
Duplicate accounts are seen in IdentityIQ after an Active Directory account has a DN change

Product

IdentityIQ 6.2x, 6.3x, 6.4x, 7.0x

 

Environment

When the end system is Active Directory.

 

Problem

After moving an Active Directory account to a different DN, two accounts (duplicates) appear in IdentityIQ: one with the old DN and one with the new DN.

 

The situation may arise when an account's DN is changed either through an IIQ process or natively. In the scenario where duplicate accounts appear, the sequence of events is:

  1. An account (link) already existed in IIQ before the move of the DN.
  2. A delta aggregation occurred for the AD application.
  3. Two duplicate accounts are seen for the same sAMAccountName in IIQ.

 

Root cause

To understand why the two duplicate accounts appear, it's important to realize that IIQ can only recognize an account with a different DN as the same account if it already knows that account's uuid. The uuid of an Active Directory link in IIQ is the Object-Guid of the account in Active Directory. When an account is created in Active Directory, the AD system sets the Object-Guid value, and this value never changes for the account afterwards.

 

When an account is created for Active Directory through IIQ, IIQ does not know the uuid of the account until an aggregation is done. So, one may see duplicate Active Directory accounts in IIQ if the following occurs:

  1. An Active Directory account is created using IIQ.
  2. The account's DN is changed (either using IIQ or natively).
  3. A delta aggregation occurs.

 

Since the uuid value of the link in the above scenario is absent, the next time a delta aggregation occurs, the account with the new DN is seen as a new account and brought over. And since deleted accounts cannot be detected on delta aggregations, the account with the old DN is not deleted from IIQ.

 

Solution

To make sure that a DN change is applied to the existing IIQ link rather than creating a new one, be sure that the link has a uuid value. Any of the following ensures that the uuid value is populated:

 

  1. A full aggregation is done after the account is created.
  2. A delta aggregation is done after the account is created.
  3. A "targeted" aggregation is done just for the link after the account is created. See the IdentityIQ documentation on targeted aggregations for more information.

 

Once the uuid is brought over, you can see it in the identity XML for the Link. For example:

<Link created="1466110129346" displayName="test2" entitlements="true" id="4028c801555af79a01555af934c2000a" lastRefresh="1466110581833" modified="1466110582489" identity="CN=Steve Test2,CN=Users,DC=idmsupport,DC=com" uuid="{48c381c0-2386-4f2c-9d6d-00d5874edfc0}">

 

Once a valid uuid is present on the link, a DN change is handled correctly: the delta aggregation brings the DN change over and no duplicate entry is created, provided the uuid value was present before the delta aggregation.
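The correlation behaviour described in the root cause and solution sections, as an added Python model that is not SailPoint code: it replays the three steps with and without an aggregation before the DN move, using the DN and uuid from the Link XML above. The OU=Staff destination DN, the account names and the matching rule (uuid first, then DN) are assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Values taken from the article's Link XML; NEW_DN is constructed.
OLD_DN = "CN=Steve Test2,CN=Users,DC=idmsupport,DC=com"
NEW_DN = "CN=Steve Test2,OU=Staff,DC=idmsupport,DC=com"
GUID = "{48c381c0-2386-4f2c-9d6d-00d5874edfc0}"

@dataclass
class Link:
    """Simplified IIQ Link for an AD application (model built for this example)."""
    sam_account_name: str
    dn: str                     # nativeIdentity: the AD distinguishedName
    uuid: Optional[str] = None  # Object-Guid; None until an aggregation fills it

@dataclass
class AdAccount:
    """One AD account record as returned by an aggregation (constructed)."""
    sam_account_name: str
    dn: str
    object_guid: str

def aggregate(links: list[Link], accounts: list[AdAccount]) -> list[Link]:
    """Correlate aggregated accounts to links as the article describes:
    match on uuid first, then on DN; anything unmatched becomes a new link.
    Assumed simplification of IIQ's real correlation. Links are never
    removed, mirroring a delta aggregation, which cannot detect deletions."""
    for acct in accounts:
        match = next((lk for lk in links if lk.uuid == acct.object_guid), None)
        if match is None:  # no uuid known yet: fall back to the DN (case-insensitive)
            match = next((lk for lk in links if lk.dn.lower() == acct.dn.lower()), None)
        if match is None:  # neither matched: treated as a brand-new account
            links.append(Link(acct.sam_account_name, acct.dn, acct.object_guid))
        else:
            match.dn = acct.dn             # DN change applied in place
            match.uuid = acct.object_guid  # uuid learned (or confirmed)
    return links

def duplicate_sam_names(links: list[Link]) -> list[str]:
    """sAMAccountNames that own more than one link: the symptom to monitor for."""
    names = [lk.sam_account_name for lk in links]
    return sorted({n for n in names if names.count(n) > 1})

def scenario(aggregate_before_move: bool) -> list[Link]:
    """Account created via IIQ (uuid unknown), DN moved, then a delta aggregation."""
    links = [Link("stest2", OLD_DN)]
    if aggregate_before_move:  # the fix: any aggregation populates the uuid first
        aggregate(links, [AdAccount("stest2", OLD_DN, GUID)])
    return aggregate(links, [AdAccount("stest2", NEW_DN, GUID)])
```

Running `duplicate_sam_names(scenario(False))` reports the duplicated sAMAccountName, while `scenario(True)` leaves a single link carrying the new DN and the uuid.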

Version history
Revision #:
2 of 2
Last update:
Jul 28, 2023 02:12 AM