empty metaverse object: cd-existing-object error when exporting a group

  • Question

  • Hi all,

    I'm having some trouble with my AD connector. I'm trying to add a user to a group:

    The user was added in the connector space, and the object has a pending export status. The issue is that when I do the export, it throws the cd-existing-object error.

    When I was investigating the issue, I found the following elements:

    • the user in question is present in AD, but is not part of the group
    • the group's metaverse object is empty: it doesn't have any attributes
    • the group doesn't appear in a metaverse search (maybe related to the above observation)

    After a day trying to solve the issue (with syncs, imports, exports, ...), I'm running out of ideas :(

    Maybe someone can help me out?

    Thanks in advance for your help,

    Marc

    Thursday, July 23, 2015 9:38 AM

All replies

  • Is the error thrown on User export or Group?

    This error is a clear indication of a duplicate object. If the user throws the error, then the CS has 2 objects that share the same anchor, sAMAccountName, or DN. If group, apparently it would be the group.


    Nosh Mernacaj, Identity Management Specialist

    Thursday, July 23, 2015 1:01 PM
  • It's a group export.

    The thing that I can't figure out is that in the group export, the "real operation" is a member add. The member was added in the connector space and FIM tries to (or at least it should) push it to the "real AD".

    I already checked and the user is not present in the "real AD", so why the error?

    Thanks for the help,

    Marc


    • Edited by Marc_27 Friday, July 24, 2015 7:01 AM
    Friday, July 24, 2015 7:01 AM
  • If this is during a Group Export, it means your group is a duplicate, nothing wrong with the users.

    Check Connector Space for the name of the group and make sure there are not 2 or more.


    Nosh Mernacaj, Identity Management Specialist

    Friday, July 24, 2015 12:41 PM
  • Hi, thanks for the answer.

    I just searched the connector space, there is just one group with this CN.

    The operation it's trying to do is an add member operation.

    Friday, July 24, 2015 1:54 PM
    What about samaccountname? Unless it is the same as cn. Can you click on the error and stack trace and show me both views? This is definitely a dup.

    Nosh Mernacaj, Identity Management Specialist

    Friday, July 24, 2015 1:57 PM
  • Here I have 3 images:

    The error with the detail message, the CS object and the MV object.

    The weird thing for me is the MV object that is empty...

    Friday, July 24, 2015 2:10 PM
    1. Can you please translate the error from Stack Trace into English?

    2. Object is not empty in MV, you simply are not importing any attributes into MV. There are no mapped attributes for import into MV.

    3. Can you show me the connector tab.

    4. Double click AD MA for this group and open the details.


    Nosh Mernacaj, Identity Management Specialist

    Friday, July 24, 2015 3:32 PM
  • Hello,

    I just left work, I will post all this info Monday morning.

    Thanks again for your help, good weekend

    Marc

    Friday, July 24, 2015 3:46 PM
  • Hi, sorry for the late answer.

    1. Here is my translation of the error message in English:

    Maybe the user account is already a member in the specified group, maybe it's impossible to delete the group as it has one member.

    The weird thing here is that the user is not a member of the group in the "real AD".

    3. Here is the connector tab picture:

    4. Sorry but I didn't understand the request, isn't it my 2nd picture from above?

    Thanks again for the help,

    Marc


    • Edited by Marc_27 Monday, July 27, 2015 9:45 AM
    Monday, July 27, 2015 9:44 AM
  • Marc,

    The fact that the user is not a member in AD does not matter.

    1. What are the group sources, such as AD and FIM Portal.  Where are groups created?

    2. Are members added\removed in AD or FIM?  What is the authoritative source?

    3. Try to disconnect this group and see if the error persists.  From this screen above, select the link and click Disconnect. 


    Nosh Mernacaj, Identity Management Specialist

    Monday, July 27, 2015 1:43 PM
  • Hello,

    I've got some updates:

    As you said, I disconnected the group and tried to do an Export operation: it worked well, I didn't have any errors.

    The group then was marked as "Import". I did the Import operation and then its status changed to "Pending export".

    When I did the second Export operation, the error came back.

    To respond to your question, the members are added in the groups by FIM. The groups creation is managed by a provisioning rule (I did the above operations with and without provisioning).


    • Edited by Marc_27 Tuesday, July 28, 2015 8:49 AM
    Tuesday, July 28, 2015 8:44 AM
  • I am not certain on the meaning of this part (To respond to your question, the members are added in the groups by FIM. The groups creation is managed by a provisioning rule (I did the above operations with and without provisioning).)

    Can you delete the group in AD and run the following?

    1. Delta Import AD MA

    2. Delta Sync AD MA

    This should create a pending export to AD

    3. Export AD MA

    4. Delta Import AD MA

    5. Delta Sync AD MA

    If the error is gone, please check joining rules for groups. Make sure groups are joined before a provisioning is attempted. 


    Nosh Mernacaj, Identity Management Specialist

    Tuesday, July 28, 2015 1:07 PM
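
The five run-profile steps from the last reply can be run in order through the FIM Synchronization Service WMI provider, stopping at the first step that does not finish cleanly. This is an added example, not code from the thread; the management agent name and the run profile names are assumptions and must match what is configured on the server, and the group is deleted in AD by hand beforehand as the reply describes.

```powershell
# Added example: run on the FIM Synchronization Service server.
# Assumed names (not from the thread): adjust to your own MA and run profiles.
$maName   = 'AD MA'
$sequence = @('Delta Import', 'Delta Sync', 'Export', 'Delta Import', 'Delta Sync')

# Statuses treated as a clean run; anything else stops the sequence.
$okStatus = @('success', 'completed-no-objects')

$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
                    -Class 'MIIS_ManagementAgent' `
                    -Filter "Name='$maName'"
if (-not $ma) { throw "Management agent '$maName' not found" }

$step = 0
foreach ($runProfile in $sequence) {
    $step++
    # Execute() blocks until the run profile finishes and returns its status.
    $status = $ma.Execute($runProfile).ReturnValue
    Write-Host ("{0}. {1}: {2}" -f $step, $runProfile, $status)

    if ($okStatus -notcontains $status) {
        # An export that raises cd-existing-object again ends with an
        # export-error status and lands here at step 3.
        Write-Warning "Stopped at step $step ($runProfile): $status"
        break
    }
}
```

If the loop stops at the Export step, the error is still present and the per-object detail is in the Operations view of the Synchronization Service Manager.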