Endpoint Account already exists during Provisioning Role assignment, causing the Provisioning Server to report LDAP error 70 (0x0046 - Results too large)

Document ID : KB000046274
Last Modified Date : 14/02/2018

Issue:

We are trying to assign a Provisioning Role to Global Users for account creation on some hierarchical Endpoints (i.e. Active Directory, JNDI DYN), but the Provisioning Server reports LDAP error 70 (0x0046 - Results too large).

In the etatrans log, the 'External Modify' operation fails with a 'Results too large' error.

FAILURE: External Modify (eTGlobalUserName=xxx)
rc:  0x0046 (Results too large)
msg: ETA_E_0070<MGU>, Global User 'xxx' provisioning role memberships added successfully. Associated accounts creation or update failed: (accounts created: 0, updated: 0, re-created: 0, failures: 1)

The 'Child Add' operation fails with an 'Already exists' error for the account.

FAILURE: Child Add (eTDYNAccountName=xxx)
rc:  0x0044 (Already exists)
msg: ETA_E_0004<AAC>, User Account 'xxx' on 'xxx endpoint' creation failed: Object already exists; provisioning directory updated
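
An added example (not part of the original article or of the product's tooling): a small Python parser that pairs each 'External Modify' 0x0046 failure with the 'Child Add' 0x0044 failures for the same name, to confirm that a 'Results too large' error on role assignment is this existing-account case. It assumes the three-line FAILURE/rc/msg layout quoted above and that the endpoint account name equals the Global User name; the sample log and the names in it are constructed.

```python
import re

# Constructed sample in the three-line FAILURE/rc/msg layout quoted in this article.
SAMPLE_LOG = """\
FAILURE: External Modify (eTGlobalUserName=jdoe)
rc:  0x0046 (Results too large)
msg: ETA_E_0070<MGU>, Global User 'jdoe' provisioning role memberships added successfully. Associated accounts creation or update failed: (accounts created: 0, updated: 0, re-created: 0, failures: 1)
FAILURE: Child Add (eTDYNAccountName=jdoe)
rc:  0x0044 (Already exists)
msg: ETA_E_0004<AAC>, User Account 'jdoe' on 'hr-dyn endpoint' creation failed: Object already exists; provisioning directory updated
FAILURE: External Modify (eTGlobalUserName=asmith)
rc:  0x0046 (Results too large)
msg: ETA_E_0070<MGU>, Global User 'asmith' provisioning role memberships added successfully. Associated accounts creation or update failed: (accounts created: 0, updated: 0, re-created: 0, failures: 1)
"""

# Assumed layout: "FAILURE: <op> (<attr>=<name>)", then "rc:", then "msg:" lines.
FAILURE_RE = re.compile(
    r"FAILURE:\s*(?P<op>.+?)\s*\((?P<attr>\w+)=(?P<name>[^)]*)\)\s*\n"
    r"rc:\s*(?P<rc>0x[0-9A-Fa-f]{4})[^\n]*\n"
    r"msg:\s*(?P<code>ETA_E_\d+)<\w+>,\s*(?P<msg>[^\n]*)"
)

def parse_failures(text):
    """Return one dict per FAILURE block found in the log text."""
    return [m.groupdict() for m in FAILURE_RE.finditer(text)]

def explain_role_failures(text):
    """Map each Global User whose role assignment returned 0x0046 to the
    endpoints where account creation failed with 0x0044 (Already exists)."""
    failures = parse_failures(text)
    existing = {}
    for f in failures:
        if f["op"] == "Child Add" and f["rc"].lower() == "0x0044":
            m = re.search(r"\bon '([^']*)'", f["msg"])
            existing.setdefault(f["name"], []).append(m.group(1) if m else "unknown")
    report = {}
    for f in failures:
        # Assumption: account name equals Global User name (both masked 'xxx' above).
        if f["op"] == "External Modify" and f["rc"].lower() == "0x0046":
            report[f["name"]] = existing.get(f["name"], [])
    return report

if __name__ == "__main__":
    print(explain_role_failures(SAMPLE_LOG))
```

An empty list for a user means the 0x0046 was not accompanied by an 'Already exists' failure under that name, so a different cause should be investigated.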

Environment:

  • IM r12.6

Cause:

  • The Endpoint Account already exists in the target account container
  • An Endpoint Account with the same account ID already exists in another account container

Resolution:

Enable the following Synchronization settings in IM Provisioning Manager > System > Domain Configuration > Synchronization:

  • Automatic Correlation = Yes (or 'Use Correlation Attr' if the Correlation Attribute list has been customized)
  • Use Existing Accounts = Yes
  • Force single account across multiple containers = Target Endpoint Type

Additional Information:

  1. TEC451504