Authentication Manager 'Unresolvable User' Error or Cleanup Job Fails After Identity Source Removal
Originally Published: 2012-11-27
Article Number
000046492
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1, 8.x
Issue

When an external LDAP identity source has been removed from the environment or is no longer reachable, administrators may encounter one or both of the following errors in RSA Authentication Manager.

Symptom 1 — Duplicate User ID Error in the Security Console:

When attempting to add a user whose user ID already exists as an unresolvable record, the following error appears:

There was a problem processing your request. Cannot add or manage a user with user ID <user_ID>.
Your deployment is configured to not allow duplicate user IDs in a realm.
This user ID is already in use by an unresolvable user in this realm.
For more information, see the Troubleshooting appendix in the Administrator's Guide.

Symptom 2 — Cleanup Job Fails in the System Log:

When running a one-time cleanup job, the following errors appear in the system log:

Unable to connect to LDAP Identity Source
Skipping identity source: <identity_source_ID> (<identity_source_name>)
Unable to run the cleanup job because of the error LDAP_CONNECTION_FAILED
com.rsa.ims.admin.dal.ldap.ConnectionException: Error connecting to the identity source
The following identity sources were unavailable while generating the list of unresolvable users.
If you want to clean up users from all your identity sources, make sure that all identity sources
are available and configure settings again.
Cause

When an LDAP identity source is deleted or becomes unreachable, Authentication Manager retains stale references to users and groups from that identity source in its internal database. These "unresolvable" records still occupy user IDs in the realm but can no longer be authenticated or managed.

The scheduled cleanup job is designed to remove these stale records — but it requires a live connection to the identity source to resolve users before deleting them. When the identity source no longer exists or is unreachable, the cleanup job cannot establish that connection and fails with LDAP_CONNECTION_FAILED, leaving the unresolvable records in place.

This commonly happens when an LDAP server is decommissioned, or when an identity source is deleted from the environment without first running a cleanup job in Authentication Manager to clear the associated user and group records.


Resolution

The cleanup job cannot run because the LDAP server is no longer reachable. The workaround is to point the identity source at any reachable LDAP directory and use search filters that return no results, so that the job can connect and every user and group from the old identity source is reported as unresolvable:

  1. Log in to the Operations Console.
  2. Edit the identity source that was deleted.
  3. On the Connection(s) tab, change the LDAP URL connection strings to those of ANY valid LDAP directory. The important thing is that a test connection succeeds.
  4. On the Map tab, make sure that the User Base DN and User Group Base DN values point to entries that exist in that LDAP directory.
  5. Under Directory Configuration - Users, change the search filter to a value that will produce NO results. For example:
(&(objectClass=User)(objectcategory=person)(cn=XYZABC123))
  6. Under Directory Configuration - User Groups, change the search filter to a value that will produce no results. For example:
(&(objectClass=group)(cn=XYZABC123))
  7. Save the settings.
  8. Log in to the Security Console and navigate to Setup > Identity Sources > Clean Up Unresolvable Users.
  9. Select the identity source from the drop-down list.
  10. To remove the grace period, uncheck the option.
  11. Click Next.
  12. All users in the identity source are displayed and can now be deleted.

Verify — Part 1: After the cleanup job completes, attempt to add the previously duplicate user ID in the Security Console. Confirm that the error This user ID is already in use by an unresolvable user in this realm no longer appears.


To force the cleanup of a particular user or group (for example, user myuser and group mygroup):

  1. Log in to the Operations Console.
  2. Edit the identity source that contains the user or group you wish to clean up.
  3. On the Connection(s) tab, verify that the LDAP URL connection strings are correct. The important thing is that a test connection succeeds.
  4. On the Map tab, make sure that the User Base DN and User Group Base DN values point to entries that exist in your LDAP directory.
  5. Only needed when deleting a user: under Directory Configuration - Users, change the search filter to a value that excludes the user you wish to clean up. For example:
(&(objectClass=User)(objectcategory=person)(!(sAMAccountName=myuser)))
  6. Only needed when deleting a group: under Directory Configuration - User Groups, change the search filter to a value that excludes the group you wish to clean up. For example:
(&(objectClass=group)(!(cn=mygroup)))
  7. Save the settings.
  8. Go to the Security Console and navigate to Setup > Identity Sources > Clean Up Unresolvable Users.
  9. To remove the grace period, uncheck the option.
  10. Click Next.
  11. User myuser and/or group mygroup will be scheduled for cleanup.

Verify — Part 2: After the cleanup job completes, navigate to Identity > Users > Manage Existing in the Security Console. Confirm the targeted user or group no longer appears in search results.
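Both procedures above rely on the search filter returning exactly the right set of entries: nothing at all in the first, everything except the target in the second. The following is an added example, not RSA's code, that checks such filters against a constructed directory snapshot before they are saved in the Operations Console; the DNs, attribute values and the function names (`select`, `is_valid_filter`) are assumptions.

```python
# Added example, not RSA's code: evaluates the LDAP search filters from the procedures
# above against a constructed directory (RFC 4515 subset: &, |, ! and attr=value).
# Entries a filter returns stay resolvable; everything else becomes a cleanup candidate.
def parse_filter(s, i=0):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    c, i = s[i + 1:i + 2], i + 1
    if c in ("&", "|"):                   # AND / OR over nested filters
        items, i = [], i + 1
        while s[i:i + 1] == "(":
            child, i = parse_filter(s, i)
            items.append(child)
        node = (c, items)
    elif c == "!":                        # NOT over exactly one nested filter
        child, i = parse_filter(s, i + 1)
        node = ("!", [child])
    else:                                 # attr=value equality match
        end = s.find(")", i)
        attr, _, value = s[i:end].partition("=")
        if end < 0 or not attr or not value:
            raise ValueError(f"bad equality match at offset {i}")
        node, i = ("=", attr.lower(), value), end
    if s[i:i + 1] != ")":                 # a stray '&' between items fails here
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1
def compile_filter(text):
    ast, end = parse_filter(text)
    if end != len(text):
        raise ValueError(f"trailing characters at offset {end}")
    return ast
def is_valid_filter(text):
    try:
        return compile_filter(text) is not None
    except ValueError:
        return False
def matches(node, entry):                 # names and values compared case-insensitively
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results) if node[0] == "|" else not results[0]
def select(filter_text, entries):         # DNs the filter returns; the rest are cleanup candidates
    ast = compile_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(ast, attrs))

# Constructed sample directory, not real data; attribute names stored lowercase.
DIRECTORY = {f"cn={n},ou=people,dc=example,dc=com": {"objectclass": ["User"], "objectcategory": ["person"],
                                                    "cn": [n], "samaccountname": [n]} for n in ("alice", "myuser")}
DIRECTORY.update({f"cn={g},ou=groups,dc=example,dc=com": {"objectclass": ["group"], "cn": [g]}
                  for g in ("admins", "mygroup")})
```

Running the no-result filter from the first procedure against this directory returns nothing, while the exclusion filters from the second return every user or group except myuser or mygroup, which is exactly the set that the cleanup job leaves alone.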

Notes