
This happens when the user ID gets a new GUID, as when the account is deleted and then re-created in Active Directory.
https://knowledge.rsasecurity.com/patches/attach/a54426.pdf
Legacy Article ID: a60180
