Tuesday, November 13, 2007

LDAP Adapter Gotcha...

The Problem: CTGIMD014I 1 reconciliation entries were not processed for the following accounts: eruid=users.

I had this problem on one of my TIM servers. It was relatively early on in the build process for this environment and I had created a service for an LDAP to which I was to be provisioning user accounts. Really straightforward stuff here. But I kept having these recon warnings. The reconciliation would complete with the warning noted in the title of this post. The trace.log showed several errors like this one:

*********** ENTRY **********
$dn: DN:eruid=users
erLdapContainerName: dc=mydomain,dc=com
objectclass: OBJ:erLDAPUserAccount
cn: users
eruid: users
erAccountStatus: 1
*********** ENTRY END ******

![CDATA[Unable to create orphaned account]]

![CDATA[Thread 2 Encountered an exception processing eruid=users: CTGIMS001E At least one required attribute is missing.]]

So ITIM was trying to orphan a bunch of accounts and it came across an account called "users". Well, the reason for this, apparently, is that I had created a container in my target LDAP called cn=users. I had provisioned my LDAP users into this container. The LDAP Adapter apparently has a problem with the search base being cn=users,dc=mydomain,dc=com.

The Fix:

To fix this I simply re-created the users container as an OU. So I deleted the users from the cn=users container, then deleted the container and re-created it as an OU. I changed the search base on the service and now everything works fine.

I know that containers such as cn=something are usually seen more often in AD, but ITDS had no problem letting me create these. Technically, for my solution it really makes no difference, so it was easy enough to just blow away the containers and re-create them as OUs. Just a little gotcha with the LDAP Adapter, I guess. BTW, IBM Tech support caught this very quickly where I just didn't see it. Thanks Melvin!
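An added triage example (not from the original post or from IBM): it parses ENTRY blocks in the trace.log format quoted above and flags any whose eruid equals the value of the search base's leading RDN and whose erLdapContainerName is the search base's parent, which is the pattern the eruid=users entry shows. The function names, the second sample entry and the simple comma-based DN splitting are assumptions of this example.

```python
import re

# Constructed sample: the first block is the post's trace.log excerpt, the
# second is a made-up ordinary account added for contrast.
SAMPLE_TRACE = """\
*********** ENTRY **********
$dn: DN:eruid=users
erLdapContainerName: dc=mydomain,dc=com
objectclass: OBJ:erLDAPUserAccount
cn: users
eruid: users
erAccountStatus: 1
*********** ENTRY END ******
*********** ENTRY **********
$dn: DN:eruid=jdoe
erLdapContainerName: cn=users,dc=mydomain,dc=com
objectclass: OBJ:erLDAPUserAccount
eruid: jdoe
*********** ENTRY END ******
"""

ENTRY_RE = re.compile(r"^\*+ ENTRY \*+\n(.*?)^\*+ ENTRY END \*+$", re.S | re.M)

def parse_entries(trace_text):
    """Return every ENTRY block as a dict of attribute name -> value."""
    entries = []
    for block in ENTRY_RE.findall(trace_text.replace("\r\n", "\n")):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                attrs[name.strip()] = value.strip()
        entries.append(attrs)
    return entries

def norm_dn(dn):
    """Lowercase a DN and drop spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def container_as_account(entries, search_base):
    """eruids of entries that look like the search-base container itself."""
    rdn, _, parent = norm_dn(search_base).partition(",")
    rdn_value = rdn.partition("=")[2]
    return [e["eruid"] for e in entries
            if e.get("eruid", "").lower() == rdn_value
            and norm_dn(e.get("erLdapContainerName", "")) == parent]

if __name__ == "__main__":
    print(container_as_account(parse_entries(SAMPLE_TRACE), "cn=users,dc=mydomain,dc=com"))
```

Run against a real trace.log, a non-empty result points at the container entry rather than at a genuine orphan account.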

2 comments:

Unknown said...

Integration of OpenLdap and Tivoli Identity Manager

I am trying to integrate Openldap with Tivoli Identity Manager. I am using the LDAP adaptor for that. I have imported LdapProfile.jar file in Tivoli Identity Manager.

When I try to create a Ldap service on Tivoli Identity Manager console I get the errors: communication error, no route to host. Test connection fails.

What I am doing is I am using openldap on one virtual machine and TIM on another virtual machine. In the service creation I am giving the IP address of the openldap VM.


Credentials of OpenLDAP:
url: ldap://localhost:389
rootdn= cn=root,o=ibm,dc=com
password= secret

Please help me..Thanks
