A little bit of background: in my recent SSO integration, we are using AD to OID synchronization based on group membership, i.e. only the users who are added to a particular group will be synced with OID and in turn with EBS.
The error that I got was while bootstrapping users and groups from AD to OID.
cn=ebsusersgroup,ou=oraworld,cn=groups,dc=ow,dc=oraworld,dc=local[LDAP: error code 20 – Attribute Or Value Exists]
A few of my users and my target group were not getting synchronized with OID.
Upon further analysis of the log files I noticed more errors:
<Aug 22, 2017 3:51:09 PM CEST> <Error> <oracle.dip.bootstrap> <DIP-11024> <Error occurred while loading . Ignoring cn=mark harris,ou=internal,cn=users,dc=ow,dc=oraworld,dc=local
cn=mark harris,ou=internal,cn=users,dc=ow,dc=oraworld,dc=local [LDAP: error code 68 – Object already exists]
It took a lot of digging to locate the root cause. The issue was duplicate cn values among users in Active Directory: more than one user existed in Active Directory with the same cn. They had unique sAMAccountName values but the same cn, hence the issue. Apparently AD allows such data but OID does not.
cn=Mark Harris (sAMAccountName = maharris)
cn=Mark Harris (sAMAccountName = mharris)
As a workaround for this issue, instead of having cn in my distinguished name (DN) in OID, I changed it to uid, which is mapped to sAMAccountName from AD in the DIP mapping configuration.
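A pre-bootstrap check for this condition, as an added example that is not part of the original post or of Oracle's tooling: it groups exported AD users by the DN they would receive in the target container and reports any target DN claimed by more than one source entry, first with a cn-based RDN and then with a uid-based one. The LDIF sample is constructed, the source OUs (Sales, Support) and the "Jane Doe" entry are assumptions, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample export (not real data). The source OUs are assumed;
# the Mark Harris cn and sAMAccountName values are the ones from the post.
SAMPLE_LDIF = """\
dn: CN=Mark Harris,OU=Sales,DC=ow,DC=oraworld,DC=local
cn: Mark Harris
sAMAccountName: maharris

dn: CN=Mark Harris,OU=Support,DC=ow,DC=oraworld,DC=local
cn: Mark Harris
sAMAccountName: mharris

dn: CN=Jane Doe,OU=Sales,DC=ow,DC=oraworld,DC=local
cn: Jane Doe
sAMAccountName: jdoe
"""

# Target container as it appears in the DIP error log above.
TARGET_CONTAINER = "ou=internal,cn=users,dc=ow,dc=oraworld,dc=local"


def parse_entries(ldif):
    """Parse simple 'attr: value' LDIF records separated by blank lines."""
    entries = []
    for record in ldif.strip().split("\n\n"):
        entry = {}
        for line in record.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def target_dn_collisions(entries, rdn_attr, source_attr):
    """Map each entry to its target DN; return target DNs claimed by >1 source."""
    by_target = defaultdict(list)
    for e in entries:
        # DN matching is case-insensitive here, so normalise the RDN value.
        target = f"{rdn_attr}={e[source_attr.lower()].lower()},{TARGET_CONTAINER}"
        by_target[target].append(e["dn"])
    return {dn: srcs for dn, srcs in by_target.items() if len(srcs) > 1}


if __name__ == "__main__":
    users = parse_entries(SAMPLE_LDIF)
    print("cn-based RDN :", target_dn_collisions(users, "cn", "cn"))
    print("uid-based RDN:", target_dn_collisions(users, "uid", "sAMAccountName"))
```

Running the same check against a real export of the synchronized group before bootstrapping shows which entries would be rejected with error 68.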
Hope it helps.