Troubleshooting
Problem
The import of a configuration into an existing organisation failed.
Symptom
These errors were seen in the client.log during the time of the failed import.
ERROR o.h.engine.jdbc.spi.SqlExceptionHelper - ERROR: duplicate key value violates unique constraint "idx_muser_ldap_dn" Detail: Key (muser_ldap_dn)=(cn=A\, User,ou=users,dc=domain,dc=com) already exists.
01:51:00.880 [http-nio-443-exec-3] ERROR o.h.engine.jdbc.spi.SqlExceptionHelper - ERROR: duplicate key value violates unique constraint "idx_muser_ldap_dn" Detail: Key (muser_ldap_dn)=(cn=A\, User,ou=users,dc=domain,dc=com) already exists.
01:51:00.894 [http-nio-443-exec-3] INFO com.co3.web.rest.Co3ExceptionMapperBase - Mapping exception to REST
javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: could not execute statement
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1763)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
...
Caused by: org.hibernate.exception.ConstraintViolationException: could not execute statement
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:129)
...
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "idx_muser_ldap_dn"
Detail: Key (muser_ldap_dn)=(cn=A\, User,ou=users,dc=domain,dc=com) already exists.
Cause
The LDAP distinguished name (cn=A\, User,ou=users,dc=domain,dc=com) already exists within IBM Resilient, probably under a different email address, possibly an old account.
Diagnosing The Problem
Run the following query to find out if the same LDAP distinguished name already exists within IBM Resilient:
sudo -u postgres -i psql co3 -c "select p.principal_name, m.muser_id, m.muser_first_name, m.muser_last_name, m.muser_ldap_dn from monapp.musers m left join monapp.principals p on m.muser_id=p.principal_id where muser_ldap_dn in (select muser_ldap_dn from monapp.musers group by muser_ldap_dn having count(muser_ldap_dn) > 1);"
If this doesn't return any results, run the following query, replacing xxx with part of the distinguished name shown in the client.log, for example "User":
sudo -u postgres -i psql co3 -c "select p.principal_name, m.muser_id, m.muser_first_name, m.muser_last_name, m.muser_ldap_dn from monapp.musers m left join monapp.principals p on m.muser_id=p.principal_id where muser_ldap_dn in (select muser_ldap_dn from monapp.musers where muser_ldap_dn like '%xxx%');"
This will return the user's details, helping you identify which user needs their distinguished name removed from IBM Resilient.
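The following is an added example, not part of the original IBM document: it extracts the conflicting DN from client.log lines like those quoted above and builds the lookup with the same columns and join as the second query, with the filter applied directly. The function names and the sample log are constructed for illustration. Backslash is PostgreSQL's default LIKE escape character, so a fragment copied with its `\,` only matches once the backslash is doubled.

```bash
#!/usr/bin/env bash
# Added example: find the DN behind an idx_muser_ldap_dn violation and
# build a LIKE lookup for it. Function names are hypothetical.

# Constructed sample, modelled on the client.log lines quoted in this document.
SAMPLE_LOG='01:51:00.880 [http-nio-443-exec-3] ERROR o.h.engine.jdbc.spi.SqlExceptionHelper - ERROR: duplicate key value violates unique constraint "idx_muser_ldap_dn" Detail: Key (muser_ldap_dn)=(cn=A\, User,ou=users,dc=domain,dc=com) already exists.
01:51:00.894 [http-nio-443-exec-3] INFO com.co3.web.rest.Co3ExceptionMapperBase - Mapping exception to REST
Detail: Key (muser_ldap_dn)=(cn=A\, User,ou=users,dc=domain,dc=com) already exists.'

# Read a log on stdin; print each distinct DN named in a violation, once.
extract_conflicting_dns() {
    sed -n 's/.*Key (muser_ldap_dn)=(\(.*\)) already exists\..*/\1/p' | sort -u
}

# Escape a value for a single-quoted SQL LIKE pattern:
#   1. double backslashes (LIKE would otherwise consume the one in "A\, User")
#   2. escape the LIKE wildcards % and _ so they match literally
#   3. double single quotes so the value cannot end the SQL string early
like_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[%_]/\\&/g' -e "s/'/''/g"
}

# Print the lookup statement for one DN or DN fragment.
build_lookup_sql() {
    printf "select p.principal_name, m.muser_id, m.muser_first_name, m.muser_last_name, m.muser_ldap_dn from monapp.musers m left join monapp.principals p on m.muser_id=p.principal_id where m.muser_ldap_dn like '%%%s%%';\n" "$(like_escape "$1")"
}

# The statement is printed, not executed. Give it to psql on standard input
# rather than inside a double-quoted -c string, where the shell would
# collapse the doubled backslashes again.
main() {
    printf '%s\n' "$SAMPLE_LOG" | extract_conflicting_dns |
    while IFS= read -r dn; do
        build_lookup_sql "$dn"
    done
}

main
```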
Resolving The Problem
After identifying the user details, remove their LDAP distinguished name from IBM Resilient.
sudo resutil resetuser -email <old email address> -clearldap
Try running the import again.
The above steps are useful in other circumstances where email addresses change but the user's LDAP distinguished name remains the same. This can often affect users when logging in to IBM Resilient, if their email address has changed.
Document Location
Worldwide
Document Information
Modified date:
19 April 2021
UID
ibm16131715