Sunday, June 7, 2009

How to avoid username conflict in OID during AD synchronization

Introduction

Our master source of truth for authenticating Single Sign On (SSO) users for access to the E-Business Suite is the Active Directory (AD). We periodically synchronize data from AD to the Oracle Internet Directory (OID) using the synchronization profiles.

Because Oracle SSO can work only with OID, we cannot afford any failures or mismatches between AD and OID, and hence we do not let the synchronization continue if an error is reported. The 'Continue after error' setting is set to FALSE.

One common problem in a directory is managing usernames for people with identical names. For example, an organization can have two employees who are both named John Smith. The AD administrator creates these accounts as JSMITH and JSMITH1 respectively because the username has to be unique across the organization. During initial propagation to OID, these accounts will have two separate entries in OID, also as JSMITH and JSMITH1 respectively. When JSMITH leaves the organization, the other John Smith can request a change in his username from JSMITH1 to JSMITH (JSMITH looks good compared to JSMITH1).


Problem

The update of JSMITH1 to JSMITH generates a new change number in AD and the next synchronization cycle will attempt to make the corresponding change in OID too. We had such an update in AD yesterday and OID failed to process the change. The following is the error that is reported in the synchronization profile logfile.



Exception Doing ModRDN operation : javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=jsmith1,ou=us,dc=mycompany,dc=com'
Ignore modrdn.

Solution

At the time of processing the update, OID had the following two entries

'cn=jsmith1,ou=us,dc=mycompany,dc=com'
'cn=jsmith,ou=us,dc=mycompany,dc=com'

AD had only one entry JSMITH (after the username change by the administrator).

'cn=jsmith,ou=us,dc=mycompany,dc=com'

Because OID already has a jsmith entry, the update of JSMITH1 to JSMITH fails with the [LDAP: error code 68 - Entry Already Exists] error.

I solved the problem by deleting both the entries jsmith and jsmith1 in OID and making a fake update in AD (removed the telephone number of jsmith). The next synchronization job picked up the telephone number change in AD and created a new jsmith entry in OID. Once the OID processing has become successful, I corrected the telephone number in AD.
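The collision described above can be caught before the synchronization job runs by comparing the two directories on a stable identifier rather than on the DN. The following is an added example, not part of the original post: the function names, the `guid-a`/`guid-b` identifiers and the snapshot dictionaries are constructed for illustration, and it assumes each directory has been exported as a mapping of a stable entry id to its DN. It goes slightly beyond the rename case in the post by also flagging a new AD entry whose DN is already taken in OID.

```python
"""Pre-sync check for DN collisions (LDAP error 68) between AD and OID."""

def normalize_dn(dn):
    # Simplified comparison form: case-insensitive, whitespace around RDNs ignored.
    # Does not handle escaped commas inside attribute values.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def find_rename_conflicts(ad_entries, oid_entries):
    """Both arguments map a stable entry id (assumed, e.g. a GUID) to a DN.

    Returns one record per pending add/modrdn whose target DN is already
    bound in OID to a different entry.
    """
    oid_owner = {normalize_dn(dn): guid for guid, dn in oid_entries.items()}
    conflicts = []
    for guid, ad_dn in ad_entries.items():
        target = normalize_dn(ad_dn)
        oid_dn = oid_entries.get(guid)
        if oid_dn is not None and normalize_dn(oid_dn) == target:
            continue  # DN unchanged, nothing to rename
        operation = "add" if oid_dn is None else "modrdn"
        owner = oid_owner.get(target)
        if owner is not None and owner != guid:
            conflicts.append({
                "guid": guid,
                "operation": operation,
                "from": oid_dn,
                "to": ad_dn,
                "blocked_by": owner,
                # Blocker no longer exists in AD: a leftover entry in OID.
                "blocker_stale": owner not in ad_entries,
            })
    return conflicts

# Constructed sample data mirroring the post: the first John Smith (guid-a)
# is gone from AD, the second (guid-b) was renamed from jsmith1 to jsmith.
AD_SNAPSHOT = {"guid-b": "CN=jsmith,OU=us,DC=mycompany,DC=com"}
OID_SNAPSHOT = {
    "guid-a": "cn=jsmith,ou=us,dc=mycompany,dc=com",
    "guid-b": "cn=jsmith1,ou=us,dc=mycompany,dc=com",
}

if __name__ == "__main__":
    for c in find_rename_conflicts(AD_SNAPSHOT, OID_SNAPSHOT):
        print("{operation} {from} -> {to} blocked by {blocked_by} "
              "(stale={blocker_stale})".format(**c))
```

A blocker reported as stale is an account that still exists in OID after its owner has gone from AD, so it is worth reviewing before the username is reused.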

3 comments:

Anonymous said...

Hi Srinivas,
Thank you for posting all these helpful tips on OID.
I have a problem with disabled users in AD. When a user leaves our company, they are not deleted, they are disabled instead in AD. We would like to delete this user in OID if they are disabled in AD. Is it possible to accomplish this through synchronization?

DBA University Blog said...

We too have the same setup in AD. Our users are just disabled in AD. In AD, we have a special attribute that gets populated for disabled accounts.

You can create a special mapping rule in the import profiles so that you capture the AD's disabled attribute and populate it in OID. Once it is there in OID, you can write a script etc. to drop them from the OID tables.

In our case, we just leave it alone in AD. When a user is disabled in AD, user authentication fails. So that's enough for our case.

Hope that helps

-Srinivas

Anonymous said...

Hi,

I just want to modify all the usernames in OID to a new username convention. How can I do it?
Is it ldapmodify? Please, it's urgent.

rajat
You can send me mail
rajat.dey80@gmail.com