Error "AlreadyExistsException" when creating a user and provisioning account with Access Policy

NGauthier, Sep 26 2016 — edited Oct 21 2016

Hi,

I've defined a role that gives an account in an LDAP directory based on an access policy.

When I create a user in OIM this role is automatically given to the user.

When the user account exists on the LDAP directory, the "Evaluate User Policies" task is still trying to create the account and I've got this error:

[2016-09-26T15:35:24.256+02:00] [oim_server1] [ERROR] [] [ORACLE.IAM.CONNECTORS.ICFCOMMON.PROV.ICPROVISIONINGMANAGER] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000LT_d09e3r230FnQLRw1NuDsN000004,0] [APP: oim#11.1.2.0.0] oracle.iam.connectors.icfcommon.prov.ICProvisioningManager : createObject : Error while creating user[[

org.identityconnectors.framework.common.exceptions.AlreadyExistsException: Object Already Exists in the target

  at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$1.createException(CommonObjectHandlers.java:138)

  at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$1.createException(CommonObjectHandlers.java:135)

  at org.identityconnectors.framework.impl.serializer.CommonObjectHandlers$ThrowableHandler.deserialize(CommonObjectHandlers.java:115)

  at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder$InternalDecoder.readObject(BinaryObjectDecoder.java:162)

  at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObject(BinaryObjectDecoder.java:313)

  at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObjectField(BinaryObjectDecoder.java:417)

  at org.identityconnectors.framework.impl.serializer.MessageHandlers$5.deserialize(MessageHandlers.java:155)

  at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder$InternalDecoder.readObject(BinaryObjectDecoder.java:162)

  at org.identityconnectors.framework.impl.serializer.binary.BinaryObjectDecoder.readObject(BinaryObjectDecoder.java:313)

  at org.identityconnectors.framework.impl.api.remote.RemoteFrameworkConnection.readObject(RemoteFrameworkConnection.java:153)

  at org.identityconnectors.framework.impl.api.remote.RemoteOperationInvocationHandler.invoke(RemoteOperationInvocationHandler.java:101)

In the user accounts tab, the account is in status "Provisioning" and is not linked to the OIM user.

Is there a way to check if the account exists before provisioning it?

I understand that "Access Policy Harvesting" could solve it but I can't make it work after these steps:

  • Change XL.AllowAPBasedMultipleAccountProvisioning system property value to TRUE
  • XL.AllowAPHarvesting system property value to TRUE
  • Set "Account discriminator" property value to true in the SERVER component field of the Resource Object Form

Behavior observed with Active Directory Connector and OID Connector in OIM 11gR2 PS3.

Thanks for your help

This post has been answered by NGauthier on Oct 21 2016
Locked on Nov 18 2016