Active Directory Delta Aggregation Failing

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

Version 8.4

Share all details related to your problem, including any error messages you may have received.

Hello Experts,

I am facing Delta Aggregation for Active Directory and below is the error.

Exception during aggregation. Reason: java.lang.RuntimeException: [ERROR for domain - dc=xxxx,dc=xxxxxx,dc=com] java.lang.RuntimeException: Failed to read after retrying 5 times, from : dc=xxxxx,dc=xxxx,dc=com - ldap://xxxxx.xxxx.xxxx.com:636 - [LDAP: error code 50 - 00002105: LdapErr: DSID-0C090C13, comment: Error processing control, data 0, v4563]

We have noticed that if we remove the users_cookie from Application for Delta then its working properly.

Can anyone suggest me how to resolve this issue. Is there any permissions required.

Thanks

2

HI @niket345 ,

Can you please follow below link, this talks about the same error:

https://community.sailpoint.com/t5/IdentityIQ-Forum/Active-Directory-Aggregation-is-Failing-with-option-quot-Enable/m-p/122075

Thanks,
Dheeraj

3

Hello Dheeraj,

Thanks for the appointing out the thread.

I am curios that how the delta aggregation is working if we have removed the User_Cookies from application debug.

My assumption is this should not work if we don’t have required permissions.

Thanks

4

@niket345 ,

Do you mean that after removing user_Cookies your delta Aggregation is working or Full Aggregation is working, as per connector document below are the permissions required:

image
image1120×1423 159 KB

5

Full Aggregation is anyway working.
Delta aggregation is working when we removed the user_cookies from debug for once.

Yes. As per document, we need permission to run delta aggregation.

6

Hi @niket345,

Is this a multi-domain configuration?

Please note that the first time this delta aggregation task runs, it will perform a full aggregation. This is because the DirSync aggregation process relies on a cookie (provided by AD and stored in IdentityIQ) to determine which records to provide. When the task is run for the first time, the cookie is null so there is no basis for identifying which records to pull and which to ignore. After the delta aggregation task runs, the cookie value is provided to IdentityIQ by AD and is stored in the AD application definition inside IdentityIQ to use in the next delta aggregation. Subsequent delta aggregation runs will retrieve only records which have changed since the last delta aggregation, based on that cookie, and the cookie is updated at the end of each delta aggregation. Separate cookies are stored for accounts and for groups, and separate cookies are stored for each domain as well.

2 Likes