Delete a duplicate user or duplicate group and run a schedule cleanup job when the identity source no longer exists in RSA Authentication Manager 8.x
2 years ago
Originally Published: 2012-11-27
Article Number
000046492
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1, 8.x
Issue
This article explains how to run a scheduled cleanup job when the identity source no longer exists and then how to force the cleanup of a particular user or group

Adding a user with the same user ID gives the following error message

There was a problem processing your request.

Cannot add or manage a user with user ID <user ID>. Your deployment is configured to not allow duplicate user IDs in a realm. This user ID is already in use by an unresolvable user in this realm.

For more information, see the Troubleshooting appendix in the Administrator's Guide.

Running a one time clean up job fails with the message in the system log:
 
Unable to connect to LDAP Identity Source
Skipping identity source: 1acf46bc2cf7b50a03897609cbd4d0ff (myidentitysource.com Unable to run the cleanup job because the of the error LDAP_CONNECTION_FAILED
com.rsa.ims.admin.dal.ldap.ConnectionException: Error connecting to the identity source
 
The following identity sources were unavailable while generating the list of unresolvable users if you want to clean up users from all your identity sources, make sure that all identity sources are available and configure settings again
Resolution
The cleanup job is unable to run as the LDAP server is no longer reachable. To solve this problem the following should be done:
  1. Login to the Operations Console
  2. Edit the Identity Source that was deleted
  3. On the Connection(s) tab change the LDAP URL connection strings to be that of ANY valid LDAP directory. The important thing is that a test connection should be successful
  4. On the Map tab, make sure that that the User Base DN and User Group Base DN values point to values that exist in our LDAP directory
  5. Under Directory Configuration- Users, change the search filter to a value that will produce NO results. For example: 
(&(objectClass=User)(objectcategory=person)(cn=XYZABC123))
  1. Under Directory Configuration - User groups, change the seach filter to a value that will produce no results.  For example,
(&(objectClass=group)(cn=XYZABC123))
  1. Save the settings.
  2. Login to the Security Console and navigate to Setup > Identity Sources > Clean Up Unresolveable Users.
  3. Select the identity source from the drop down list.
  4. To remove the Grace Period, uncheck the option.
  5. Click Next.
  6. All users in the identity source will be displayed and can now be deleted.
To force the clean up of  a particular user or group (for example user myuser, group mygroup)
  1. Login to the Operations Console.
  2. Edit the Identity Source that contains the user you wish clean up
  3. On the Connection(s) tab.Verify the  the LDAP URL connection strings are correct. The important thing is that a test connection should be successful.
  4. On the Map page, make sure that that User Base DN and User Group Base DN values point to values that exist in our LDAP directory/
  5. OPTIONAL IF ONLY DELETING A USER. Under Directory Configuration- Users, change the search filter to a value that will exclude the user we wish to cleanup.  For example,
(&(objectClass=User)&(objectcategory=person)&(!(sAMAccountName=myuser)))
  1. OPTIONAL IF ONLY DELETING A GROUP.  Under Directory Configuration - User groups - change the search filter to a value that will exclude the group we wish to cleanup.  FOr example,
(&(objectClass=group)&(!(cn=mygroup)))
  1. Save the settings.
  2. Go to Security Console and navigate to Setup > Identity Sources > Clean Up Unresolveable Users.
  3. To remove the Grace Period, uncheck the option.
  4. Click Next.
  5. User myuser and/or group mygroup will be scheduled for cleanup

Related Articles

Trending Articles

Don't see what you're looking for?