Sync log says " The object (grp_name) of (LDAPGroup) was ignored during synchronization. Reason: The object has pending M:N provisioning tasks".
In which of table(s) can I find those pending tasks?
Thanks!
Sync log says " The object (grp_name) of (LDAPGroup) was ignored during synchronization. Reason: The object has pending M:N provisioning tasks".
In which of table(s) can I find those pending tasks?
Thanks!
You could check the table DPRMemberShipAction. The XObjectKey of your group should be appear in property ObjectKeyBase.
Explanation you still have provisioning jobs in the job queue for these groups.
Hi Markus,
I removed the LDAPAccount from LDAPGroup and all related processes went well with no error. The job queue / db queue no longer had any jobs. What could be the cause that these jobs were stored in DPRMemberShipAction and how they would be executed to perform the group member removal in target system?
Hi,
your LDAP is configured to do single ad-hoc membership changes for the provisioning tasks. So for any membership change an entry will be recorded in DPRMembershipAction. These entries will be used by the ad-hoc provisioning steps in addition to the normal object information.
I think you may have deleted some jobs from the job queue and therefore these entries are still in the DPRMembershipAction table.
You will find more information about single membership provisioning in the onlince documentation.
Markus,
I monitored each of steps for the group membership deprovisioning and they were exactly happened as described in the section "Synchronizing and Provisioning Memberships" but the membership was not removed in target system (RACF LDAP). I tested the same case in a pure LDAP environment and all worked as expected. I looked into Assignment table and Base table that involved in the process of membership removal and found that there was only an entry for LDAPAccountInLDAPGroup - LDAP with DPRNameSpace "LDAP" in table "DPRNameSpaceHasDialogTable". RACF LDAP namespce is "RACF" so I guess there is no QBMRelation between Assignment table and Base table. Could it cause the problem?
Should I add a new entry to "DPRNameSpaceHasDialogTable" for DPRNameSpace "RACF"? (I did change RACF to LDAP but received DPRSchema invalid error).
Please advise how to workaround the issue. Thank you!
I would suggest, that you take a look into the One Identity Manager Connector User Guid. There is a section about how to configure the membership provisioning.
When you are syncing the data into a DPRNameSpace called RACF you need to add the additional entries. But there is no need to use the ObjectBrowser as there are forms for it in the Manager.